Routing

DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 Drops _some_ customers behind router 4 seconds.

01-05-2019 08:41 PM

I've been experiencing some strange issues and countless sleepless nights trying to find the root cause. I don't know much about ddos-protection settings and what would be the best way to resolve the issue below.

ddos-protection {
    global {
        flow-detection;
        flow-report-rate 1000;
    }
}

#
The xe-0/0/0 interface is a Peering Exchange where I peer with v4 and v6 neighbors.
ae0.0 is an ISP.
#

Jan  5 22:41:08  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Rejectv6:aggregate on xe-0/0/0.0 with source addr 2607:f8b0:4006:080f:0000:0000:002019-01-05 22:41:04 EST is found at 2019-01-05 22:41:04 EST
Jan  5 22:41:08  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Rejectv6:aggregate on xe-0/0/0.0 with source addr 2001:0438:fffe:0000:0000:0000:002019-01-05 22:41:06 EST is found at 2019-01-05 22:41:06 EST
Jan  5 22:41:09  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Rejectv6:aggregate on xe-0/0/0.0 with source addr 2001:0503:231d:0000:0000:0000:002019-01-05 22:41:07 EST is found at 2019-01-05 22:41:07 EST
Jan  5 22:41:10  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Rejectv6:aggregate on xe-0/0/0.0 with source addr 2607:f8b0:400d:0c0f:0000:0000:002019-01-05 22:41:05 EST is found at 2019-01-05 22:41:05 EST
Jan  5 22:41:11  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Rejectv6:aggregate on xe-0/0/0.0 with source addr 2001:0503:a83e:0000:0000:0000:002019-01-05 22:41:07 EST is found at 2019-01-05 22:41:07 EST
Jan  5 22:41:12  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Rejectv6:aggregate on xe-0/0/0.0 with source addr 2607:f8b0:4006:081a:0000:0000:002019-01-05 22:41:09 EST is found at 2019-01-05 22:41:09 EST
Jan  5 22:41:12  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Rejectv6:aggregate on ae0.0 with source addr 2a00:86c0:1003:1003:0000:0000:002019-01-05 22:41:08 EST is found at 2019-01-05 22:41:08 EST

Jan  5 22:42:13  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_RETURN_NORMAL: A flow of protocol Rejectv6:aggregate on xe-0/0/0.0 with source addr 2a03:2880:f001:000b:face:b00c:002019-01-05 22:41:02 EST returned normal and is removed from monitoring. Found at 2019-01-05 22:41:02 EST, last observed at 2019-01-05 22:41:12 EST
Jan  5 22:46:10  xe-2-0-0. jddosd[1546]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6:aggregate has returned to normal. Violated at fpc 0 for 4928 times, from 2019-01-05 22:41:02 EST to 2019-01-05 22:41:09 EST



This seems to violate rejectv6:aggregate, which also violates the fpc. The 3-4 seconds of fpc violation cause downtime for some systems behind the router. It's super annoying and I would like some feedback on recommended ddos-protection settings, and possibly why the above errors are even coming in on the interface and what they mean.
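A small parser for these jddosd messages, added here as an illustration and not code from the original post or from Juniper. It recognises the DDOS_SCFD_FLOW_FOUND and DDOS_PROTOCOL_VIOLATION_CLEAR lines in the exact form quoted above, groups the reported flows by interface and protocol, and works out how long each violation lasted and roughly how many packets per second hit the policer. The sample log lines are constructed to match the ones in the post, including the way the source address runs straight into a timestamp, so the parser strips that fused tail rather than choking on it.

```python
"""Summarise Junos jddosd DDoS-protection log lines.

Added example, not from the thread. Handles the two message types shown in
the post: DDOS_SCFD_FLOW_FOUND (a suspicious flow was spotted) and
DDOS_PROTOCOL_VIOLATION_CLEAR (a policer violation ended).
"""
import re
from collections import defaultdict
from datetime import datetime

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
TS_FMT = "%Y-%m-%d %H:%M:%S"

FLOW_FOUND = re.compile(
    r"DDOS_SCFD_FLOW_FOUND: A new flow of protocol (?P<proto>\S+) on (?P<ifl>\S+) "
    r"with source addr (?P<src>.+?) is found at (?P<ts>" + TS + r")"
)
VIOLATION_CLEAR = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol (?P<proto>\S+) has returned to normal\. "
    r"Violated at fpc (?P<fpc>\d+) for (?P<count>\d+) times, "
    r"from (?P<start>" + TS + r") \w+ to (?P<end>" + TS + r") \w+"
)
# In the lines quoted in the post the source address is run straight into a
# timestamp ("...:0000:002019-01-05 22:41:04 EST"). Strip that tail so the
# surviving leading hextets can still be grouped; a clean address is untouched.
FUSED_TS = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \w+$")

# Constructed sample, modelled on the lines in the post.
SAMPLE_LOG = [
    "Jan  5 22:41:08  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol "
    "Rejectv6:aggregate on xe-0/0/0.0 with source addr 2607:f8b0:4006:080f:0000:0000:002019-01-05 "
    "22:41:04 EST is found at 2019-01-05 22:41:04 EST",
    "Jan  5 22:41:08  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol "
    "Rejectv6:aggregate on xe-0/0/0.0 with source addr 2001:0438:fffe:0000:0000:0000:002019-01-05 "
    "22:41:06 EST is found at 2019-01-05 22:41:06 EST",
    "Jan  5 22:41:12  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol "
    "Rejectv6:aggregate on ae0.0 with source addr 2a00:86c0:1003:1003:0000:0000:002019-01-05 "
    "22:41:08 EST is found at 2019-01-05 22:41:08 EST",
    "Jan  5 22:42:13  xe-2-0-0. jddosd[1546]: DDOS_SCFD_FLOW_RETURN_NORMAL: A flow of protocol "
    "Rejectv6:aggregate on xe-0/0/0.0 with source addr 2a03:2880:f001:000b:face:b00c:00 "
    "returned normal and is removed from monitoring.",
    "Jan  5 22:46:10  xe-2-0-0. jddosd[1546]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol "
    "Rejectv6:aggregate has returned to normal. Violated at fpc 0 for 4928 times, "
    "from 2019-01-05 22:41:02 EST to 2019-01-05 22:41:09 EST",
]


def parse_line(line):
    """Return a dict for the two message types we care about, else None."""
    m = FLOW_FOUND.search(line)
    if m:
        return {
            "event": "flow_found",
            "proto": m["proto"],
            "ifl": m["ifl"],
            "src": FUSED_TS.sub("", m["src"]).strip(),
            "ts": datetime.strptime(m["ts"], TS_FMT),
        }
    m = VIOLATION_CLEAR.search(line)
    if m:
        start = datetime.strptime(m["start"], TS_FMT)
        end = datetime.strptime(m["end"], TS_FMT)
        seconds = (end - start).total_seconds()
        count = int(m["count"])
        return {
            "event": "violation_clear",
            "proto": m["proto"],
            "fpc": int(m["fpc"]),
            "count": count,
            "start": start,
            "end": end,
            "seconds": seconds,
            # average rate that hit the policer while it was violated
            "pps": count / seconds if seconds > 0 else None,
        }
    return None


def summarize(lines):
    """Group suspicious flows by (protocol, interface) and collect violations."""
    flows = defaultdict(set)
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "flow_found":
            flows[(rec["proto"], rec["ifl"])].add(rec["src"])
        else:
            violations.append(rec)
    return {"flows": {k: sorted(v) for k, v in flows.items()}, "violations": violations}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (proto, ifl), srcs in s["flows"].items():
        print(f"{proto} on {ifl}: {len(srcs)} suspicious source(s)")
    for v in s["violations"]:
        print(f"{v['proto']} violated on fpc {v['fpc']} for {v['seconds']:.0f}s, "
              f"{v['count']} packets (~{v['pps']:.0f} pps)")
```

Run over a real `show log messages | match jddosd` capture, the interface grouping tells you which side (the peering exchange or the ISP link) the reject traffic is arriving from, and the per-violation pps figure gives a concrete number to compare against whatever bandwidth you set on the rejectv6 aggregate policer.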


Re: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 Drops _some_ customers behind router 4 seconds.

01-05-2019 09:29 PM

Hello,

Do You have either one of below features enabled:

1/ a "family inet6" firewall filter with "then reject" action

2/ an IPv6 aggregate route looking like

set routing-options rib inet6.0 aggregate route ::/0  ## NOTE : NOTHING AFTER MASK !

 

As 1st step towards resolution, I'd suggest You tighten the rejectv6 aggregate policer (default 2Kpps with 10Kpacket burst):

set system ddos-protection protocols rejectv6 aggregate bandwidth 100
set system ddos-protection protocols rejectv6 aggregate burst 100

You can read more about different Trio DDOS protocols here https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-ddos-protoco...

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
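An audit script for the three things this reply asks about, added as an example and not code from the thread or from Juniper: it reads a configuration in `show configuration | display set` form and reports inet6 firewall terms whose action is `reject`, `inet6.0` aggregate routes with nothing after the mask (no `discard`), and the rejectv6 aggregate policer values actually in effect, falling back to the 2Kpps / 10K-burst defaults quoted above. The sample configuration is constructed from the commands that appear in this thread plus one invented filter term (`EDGEv6`) and one invented aggregate prefix (`2001:db8::/32`) so that both the positive and the negative cases are exercised.

```python
"""Audit a Junos "display set" configuration for IPv6 reject sources.

Added example, not part of the thread. Checks the conditions raised in the
reply above: inet6 filter terms that reject, bare inet6.0 aggregate routes,
and the effective rejectv6 aggregate policer.
"""

# Policer defaults as quoted in the reply (2 Kpps bandwidth, 10 K packet burst).
REJECTV6_DEFAULTS = {"bandwidth": 2000, "burst": 10000}

# Constructed sample: the thread's own commands plus an invented reject term
# and an invented aggregate route with discard.
SAMPLE_CONFIG = """
set system ddos-protection protocols rejectv6 aggregate bandwidth 100
set system ddos-protection protocols rejectv6 aggregate burst 100
set routing-options rib inet6.0 aggregate route ::/0
set routing-options rib inet6.0 aggregate route 2001:db8::/32 discard
set firewall family inet6 filter ProtectREv6 term icmpv6 from payload-protocol icmp6
set firewall family inet6 filter ProtectREv6 term icmpv6 then accept
set firewall family inet6 filter ProtectREv6 term default then count discardfilterv6
set firewall family inet6 filter ProtectREv6 term default then discard
set firewall family inet6 filter EDGEv6 term bogons then reject
""".strip().splitlines()


def audit_reject_v6(set_lines):
    """Return findings plus the rejectv6 aggregate policer in effect."""
    findings = []
    aggregates = {}                     # prefix -> keywords given after it
    policer = dict(REJECTV6_DEFAULTS)   # overridden by explicit config

    for raw in set_lines:
        tok = raw.split()
        if not tok or tok[0] != "set":
            continue

        # 1. family inet6 filter terms whose action is reject (any reject code)
        if tok[1:4] == ["firewall", "family", "inet6"] and "then" in tok:
            then_at = tok.index("then")
            if tok[then_at + 1:then_at + 2] == ["reject"]:
                where = " ".join(tok[4:then_at])
                findings.append(f"reject action in inet6 filter: {where}")

        # 2. aggregate routes in inet6.0; remember what follows the prefix
        elif tok[1:6] == ["routing-options", "rib", "inet6.0", "aggregate", "route"] \
                and len(tok) > 6:
            aggregates.setdefault(tok[6], set()).update(tok[7:])

        # 3. the rejectv6 aggregate policer, if the operator set it
        elif tok[1:6] == ["system", "ddos-protection", "protocols", "rejectv6", "aggregate"] \
                and len(tok) == 8 and tok[6] in policer:
            policer[tok[6]] = int(tok[7])

    # An aggregate with nothing after the mask keeps Junos' default reject
    # next hop, which is the case the reply above points at.
    for prefix, opts in sorted(aggregates.items()):
        if "discard" not in opts:
            findings.append(f"inet6 aggregate route {prefix} without discard (default next hop is reject)")

    return {"findings": findings, "rejectv6_policer": policer}


if __name__ == "__main__":
    result = audit_reject_v6(SAMPLE_CONFIG)
    for f in result["findings"]:
        print("FINDING:", f)
    print("rejectv6 aggregate policer in effect:", result["rejectv6_policer"])
```

Note that the poster's ProtectREv6 filter ends in `discard`, not `reject`, so it produces no finding; only the invented `EDGEv6` term and the bare `::/0` aggregate are flagged, which matches the distinction the reply draws between dropping silently and generating a reject.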

Re: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 Drops _some_ customers behind router 4 seconds.

01-06-2019 10:37 AM

I've applied the settings you recommended. I've also noticed my MX80 applies this filter ok, but the router in question MX104 is not applying this filter correctly (see below).

 

Below are my static v6 routes. However they have been like this for a long time without previous issues.

routing-options {
    rib inet6.0 {
        static {
            route 2602:XXXX::/36 discard;
            route 2001:XXXX:XXXX::/40 discard;
            route 2602:XXXX:XXXX:507::/64 next-hop 2602:XXXX:0:1507::;
            route 2602:XXXX:XXXX::/48 next-hop 2602:XXXX:XXXX:7777::1;
            route 2001:XXXX:XXXX::/48 discard;
        }
    }
}

set policy-options prefix-list BGPv6-NEIGHBORS apply-path "protocols bgp group <*> neighbor <*:*>"

set interfaces lo0 unit 0 family inet6 filter input ProtectREv6
firewall {
    family inet6 {
        filter ProtectREv6 {
            term ospfv3 {
                from {
                    source-address {
                        fe80::/10;
                    }
                    next-header ospf;
                }
                then accept;
            }
            term bgpv6-connect {
                from {
                    source-prefix-list {
                        BGPv6-NEIGHBORS;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term icmpv6 {
                from {
                    payload-protocol icmp6;
                }
                then accept;
            }
            term default {
                then {
                    count discardfilterv6;
                    discard;
                }
            }
        }
    }
}



# show interfaces filters lo0
Interface       Admin Link Proto Input Filter         Output Filter
lo0             up    up
lo0.0           up    up   inet  ProtectRE
                           inet6


It's not applying the filter?


Filter ProtectREv6 is Trio specific; will not get installed on DPCs for interface lo0


Re: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 Drops _some_ customers behind router 4 seconds.

01-07-2019 08:53 AM

Hello,

@showmetalent wrote:

I've also noticed my MX80 applies this filter ok, but the router in question MX104 is not applying this filter correctly. (see below).

<skip>

It's not applying the filter?

Loopback filter is (1) unrelated to Trio DDOS feature and (2) executed before Trio DDOS policers.

HTH

Thx
Alex


Re: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 Drops _some_ customers behind router 4 seconds.

01-07-2019 05:01 PM

This was the error I saw from show log messages, so I'm assuming it's valid? Why would it be complaining? We are slated to upgrade firmware soon, but before that I wanted to make sure this was solved.


Re: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 Drops _some_ customers behind router 4 seconds.

01-07-2019 11:12 PM

Hello there,

If You are asking about this message

Filter ProtectREv6 is Trio specific; will not get installed on DPCs for interface lo0

- then MX80 and MX104 do not support DPC cards and should not log this message.

Are You still seeing the customer outages _AND_ DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Rejectv6 messages after changing the policer?

HTH

Thx

Alex
