
mx ddos protection alarm with Host-bound traffic for protocol/exception TCP-Flags:aggregate exceeded its allowed bandwidth at routing-engine

  • 1.  mx ddos protection alarm with Host-bound traffic for protocol/exception TCP-Flags:aggregate exceeded its allowed bandwidth at routing-engine

    Posted 19 days ago
    What causes the TCP DDoS problems? How do I protect against TCP DDoS attacks? I suspect this caused my BGP session to break. During the DDoS attack, my router's BGP session was broken. I believe these attacks caused my BGP session to break. I was unable to log in to my router during the attack.

    RE0> show ddos-protection protocols statistics terse
    Packet types: 222, Received traffic: 59, Currently violated: 0

    Protocol Packet Received Dropped Rate Violation State
    group type (packets) (packets) (pps) counts
    resolve aggregate 8137425324 685090326 366 726 ok
    resolve ucast-v4 8137425323 685090326 366 1276 ok
    resolve ucast-v6 1 0 0 0 ok
    dhcpv4 aggregate 52158562 1685 4 0 ok
    dhcpv4 discover 50782263 0 4 0 ok
    dhcpv4 offer 460882 0 0 0 ok
    dhcpv4 request 443828 0 0 0 ok
    dhcpv4 decline 95 0 0 0 ok
    dhcpv4 ack 448871 0 0 0 ok
    dhcpv4 nak 4906 0 0 0 ok
    dhcpv4 release 522 0 0 0 ok
    dhcpv4 inform 3566 0 0 0 ok
    dhcpv4 renew 8753 0 0 0 ok
    dhcpv4 bad-pack.. 1685 1685 0 64 ok
    dhcpv4 rebind 3191 0 0 0 ok
    icmp aggregate 1221962486 0 174 0 ok
    igmp aggregate 3122852 0 0 0 ok
    ospf aggregate 1678 0 0 0 ok
    pim aggregate 12 0 0 0 ok
    rip aggregate 41 0 0 0 ok
    bfd aggregate 29644 0 0 0 ok
    lmp aggregate 12 0 0 0 ok
    ldp aggregate 22797 0 0 0 ok
    msdp aggregate 24264 0 0 0 ok
    bgp aggregate 41904919 0 6 0 ok
    telnet aggregate 386295 0 0 0 ok
    ftp aggregate 5551851 0 0 0 ok
    ssh aggregate 2822632 0 1 0 ok
    snmp aggregate 2624656497 0 751 0 ok
    ancp aggregate 21169 0 0 0 ok
    bgpv6 aggregate 485903 0 0 0 ok
    lacp aggregate 89319950 0 8 0 ok
    arp aggregate 8229529202 0 1012 0 ok
    pvstp aggregate 64620343 0 6 0 ok
    mlp aggregate 141237042 0 1 0 ok
    mlp lookup 12138852 0 0 0 ok
    mlp add 64681327 0 0 0 ok
    mlp delete 64416863 0 0 0 ok
    ttl aggregate 779104914 1393931 67 20 ok
    ip-opt aggregate 19854 0 0 0 ok
    ip-opt unclass.. 19854 0 0 0 ok
    redirect aggregate 9816879 0 0 0 ok
    reject aggregate 6536683 6067052 0 2 ok
    tcp-flags aggregate 1520942499 377562629 3 38 ok
    tcp-flags initial 7136 0 0 0 ok
    tcp-flags establish 1520935363 377562629 3 13 ok
    radius aggregate 406 0 0 0 ok
    radius server 129 0 0 0 ok
    radius account.. 204 0 0 0 ok
    radius auth.. 73 0 0 0 ok
    ntp aggregate 21718 0 0 0 ok
    tacacs aggregate 76681 0 0 0 ok
    dns aggregate 1557643 0 0 0 ok
    diameter aggregate 128 0 0 0 ok
    gre hbc 17 0 0 0 ok
    uncls aggregate 20065494 0 1 0 ok
    uncls host-rt-v4 20065494 0 1 0 ok
    rejectv6 aggregate 1 0 0 0 ok
    amtv4 aggregate 55 0 0 0 ok

    {master}

    For security reasons, I replaced some IP addresses and AS numbers with XXX.

    Apr 4 03:30:18.835 2021 RE0 jddosd[16446]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TCP-Flags:aggregate exceeded its allowed bandwidth at routing-engine for 20 times, started at 2021-04-04 03:30:18 CST
    Apr 4 03:30:34.609 2021 RE0 rpd[16426]: %DAEMON-4-BGP_IO_ERROR_CLOSE_SESSION: BGP peer 172.16.12.22 (Internal AS XXXXX): Error event Operation timed out(60) for I/O session - closing it
    Apr 4 03:30:34.609 2021 RE0 rpd[16426]: %DAEMON-4: bgp_io_mgmt_cb:1974: NOTIFICATION sent to 172.16.12.22 (Internal AS XXXXX): code 4 (Hold Timer Expired Error), Reason: holdtime expired for 172.16.12.22 (Internal AS XXXXX), socket buffer sndacc: 0 rcvacc: 0 , socket buffer sndccc: 0 rcvccc: 0 TCP state: 4, snd_una: 1237206361 snd_nxt: 1237206361 snd_wnd: 16587 rcv_nxt: 2821666337 rcv_adv: 2821682721, hold timer 90s, hold timer remain 0s, last sent 5s, TCP port (local 57977, remote 179), JSR handle (primary 648518350166556673, secondary 648518350166556673)
    Apr 4 03:30:34.609 2021 RE0 rpd[16426]: %DAEMON-4-RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 172.16.12.22 (Internal AS XXXXX) changed state from Established to Idle (event HoldTime) (instance master)


  • 2.  RE: mx ddos protection alarm with Host-bound traffic for protocol/exception TCP-Flags:aggregate exceeded its allowed bandwidth at routing-engine
    Best Answer

    Posted 19 days ago
    I think there are TCP establish attacks, because in my RE protection filter I accepted established TCP packets. Now I have disabled it; I think it should work. It will prevent this attack.
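As an added example (not code from the thread or from Juniper), the following script parses the `show ddos-protection protocols statistics terse` rows and the jddosd/rpd syslog lines quoted in the question, flags protocol groups that have been policed hard, and pairs each DDOS_PROTOCOL_VIOLATION_SET with a BGP transition to Idle that follows within a short window. The sample rows and log lines are copied from the post; the drop-ratio threshold and the correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: rows taken from the poster's `statistics terse` output (constructed excerpt).
STATS = """\
resolve aggregate 8137425324 685090326 366 726 ok
bgp aggregate 41904919 0 6 0 ok
reject aggregate 6536683 6067052 0 2 ok
tcp-flags aggregate 1520942499 377562629 3 38 ok
tcp-flags initial 7136 0 0 0 ok
tcp-flags establish 1520935363 377562629 3 13 ok
"""
# Sample input: two of the poster's syslog lines (constructed excerpt).
LOG = """\
Apr 4 03:30:18.835 2021 RE0 jddosd[16446]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TCP-Flags:aggregate exceeded its allowed bandwidth at routing-engine for 20 times, started at 2021-04-04 03:30:18 CST
Apr 4 03:30:34.609 2021 RE0 rpd[16426]: %DAEMON-4-RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 172.16.12.22 (Internal AS XXXXX) changed state from Established to Idle (event HoldTime) (instance master)
"""
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+ (\d{4}) ")

def parse_stats(text):
    """One dict per row: group, type, received, dropped, rate (pps), violations, state."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            g, t, rx, dr, rate, viol, state = m.groups()
            rows.append({"group": g, "type": t, "received": int(rx), "dropped": int(dr),
                         "rate": int(rate), "violations": int(viol), "state": state})
    return rows

def suspicious(rows, min_drop_ratio=0.05):
    """Rows with a meaningful drop ratio or any violation count (threshold is an assumption)."""
    out = []
    for r in rows:
        ratio = r["dropped"] / r["received"] if r["received"] else 0.0
        if ratio >= min_drop_ratio or r["violations"] > 0:
            out.append((f'{r["group"]}:{r["type"]}', round(ratio, 3), r["violations"]))
    return out

def _ts(line):
    m = TS.match(line)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")

def correlate(log, window_s=120):
    """(protocol, peer, seconds) for each BGP->Idle that follows a DDoS violation within window_s."""
    lines, hits = log.splitlines(), []
    for i, l in enumerate(lines):
        if "DDOS_PROTOCOL_VIOLATION_SET" not in l:
            continue
        proto, t0 = re.search(r"protocol/exception (\S+) exceeded", l).group(1), _ts(l)
        for m in lines[i + 1:]:
            if "RPD_BGP_NEIGHBOR_STATE_CHANGED" in m and "to Idle" in m \
                    and _ts(m) - t0 <= timedelta(seconds=window_s):
                hits.append((proto, re.search(r"BGP peer (\S+) ", m).group(1),
                             int((_ts(m) - t0).total_seconds())))
    return hits
```

On the full output from the post, the same logic also surfaces the `resolve` and `reject` groups, which carry large drop counts even though their current state is `ok`.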