What causes the TCP DDoS problems? How do I protect against TCP DDoS attacks? I suspect this caused my BGP session to break. During the DDoS attack, my router's BGP session was broken. I believe these attacks caused my BGP session to break. I was unable to log in to my router during the attack.
RE0> show ddos-protection protocols statistics terse
Packet types: 222, Received traffic: 59, Currently violated: 0
Protocol Packet Received Dropped Rate Violation State
group type (packets) (packets) (pps) counts
resolve aggregate 8137425324 685090326 366 726 ok
resolve ucast-v4 8137425323 685090326 366 1276 ok
resolve ucast-v6 1 0 0 0 ok
dhcpv4 aggregate 52158562 1685 4 0 ok
dhcpv4 discover 50782263 0 4 0 ok
dhcpv4 offer 460882 0 0 0 ok
dhcpv4 request 443828 0 0 0 ok
dhcpv4 decline 95 0 0 0 ok
dhcpv4 ack 448871 0 0 0 ok
dhcpv4 nak 4906 0 0 0 ok
dhcpv4 release 522 0 0 0 ok
dhcpv4 inform 3566 0 0 0 ok
dhcpv4 renew 8753 0 0 0 ok
dhcpv4 bad-pack.. 1685 1685 0 64 ok
dhcpv4 rebind 3191 0 0 0 ok
icmp aggregate 1221962486 0 174 0 ok
igmp aggregate 3122852 0 0 0 ok
ospf aggregate 1678 0 0 0 ok
pim aggregate 12 0 0 0 ok
rip aggregate 41 0 0 0 ok
bfd aggregate 29644 0 0 0 ok
lmp aggregate 12 0 0 0 ok
ldp aggregate 22797 0 0 0 ok
msdp aggregate 24264 0 0 0 ok
bgp aggregate 41904919 0 6 0 ok
telnet aggregate 386295 0 0 0 ok
ftp aggregate 5551851 0 0 0 ok
ssh aggregate 2822632 0 1 0 ok
snmp aggregate 2624656497 0 751 0 ok
ancp aggregate 21169 0 0 0 ok
bgpv6 aggregate 485903 0 0 0 ok
lacp aggregate 89319950 0 8 0 ok
arp aggregate 8229529202 0 1012 0 ok
pvstp aggregate 64620343 0 6 0 ok
mlp aggregate 141237042 0 1 0 ok
mlp lookup 12138852 0 0 0 ok
mlp add 64681327 0 0 0 ok
mlp delete 64416863 0 0 0 ok
ttl aggregate 779104914 1393931 67 20 ok
ip-opt aggregate 19854 0 0 0 ok
ip-opt unclass.. 19854 0 0 0 ok
redirect aggregate 9816879 0 0 0 ok
reject aggregate 6536683 6067052 0 2 ok
tcp-flags aggregate 1520942499 377562629 3 38 ok
tcp-flags initial 7136 0 0 0 ok
tcp-flags establish 1520935363 377562629 3 13 ok
radius aggregate 406 0 0 0 ok
radius server 129 0 0 0 ok
radius account.. 204 0 0 0 ok
radius auth.. 73 0 0 0 ok
ntp aggregate 21718 0 0 0 ok
tacacs aggregate 76681 0 0 0 ok
dns aggregate 1557643 0 0 0 ok
diameter aggregate 128 0 0 0 ok
gre hbc 17 0 0 0 ok
uncls aggregate 20065494 0 1 0 ok
uncls host-rt-v4 20065494 0 1 0 ok
rejectv6 aggregate 1 0 0 0 ok
amtv4 aggregate 55 0 0 0 ok
{master}
For security reasons, I have replaced some IP addresses and AS numbers with XXX.
Apr 4 03:30:18.835 2021 RE0 jddosd[16446]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TCP-Flags:aggregate exceeded its allowed bandwidth at routing-engine for 20 times, started at 2021-04-04 03:30:18 CST
Apr 4 03:30:34.609 2021 RE0 rpd[16426]: %DAEMON-4-BGP_IO_ERROR_CLOSE_SESSION: BGP peer 172.16.12.22 (Internal AS XXXXX): Error event Operation timed out(60) for I/O session - closing it
Apr 4 03:30:34.609 2021 RE0 rpd[16426]: %DAEMON-4: bgp_io_mgmt_cb:1974: NOTIFICATION sent to 172.16.12.22 (Internal AS XXXXX): code 4 (Hold Timer Expired Error), Reason: holdtime expired for 172.16.12.22 (Internal AS XXXXX), socket buffer sndacc: 0 rcvacc: 0 , socket buffer sndccc: 0 rcvccc: 0 TCP state: 4, snd_una: 1237206361 snd_nxt: 1237206361 snd_wnd: 16587 rcv_nxt: 2821666337 rcv_adv: 2821682721, hold timer 90s, hold timer remain 0s, last sent 5s, TCP port (local 57977, remote 179), JSR handle (primary 648518350166556673, secondary 648518350166556673)
Apr 4 03:30:34.609 2021 RE0 rpd[16426]: %DAEMON-4-RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 172.16.12.22 (Internal AS XXXXX) changed state from Established to Idle (event HoldTime) (instance master)
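As an added illustration of how to triage an event like this from the data in the post (this is example code, not something from the poster or from Juniper), the script below parses the `show ddos-protection protocols statistics terse` table to rank the protocol groups whose routing-engine policers were violated, and then walks the jddosd/rpd syslog lines to tie each BGP session that left Established to the most recent DDoS-protection violation that preceded it. The sample table rows and log lines are a subset of the ones in the post; the regular expressions assume the column and syslog layouts exactly as shown there, and the 300-second correlation window is an arbitrary choice.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the rows from the post's
# `show ddos-protection protocols statistics terse` output.
STATS_SAMPLE = """\
Protocol Packet Received Dropped Rate Violation State
group type (packets) (packets) (pps) counts
resolve aggregate 8137425324 685090326 366 726 ok
resolve ucast-v4 8137425323 685090326 366 1276 ok
dhcpv4 aggregate 52158562 1685 4 0 ok
dhcpv4 bad-pack.. 1685 1685 0 64 ok
bgp aggregate 41904919 0 6 0 ok
ttl aggregate 779104914 1393931 67 20 ok
reject aggregate 6536683 6067052 0 2 ok
tcp-flags aggregate 1520942499 377562629 3 38 ok
tcp-flags initial 7136 0 0 0 ok
tcp-flags establish 1520935363 377562629 3 13 ok
"""

# Constructed sample: two of the syslog lines from the post (AS number already masked).
LOG_SAMPLE = """\
Apr 4 03:30:18.835 2021 RE0 jddosd[16446]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception TCP-Flags:aggregate exceeded its allowed bandwidth at routing-engine for 20 times, started at 2021-04-04 03:30:18 CST
Apr 4 03:30:34.609 2021 RE0 rpd[16426]: %DAEMON-4-RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 172.16.12.22 (Internal AS XXXXX) changed state from Established to Idle (event HoldTime) (instance master)
"""

# One data row: group, packet type, received, dropped, rate (pps), violation count, state.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

# Junos syslog line: "Mon D HH:MM:SS.mmm YYYY RE0 daemon[pid]: %TAG: message" (assumed layout).
SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d{1,2})\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d{4})\s+\S+\s+(\w+)\[\d+\]:\s+(%[\w-]+):?\s*(.*)$"
)


def parse_ddos_stats(text):
    """Parse the terse statistics table into one dict per protocol row.
    The two header lines have non-numeric columns and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        group, ptype, received, dropped, rate, violations, state = m.groups()
        received, dropped = int(received), int(dropped)
        rows.append({
            "group": group, "type": ptype,
            "received": received, "dropped": dropped,
            "rate_pps": int(rate), "violations": int(violations), "state": state,
            # Share of host-bound packets of this type the policer discarded.
            "drop_ratio": dropped / received if received else 0.0,
        })
    return rows


def flag_violators(rows, min_violations=1):
    """Rows whose policer was violated at least `min_violations` times,
    ordered by dropped packets (then violation count), worst first."""
    hits = [r for r in rows if r["violations"] >= min_violations]
    return sorted(hits, key=lambda r: (r["dropped"], r["violations"]), reverse=True)


def parse_syslog(text):
    """Turn syslog lines into events with a parsed timestamp, daemon, tag and message."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        date, clock, year, daemon, tag, msg = m.groups()
        ts = datetime.strptime(f"{date} {year} {clock}", "%b %d %Y %H:%M:%S.%f")
        events.append({"ts": ts, "daemon": daemon, "tag": tag, "msg": msg})
    return events


def correlate_bgp_drops(events, window_s=300):
    """For every BGP peer that left Established, report the most recent
    DDoS-protection violation raised within `window_s` seconds before it."""
    violations = [e for e in events if e["tag"].endswith("DDOS_PROTOCOL_VIOLATION_SET")]
    findings = []
    for e in events:
        if not e["tag"].endswith("RPD_BGP_NEIGHBOR_STATE_CHANGED"):
            continue
        m = re.search(r"BGP peer (\S+) .*changed state from (\w+) to (\w+)", e["msg"])
        if not m or m.group(2) != "Established":
            continue
        peer, _, new_state = m.groups()
        prior = [v for v in violations if 0 <= (e["ts"] - v["ts"]).total_seconds() <= window_s]
        cause = None
        if prior:
            v = max(prior, key=lambda x: x["ts"])
            pm = re.search(r"protocol/exception (\S+) exceeded", v["msg"])
            cause = {
                "protocol": pm.group(1) if pm else "?",
                "lead_seconds": round((e["ts"] - v["ts"]).total_seconds(), 1),
            }
        findings.append({"peer": peer, "new_state": new_state,
                         "at": e["ts"].isoformat(), "ddos_violation": cause})
    return findings


if __name__ == "__main__":
    for r in flag_violators(parse_ddos_stats(STATS_SAMPLE)):
        print(f"{r['group']:10} {r['type']:10} dropped={r['dropped']:>10} "
              f"violations={r['violations']:>5} drop_ratio={r['drop_ratio']:.3f}")
    for f in correlate_bgp_drops(parse_syslog(LOG_SAMPLE)):
        print(f)
```

Run it against the full table and a longer syslog excerpt (`show log messages | match "jddosd|RPD_BGP"`) and the output gives two things the raw output does not: which policers are actually losing packets (the `drop_ratio` column separates a busy-but-healthy group such as `bgp aggregate` from one discarding a quarter of its traffic), and whether each BGP flap was preceded by a violation on a specific protocol group, which is the evidence needed before tuning that group's bandwidth or burst policer rather than changing BGP timers.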