Junos OS

  • 1.  DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

    Posted 11-27-2014 01:30

    Hi,

     

    I'm getting lots of messages like this:

     

    jddosd[1460]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1448 times, started at 2014-11-27 10:56:58 EET

     

    jddosd[1460]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 0 for 1448 times, from 2014-11-27 10:56:58 EET to 2014-11-27 11:02:38 EET

     

    and I can't figure out why. Could you point me in the right direction, please?

     

    Packet Forwarding Engine traffic statistics:
    Input packets: 15240676085 17916 pps
    Output packets: 21412011088 24572 pps
    Packet Forwarding Engine local traffic statistics:
    Local packets input : 15544166
    Local packets output : 29380069
    Software input control plane drops : 0
    Software input high drops : 0
    Software input medium drops : 0
    Software input low drops : 0
    Software output drops : 0
    Hardware input drops : 0
    Packet Forwarding Engine local protocol statistics:
    HDLC keepalives : 0
    ATM OAM : 0
    Frame Relay LMI : 0
    PPP LCP/NCP : 0
    OSPF hello : 1702744
    OSPF3 hello : 0
    RSVP hello : 0
    LDP hello : 0
    BFD : 0
    IS-IS IIH : 0
    LACP : 0
    ARP : 286860
    ETHER OAM : 0
    Unknown : 10
    Packet Forwarding Engine hardware discard statistics:
    Timeout : 0
    Truncated key : 0
    Bits to test : 0
    Data error : 0
    Stack underflow : 0
    Stack overflow : 0
    Normal discard : 11094859
    Extended discard : 0
    Invalid interface : 0
    Info cell drops : 0
    Fabric drops : 0
    Packet Forwarding Engine Input IPv4 Header Checksum Error and Output MTU Error statistics:
    Input Checksum : 0
    Output MTU : 0

     

    Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 0
    Currently tracked flows: 0, Total detected flows: 0
    * = User configured value

    Protocol Group: Reject

    Packet type: aggregate (Aggregate for v4 all reject traffic)
    Aggregate policer configuration:
    Bandwidth: 2000 pps
    Burst: 10000 packets
    Recover time: 300 seconds
    Enabled: Yes
    Flow detection configuration:
    Detection mode: Automatic Detect time: 3 seconds
    Log flows: Yes Recover time: 60 seconds
    Timeout flows: No Timeout time: 300 seconds
    Flow aggregation level configuration:
    Aggregation level Detection mode Control mode Flow rate
    Subscriber Automatic Drop 10 pps
    Logical interface Automatic Drop 10 pps
    Physical interface Automatic Drop 2000 pps
    System-wide information:
    Aggregate bandwidth is no longer being violated
    No. of FPCs that have received excess traffic: 1
    Last violation started at: 2014-11-27 11:15:03 EET
    Last violation ended at: 2014-11-27 11:22:18 EET
    Duration of last violation: 00:07:15 Number of violations: 1449
    Received: 35017543 Arrival rate: 19 pps
    Dropped: 195341 Max arrival rate: 3398 pps
    Routing Engine information:
    Bandwidth: 2000 pps, Burst: 10000 packets, enabled
    Aggregate policer is never violated
    Received: 0 Arrival rate: 0 pps
    Dropped: 0 Max arrival rate: 0 pps
    Dropped by individual policers: 0
    FPC slot 0 information:
    Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
    Aggregate policer is no longer being violated
    Last violation started at: 2014-11-27 11:15:03 EET
    Last violation ended at: 2014-11-27 11:22:18 EET
    Duration of last violation: 00:07:15 Number of violations: 1449
    Received: 35017543 Arrival rate: 19 pps
    Dropped: 195341 Max arrival rate: 3398 pps
    Dropped by individual policers: 0
    Dropped by aggregate policer: 195341
    Dropped by flow suppression: 0
    Flow counts:
    Aggregation level Current Total detected State
    Subscriber 0 0 Active

     



  • 2.  RE: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

    Posted 11-27-2014 19:11

    anyone?

    To me it seems not really to be related to some kind of DDoS, but to some other reason...

    Some kind of route flap or something. Nothing useful in the logs though.

    At the same time, I do not have any reject rules in the firewall.

    I'm running setup with 2 RRs with 3 clients connected to each of them.

    OSPF advertises loopbacks, iBGP other stuff.



  • 3.  RE: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
    Best Answer

    Posted 11-29-2014 06:31

    Resolved.

     

    The default action for an aggregate route is to reject anything that does not hit a more specific route from the aggregated route.

    So basically, when you have an access network with clients in it and suddenly you lose it (e.g. the company decides to stop this service), those IPs keep being resolved by torrents, malware, viruses etc., and as you do not have those specific routes in the routing table anymore, the router keeps REJECTing them, as that is the default action. So to solve this:

     

    set routing-options aggregate defaults discard

     

    and forget about this. Anyway, any reject action is a vector for attack, so try to keep your core systems without any rejects...

     

    Thanks to Saku Ytti for great help in pointing me in the right direction.

    His article http://blog.ip.fi/2014/02/junos-l3-incompletes-what-and-why.html and personal help were priceless during this case.
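
Added example, not part of the original thread: a Python script that pairs the jddosd SET and CLEAR messages quoted in the first post into violation episodes, showing how long each lasted and whether one is still open. The function names and the third sample line are assumptions made for this example.

```python
import re
from datetime import datetime

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
SET_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: Protocol (?P<proto>\S+) is violated at fpc "
    rf"(?P<fpc>\d+) for (?P<count>\d+) times, started at (?P<start>{TS})")
CLEAR_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol (?P<proto>\S+) has returned to normal\. "
    r"Violated at fpc (?P<fpc>\d+) for (?P<count>\d+) times, "
    rf"from (?P<start>{TS}) \S+ to (?P<end>{TS})")

def parse_ts(s):
    # Zone suffix (EET) is ignored: both stamps come from the same router.
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def episodes(log_text):
    """Pair SET/CLEAR messages into episodes keyed by (protocol, fpc, start time)."""
    found = {}
    for line in log_text.splitlines():
        m = CLEAR_RE.search(line) or SET_RE.search(line)
        if not m:
            continue
        key = (m["proto"], int(m["fpc"]), m["start"])
        ep = found.setdefault(key, {"proto": key[0], "fpc": key[1], "start": key[2],
                                    "count": 0, "duration_s": None})
        ep["count"] = max(ep["count"], int(m["count"]))
        if "end" in m.groupdict():  # only CLEAR messages carry an end time
            delta = parse_ts(m["end"]) - parse_ts(m["start"])
            ep["duration_s"] = int(delta.total_seconds())
    return list(found.values())

def triage(ep):
    """One-line summary; Reject-group episodes get the hint from the accepted answer."""
    state = "open" if ep["duration_s"] is None else f"cleared after {ep['duration_s']}s"
    note = ""
    if ep["proto"].split(":")[0].lower() == "reject":
        note = " -> look for traffic hitting reject next hops (e.g. aggregate routes)"
    return f"{ep['proto']} fpc{ep['fpc']} {ep['start']} x{ep['count']} {state}{note}"

# Lines 1-2 are the messages from the first post. Line 3 is constructed from the
# "Last violation started at" / "Number of violations" values in the show output.
SAMPLE = """\
jddosd[1460]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1448 times, started at 2014-11-27 10:56:58 EET
jddosd[1460]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 0 for 1448 times, from 2014-11-27 10:56:58 EET to 2014-11-27 11:02:38 EET
jddosd[1460]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1449 times, started at 2014-11-27 11:15:03 EET
"""

if __name__ == "__main__":
    for ep in episodes(SAMPLE):
        print(triage(ep))
```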

     



  • 4.  RE: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

     
    Posted 08-20-2019 21:27


  • 5.  RE: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

     
    Posted 08-21-2019 21:47


  • 6.  RE: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

     
    Posted 08-21-2019 21:53

    Arix,

     

    Open a new thread, as a solution has already been accepted on this thread.

     

    And as a good practice, close your threads with solution accepted where a solution has been provided to you.

     

    Tks,

    Abhishek.



  • 7.  RE: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate

     
    Posted 08-22-2019 03:55

    okay... opened a new case... thanks