I'm getting lots of messages of this kind:
jddosd: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1448 times, started at 2014-11-27 10:56:58 EET
jddosd: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 0 for 1448 times, from 2014-11-27 10:56:58 EET to 2014-11-27 11:02:38 EET
and I can't figure out: why? Could you point me to the right direction please?
Packet Forwarding Engine traffic statistics:
  Input packets: 15240676085 17916 pps
  Output packets: 21412011088 24572 pps
Packet Forwarding Engine local traffic statistics:
  Local packets input : 15544166
  Local packets output : 29380069
  Software input control plane drops : 0
  Software input high drops : 0
  Software input medium drops : 0
  Software input low drops : 0
  Software output drops : 0
  Hardware input drops : 0
Packet Forwarding Engine local protocol statistics:
  HDLC keepalives : 0
  ATM OAM : 0
  Frame Relay LMI : 0
  PPP LCP/NCP : 0
  OSPF hello : 1702744
  OSPF3 hello : 0
  RSVP hello : 0
  LDP hello : 0
  BFD : 0
  IS-IS IIH : 0
  LACP : 0
  ARP : 286860
  ETHER OAM : 0
  Unknown : 10
Packet Forwarding Engine hardware discard statistics:
  Timeout : 0
  Truncated key : 0
  Bits to test : 0
  Data error : 0
  Stack underflow : 0
  Stack overflow : 0
  Normal discard : 11094859
  Extended discard : 0
  Invalid interface : 0
  Info cell drops : 0
  Fabric drops : 0
Packet Forwarding Engine Input IPv4 Header Checksum Error and Output MTU Error statistics:
  Input Checksum : 0
  Output MTU : 0
Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 0
Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: Reject
  Packet type: aggregate (Aggregate for v4 all reject traffic)
    Aggregate policer configuration:
      Bandwidth: 2000 pps
      Burst: 10000 packets
      Recover time: 300 seconds
      Enabled: Yes
    Flow detection configuration:
      Detection mode: Automatic  Detect time: 3 seconds
      Log flows: Yes  Recover time: 60 seconds
      Timeout flows: No  Timeout time: 300 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          10 pps
        Logical interface   Automatic       Drop          10 pps
        Physical interface  Automatic       Drop          2000 pps
    System-wide information:
      Aggregate bandwidth is no longer being violated
        No. of FPCs that have received excess traffic: 1
        Last violation started at: 2014-11-27 11:15:03 EET
        Last violation ended at: 2014-11-27 11:22:18 EET
        Duration of last violation: 00:07:15  Number of violations: 1449
      Received: 35017543  Arrival rate: 19 pps
      Dropped: 195341  Max arrival rate: 3398 pps
    Routing Engine information:
      Bandwidth: 2000 pps, Burst: 10000 packets, enabled
      Aggregate policer is never violated
      Received: 0  Arrival rate: 0 pps
      Dropped: 0  Max arrival rate: 0 pps
      Dropped by individual policers: 0
    FPC slot 0 information:
      Bandwidth: 100% (2000 pps), Burst: 100% (10000 packets), enabled
      Aggregate policer is no longer being violated
        Last violation started at: 2014-11-27 11:15:03 EET
        Last violation ended at: 2014-11-27 11:22:18 EET
        Duration of last violation: 00:07:15  Number of violations: 1449
      Received: 35017543  Arrival rate: 19 pps
      Dropped: 195341  Max arrival rate: 3398 pps
      Dropped by individual policers: 0
      Dropped by aggregate policer: 195341
      Dropped by flow suppression: 0
      Flow counts:
        Aggregation level  Current  Total detected  State
        Subscriber         0        0               Active
To me it seems not really related to some kind of DDoS, but to some other reason, kind of a route flap or something. Nothing useful in the logs though.
At the same time I do not have any reject rules in the firewall.
I'm running setup with 2 RRs with 3 clients connected to each of them.
OSPF advertises loopbacks, iBGP other stuff.
The default action for an aggregate route is to reject anything that does not hit a more specific route covered by the aggregate route.
So basically, when you have an access network with clients in it and suddenly you lose it (e.g. the company decides to stop this service), those IPs keep being resolved by torrents, malware, viruses etc., and as you no longer have those specific routes in the routing table, the router keeps REJECTing them, as that is the default action. So to solve this:
set routing-options protocol aggregate defaults discard
and forget about this. Anyway, any reject action is a vector for attack, so try to keep your core systems without any rejects...
Thanks to Saku Ytti for great help in pointing me to the right directions.
His article http://blog.ip.fi/2014/02/junos-l3-incompletes-what-and-why.html and personal help were priceless during this case.
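Added here as an example, not code from the thread or from Juniper: a small Python parser for the jddosd SET/CLEAR messages above. It pairs SET and CLEAR lines by protocol group, packet type, FPC and violation number, computes how long each violation lasted, and flags a SET that has no CLEAR yet (the policer is still being violated). The sample log is constructed from the two lines in the question plus a second pair using the "last violation" times from the show ddos-protection output.

```python
import re
from datetime import datetime

# Constructed sample: the two jddosd lines from the question plus a second SET/CLEAR pair.
SAMPLE_LOG = """\
jddosd: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1448 times, started at 2014-11-27 10:56:58 EET
jddosd: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 0 for 1448 times, from 2014-11-27 10:56:58 EET to 2014-11-27 11:02:38 EET
jddosd: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1449 times, started at 2014-11-27 11:15:03 EET
jddosd: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 0 for 1449 times, from 2014-11-27 11:15:03 EET to 2014-11-27 11:22:18 EET
"""

SET_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: Protocol (?P<group>[\w-]+):(?P<ptype>[\w-]+) is violated "
    r"at fpc (?P<fpc>\d+) for (?P<count>\d+) times, started at (?P<start>[\d-]+ [\d:]+)")
CLEAR_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol (?P<group>[\w-]+):(?P<ptype>[\w-]+) has returned "
    r"to normal\. Violated at fpc (?P<fpc>\d+) for (?P<count>\d+) times, "
    r"from (?P<start>[\d-]+ [\d:]+) \w+ to (?P<end>[\d-]+ [\d:]+)")
TS = "%Y-%m-%d %H:%M:%S"

def parse_violations(log_text):
    """Pair SET/CLEAR on (group, packet type, fpc, violation number); seconds is None while open."""
    open_violations, records = {}, []
    for line in log_text.splitlines():
        m = SET_RE.search(line)
        if m:
            key = (m["group"], m["ptype"], int(m["fpc"]), int(m["count"]))
            open_violations[key] = datetime.strptime(m["start"], TS)
            continue
        m = CLEAR_RE.search(line)
        if m:
            key = (m["group"], m["ptype"], int(m["fpc"]), int(m["count"]))
            # CLEAR repeats the start time, so a CLEAR whose SET was lost still pairs up
            start = open_violations.pop(key, datetime.strptime(m["start"], TS))
            end = datetime.strptime(m["end"], TS)
            records.append({"key": key, "start": start, "end": end,
                            "seconds": int((end - start).total_seconds())})
    for key, start in open_violations.items():  # SET without CLEAR: still being violated
        records.append({"key": key, "start": start, "end": None, "seconds": None})
    return records

def summarize(records):
    """Per (group, packet type): violation count, total seconds in violation, open flag."""
    out = {}
    for r in records:
        g = out.setdefault(r["key"][:2], {"violations": 0, "seconds": 0, "open": False})
        g["violations"] += 1
        g["open"] = g["open"] or r["seconds"] is None
        g["seconds"] += r["seconds"] or 0
    return out
```

A violation count that keeps climbing with long total time in violation, as with Reject:aggregate here, points at a persistent source such as the reject-route traffic diagnosed above rather than a one-off flood.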
Open a new thread, as a solution has already been accepted on this thread.
And as a good practice, close your threads with the solution accepted where a solution has been provided to you.
okay... opened a new case... thanks