Junos OS

jddosd[3276]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception resolve:ucast-v4 has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 18 times, from 2019-01-09 23:38:30 CST to 2019-01-10 00:06:51 CST

when I see these log from the start time and end time, I can't ssh login router. what's resolve ucast-v4 packet? I don't understand please help thanks so much

Generally, those log messages are telling you that the device is blocking some sort of traffic from itself (the routing engine). There are pre-set filters and limits to protect the chassis and CPU from something hitting it.

From: https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-ddos-protocols.html

resolve—The following packet types are available for unclassified resolve packets, which are sent to the host because of a traffic request resolve action:

• mcast-v4—Unclassified IPv4 multicast resolve packets.

• mcast-v6—Unclassified IPv6 multicast resolve packets.

• ucast-v4—Unclassified IPv4 unicast resolve packets.

• ucast-v6—Unclassified IPv6 unicast resolve packets.

• other—All other unclassified resolve packets.

Unfortunately, I am not sure what traffic exactly it's protecting itself against as it seems ucast-v4 is a catch-all for un-grouped services (NTP, DHCP, SSH, for example, are not part of this). You may need to perform a packet capture or create a filter and log traffic destined to the loopback or local interface in order to see what exactly is causing this to go off. If you have NetFlow enabled it may also expose what's causing the system to protect itself.

Hello,

Most likely, someone from internet is sending You copious amounts of packets towards non-existent addresses.

Example being:

1/ Your connected subnet is 203.0.113.0/24

2/ You have 3 IP addresses that are live: 203.0.113.1, 203.0.113.2, 203.0.113.3. All other addresses are unused.

3/ now, if 203.0.113.0/24 is reachable from internet, and someone from internet is sending packets destined to 203.0.113.4, .5., 6, ...through to 203.0.113.254, this will trigger these messages IF the volume of such traffic is large enough (>3Kpps).

HTH

Thx

Alex

the so any solution for this situation? I do RE filter protection. when I see these logs, any else effect? thanks so much for a reply

Hello,

RE filter is executed before Trio DDOS protection and cannot affect resolve requests which are internal-to-the-router.

You need to tighten the resolve policer to much lower value (default 3Kpps with 5Kpackets burst)

show ddos-protection protocols parameters brief | grep resolv 
resolve     aggregate   5000      10000  --       300       yes      --     no 
resolve     other       2000      2000   Low      300       yes      no     no 
resolve     ucast-v4    3000      5000   Low      300       yes      no     no 
resolve     mcast-v4    3000      5000   Low      300       yes      no     no 
resolve     ucast-v6    3000      5000   Low      300       yes      no     no 
resolve     mcast-v6    3000      5000   Low      300       yes      no     no 

I suggest You reconfigure the resolve-ucast-v4 policer to 100 pps as a 1st step towards resolution:

set system ddos-protection protocols resolve ucast-v4 bandwidth 100 
set system ddos-protection protocols resolve ucast-v4 burst 100 

---

@xinhui jiang wrote:

when I see these logs, any else effect? 

---

Well, You just experienced the effect - "unable to log in via SSH" because Your RE was too busy.

And likely Your routing protocols went down as well.

HTH

Thx

Alex

I do not see routing protocols went down. by the way, when I see the logs, these packets will send from FPC PFE to RE, right?

Hello there,

---

@xinhui jiang wrote:

I do not see routing protocols went down. by the way,

 Ok, good to know.

---

@xinhui jiang wrote:

, when I see the logs, these packets will send from FPC PFE to RE, right?

---

 The resolve:ucast-v4 are requests internally generated by FPC CPU and sent to RE so that RE can then send an ARP request out.

 HTH

Thx
Alex