Routing


  • 1.  DDOS violation logs on Router reboot

    Posted 18 days ago
    I have come across a case in which an MX480 router running JUNOS 17.3R3 froze for 2 hours until it was rebooted, and the backup router started generating DDOS_SCFD_FLOW_FOUND logs continuously. When the device came up after the reboot, it too started generating the same DDOS_SCFD_FLOW_FOUND logs.
    Though they later cleared as well, with the logs DDOS_SCFD_FLOW_RETURN_NORMAL and DDOS_PROTOCOL_VIOLATION_CLEAR.
    The DDOS protection in the configuration is set to 1000.

    ddos-protection {
        global {
            flow-detection;
        }
        protocols {
            reject {
                aggregate {
                    bandwidth 1000;
                }
            }
        }
    }


    ------------------------------
    Nitz
    ------------------------------


  • 2.  RE: DDOS violation logs on Router reboot

    Posted 16 days ago
    How do you know that it's a ddos flow detection for the «reject» pseudoprotocol?
    If it's really reject, how come you use reject instead of discard in your filters? Any special need?

    ------------------------------
    Olivier Benghozi
    ------------------------------



  • 3.  RE: DDOS violation logs on Router reboot

    Posted 16 days ago
    Hi Oliver,
    I have this log corresponding to it:
    DDOS_SCFD_FLOW_FOUND: A new flow of protocol Reject:aggregate on <interface> with sourc addr <IP>  is found at <DATE> <TIME>

    ------------------------------
    Nits
    ------------------------------



  • 4.  RE: DDOS violation logs on Router reboot

    Posted 16 days ago
    Maybe you have some fw filter using «reject» action in your config ?

    > show configuration firewall | display set | match reject

    Then you may replace «reject» by «discard» and get rid of this mess.

    ------------------------------
    Olivier Benghozi
    ------------------------------



  • 5.  RE: DDOS violation logs on Router reboot

    Posted 16 days ago
    Hello Oliver,

    We only encountered these logs when one router was down; it appeared on the other device, and when the first device came up it only appeared for 2 minutes. Is it possible this flow was generated since the traffic diverted to the second device during the downtime and it was above its threshold limit?

    ------------------------------
    NITIKA THAKUR
    ------------------------------



  • 6.  RE: DDOS violation logs on Router reboot

    Posted 16 days ago
    By the way, maybe you have some static routes toward reject and/or generate/aggregate toward reject.
    They should be toward discard instead.

    But it's true that when a router goes down, another one can be in a situation of dropping/rejecting the traffic; the right way is to drop it (discard) instead of rejecting it (generating one ICMP for each dropped packet).
    You might see some «ddos» messages talking about ttl expired in such a situation (for example) because of exceeded thresholds, but reject is something you probably don't want to have.

    ------------------------------
    Olivier Benghozi
    ------------------------------
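    To triage logs like the ones in this thread, the following added script (not from the thread or from Juniper) parses DDOS_SCFD_FLOW_FOUND / DDOS_SCFD_FLOW_RETURN_NORMAL lines, counts flows per protocol group and interface, and flags the Reject pseudoprotocol as a configuration issue (reject actions answering every dropped packet with ICMP) rather than an attack. The sample syslog lines are constructed here, and the wording of the RETURN_NORMAL message is an assumption modelled on the FLOW_FOUND message quoted above.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped after the DDOS_SCFD_FLOW_FOUND message quoted in the
# thread; the RETURN_NORMAL wording is an assumption, not copied from a real router.
SAMPLE_LOGS = """\
Jan  1 10:00:01 mx480-b jddosd[1234]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Reject:aggregate on xe-0/0/0.0 with source addr 203.0.113.7 is found at 2024-01-01 10:00:01
Jan  1 10:00:02 mx480-b jddosd[1234]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Reject:aggregate on xe-0/0/0.0 with source addr 203.0.113.9 is found at 2024-01-01 10:00:02
Jan  1 10:00:05 mx480-b jddosd[1234]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol TTL:aggregate on ae1.100 with source addr 198.51.100.4 is found at 2024-01-01 10:00:05
Jan  1 10:02:10 mx480-b jddosd[1234]: DDOS_SCFD_FLOW_RETURN_NORMAL: A flow of protocol Reject:aggregate on xe-0/0/0.0 with source addr 203.0.113.7 has returned to normal at 2024-01-01 10:02:10
"""

# "sourc(?:e)?" tolerates the truncated "sourc addr" spelling seen in the quoted log.
FLOW_RE = re.compile(
    r"(?P<event>DDOS_SCFD_FLOW_FOUND|DDOS_SCFD_FLOW_RETURN_NORMAL): .*?protocol "
    r"(?P<proto>\S+) on (?P<ifl>\S+) with sourc(?:e)? addr (?P<src>\S+)"
)


def parse_flows(text):
    """Return {(protocol_group, interface): {found, cleared, sources}} from syslog text."""
    stats = defaultdict(lambda: {"found": 0, "cleared": 0, "sources": set()})
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        key = (m["proto"], m["ifl"])
        if m["event"] == "DDOS_SCFD_FLOW_FOUND":
            stats[key]["found"] += 1
            stats[key]["sources"].add(m["src"])
        else:
            stats[key]["cleared"] += 1
    return dict(stats)


def config_findings(stats):
    """Flag flow groups caused by 'reject' actions (filters, static/aggregate routes):
    each rejected packet triggers an ICMP reply, so a traffic shift on failover can
    push the Reject pseudoprotocol over its bandwidth limit. 'discard' does not."""
    findings = []
    for (proto, ifl), s in sorted(stats.items()):
        if proto.lower().startswith("reject:"):
            findings.append(
                f"{proto} on {ifl}: {s['found']} flow(s) from {len(s['sources'])} "
                f"source(s), {s['found'] - s['cleared']} still active; audit "
                f"'reject' actions and replace them with 'discard'")
    return findings


if __name__ == "__main__":
    for finding in config_findings(parse_flows(SAMPLE_LOGS)):
        print(finding)
```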



  • 7.  RE: DDOS violation logs on Router reboot

    Posted 16 days ago
    Thanks Oliver. This will be helpful.

    ------------------------------
    Nitz
    ------------------------------