This message was posted by a user wishing to remain anonymous
"The best practice is to apply a filter to your lo0 loopback interface and manually control which control plane traffic is allowed inbound." -- This is extremely important and accurate, @jsullivan.
Original Message:
Sent: 12-20-2024 13:27
From: jsullivan
Subject: DDOS_PROTOCOL_VIOLATION
IPMC is for IP Multicast traffic. Something is bombarding your EX with multicast traffic. Possibly another networking device trying to establish an OSPF neighborship over 224.0.0.5 as a potential example.
Do you have any IRBs configured? To drill down further, try taking a pcap of all host-bound multicast traffic. Then pull the file from the EX, analyze it in Wireshark, and see what jumps out. The command below should do it. Then use a file transfer application like FileZilla to pull the <filename> down from the /var/tmp folder.
monitor traffic interface irb no-resolve size 1500 matching "net 224.0.0.0/4" layer2-headers write-file /var/tmp/<filename>.pcap
Analyzing culprit flows is another good one, but I know that it's only supported on certain models.
The best practice is to apply a filter to your lo0 loopback interface and manually control which control plane traffic is allowed inbound.
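One way to get the "what jumps out" step without hand-scrolling the capture, as an added example that is not from this thread, from jsullivan, or from Juniper: a pure-Python reader for the classic libpcap file that "monitor traffic ... write-file" produces, which counts multicast packets per source MAC, source IP, group and IP protocol so the heaviest sender stands out. The sample capture, MAC addresses and 10.0.0.x hosts below are constructed for the example; the IP protocol numbers (2 IGMP, 89 OSPF, 103 PIM) are the IANA-assigned ones.

```python
"""Top talkers for host-bound multicast in a pcap (added example, not the
thread's or Juniper's code). Decodes a classic libpcap file in pure Python,
keeps Ethernet/IPv4 frames addressed to 224.0.0.0/4, and counts packets per
(source MAC, source IP, group, protocol). pcapng files are not handled."""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {2: "igmp", 17: "udp", 89: "ospf", 103: "pim"}  # IANA numbers


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload=b""):
    """Ethernet II + IPv4 frame for the constructed sample. The IPv4 header
    checksum is left at 0: the parser does not verify it."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         1, proto, 0, bytes(src_ip), bytes(dst_ip))
    return bytes(dst_mac) + bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


def multicast_mac(group):
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group."""
    return bytes([0x01, 0x00, 0x5E, group[1] & 0x7F, group[2], group[3]])


def build_pcap(frames):
    """Little-endian classic pcap: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1734000000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


def iter_packets(data):
    """Yield each captured frame from a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    off = 24                  # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def multicast_talkers(data):
    """Count multicast packets per (src MAC, src IP, group, protocol name)."""
    counts = Counter()
    for pkt in iter_packets(data):
        if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
            continue          # not IPv4, or too short for an IPv4 header
        dst_ip = pkt[30:34]
        if not 224 <= dst_ip[0] <= 239:
            continue          # unicast: not what the IPMC policer counts
        src_mac = ":".join(f"{b:02x}" for b in pkt[6:12])
        src_ip = ".".join(str(b) for b in pkt[26:30])
        group = ".".join(str(b) for b in dst_ip)
        proto = PROTO_NAMES.get(pkt[23], str(pkt[23]))
        counts[(src_mac, src_ip, group, proto)] += 1
    return counts


def top_talkers(data, n=3):
    return multicast_talkers(data).most_common(n)


# Constructed sample: a neighbour sending OSPF hellos to 224.0.0.5, one IGMP
# report to 224.0.0.1, and a unicast UDP packet that must be ignored.
_OSPF_SRC, _ALL_OSPF, _ALL_HOSTS = (10, 0, 0, 2), (224, 0, 0, 5), (224, 0, 0, 1)
SAMPLE_PCAP = build_pcap(
    [build_frame(b"\x00\x11\x22\x33\x44\x55", multicast_mac(_ALL_OSPF),
                 _OSPF_SRC, _ALL_OSPF, 89, b"\x02\x01") for _ in range(5)]
    + [build_frame(b"\x00\xaa\xbb\xcc\xdd\xee", multicast_mac(_ALL_HOSTS),
                   (10, 0, 0, 9), _ALL_HOSTS, 2, b"\x16")]
    + [build_frame(b"\x00\xaa\xbb\xcc\xdd\xee", b"\x00\x11\x22\x33\x44\x55",
                   (10, 0, 0, 9), (10, 0, 0, 1), 17, b"x")]
)

if __name__ == "__main__":
    for key, n in top_talkers(SAMPLE_PCAP):
        print(f"{n:6d}  {key}")
```

On a real capture, replace SAMPLE_PCAP with the bytes of the file pulled from /var/tmp; the source MAC column is the useful one on an IRB, since it identifies the port-facing neighbour even when the source IP is not in a subnet you recognise.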
Original Message:
Sent: 12-20-2024 03:45
From: ESAA
Subject: DDOS_PROTOCOL_VIOLATION
Hi,
I am observing a high number of error messages in one of our EX4600 switches. Here's an example of the message:
Dec 19 06:01:40 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1041 times, from 2024-12-19 04:20:41 CET to 2024-12-19 05:56:39 CET
Dec 19 06:04:00 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1042 times, started at 2024-12-19 06:04:00 CET
Dec 19 08:03:51 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 699 times, from 2024-12-19 05:25:17 CET to 2024-12-19 07:58:50 CET
Dec 19 08:04:56 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 700 times, started at 2024-12-19 08:04:56 CET
Dec 19 08:44:21 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 700 times, from 2024-12-19 08:04:56 CET to 2024-12-19 08:39:20 CET
Dec 19 08:45:27 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 701 times, started at 2024-12-19 08:45:26 CET
Dec 19 08:56:32 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 701 times, from 2024-12-19 08:45:26 CET to 2024-12-19 08:51:31 CET
Dec 19 08:57:37 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 702 times, started at 2024-12-19 08:57:37 CET
Dec 19 13:30:32 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 702 times, from 2024-12-19 08:57:37 CET to 2024-12-19 13:25:31 CET
Dec 19 13:31:27 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 703 times, started at 2024-12-19 13:31:26 CET
Dec 19 13:36:27 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 703 times, from 2024-12-19 13:31:26 CET to 2024-12-19 13:31:26 CET
Dec 19 13:37:07 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 704 times, started at 2024-12-19 13:37:07 CET
Dec 20 02:31:02 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 704 times, from 2024-12-19 13:37:07 CET to 2024-12-20 02:26:01 CET
Dec 20 02:31:53 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1042 times, from 2024-12-19 06:04:00 CET to 2024-12-20 02:26:52 CET
Dec 20 03:18:51 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1043 times, started at 2024-12-20 03:18:50 CET
Dec 20 04:35:01 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1043 times, from 2024-12-20 03:18:50 CET to 2024-12-20 04:29:59 CET
Dec 20 04:39:41 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1044 times, started at 2024-12-20 04:39:40 CET
Dec 20 04:44:42 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1044 times, from 2024-12-20 04:39:40 CET to 2024-12-20 04:39:40 CET
Dec 20 04:50:22 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1045 times, started at 2024-12-20 04:50:22 CET
Dec 20 05:24:32 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 705 times, started at 2024-12-20 05:24:31 CET
Dec 20 05:29:32 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 705 times, from 2024-12-20 05:24:31 CET to 2024-12-20 05:24:31 CET
Dec 20 05:32:13 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 706 times, started at 2024-12-20 05:32:12 CET
Dec 20 05:37:13 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 706 times, from 2024-12-20 05:32:12 CET to 2024-12-20 05:32:12 CET
Dec 20 05:42:44 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 707 times, started at 2024-12-20 05:42:43 CET
Dec 20 05:47:44 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 707 times, from 2024-12-20 05:42:43 CET to 2024-12-20 05:42:43 CET
Dec 20 05:48:19 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 708 times, started at 2024-12-20 05:48:19 CET
Dec 20 05:53:20 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 708 times, from 2024-12-20 05:48:19 CET to 2024-12-20 05:48:19 CET
Dec 20 05:54:00 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 709 times, started at 2024-12-20 05:54:00 CET
Dec 20 06:01:22 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 709 times, from 2024-12-20 05:54:00 CET to 2024-12-20 05:56:20 CET
Dec 20 06:01:46 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1045 times, from 2024-12-20 04:50:22 CET to 2024-12-20 05:56:45 CET
Dec 20 06:02:06 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 710 times, started at 2024-12-20 06:02:06 CET
Dec 20 06:18:43 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1046 times, started at 2024-12-20 06:18:43 CET
Dec 20 06:23:44 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1046 times, from 2024-12-20 06:18:43 CET to 2024-12-20 06:18:43 CET
Dec 20 06:26:34 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1047 times, started at 2024-12-20 06:26:34 CET
Dec 20 08:20:27 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1047 times, from 2024-12-20 06:26:34 CET to 2024-12-20 08:15:26 CET
Dec 20 08:20:27 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 710 times, from 2024-12-20 06:02:06 CET to 2024-12-20 08:15:26 CET
This is just an observation, and there have been no complaints from customers about packet drops or other issues. However, I can't seem to determine where this traffic is originating from. Can anyone point me in the right direction or suggest additional methods to pinpoint the source of this traffic?
Protocol       Packet     Received      Dropped      Rate   Violation  State
group          type       (packets)     (packets)    (pps)  counts
ipmc-reserved  aggregate  10418707156   5114582999   64     1757       ok

Protocol       Packet     Bandwidth  Burst   Priority  Recover    Policer  Bypass  FPC
group          type       (pps)      (pkts)            time(sec)  enabled  aggr.   mod
ipmc-reserved  aggregate  1500       200     --        300        yes      --      no
------------------------------
ESAA
------------------------------
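The SET/CLEAR pairs above carry enough to answer "how bad is it" before the pcap is even taken: each CLEAR line states the exact window during which the policer was exceeded on that FPC. The script below is an added example for this thread, not code from ESAA's post or from Juniper. It parses lines of exactly the shape posted (Junos spells it "bandwidth" in the SET text and "bandwith" in the CLEAR text, and the parser accepts both), pairs them into episodes per FPC, and reports total time over the policer, the longest episode, and how many episodes had identical from/to timestamps, i.e. a single burst against the 1500 pps / 200-packet policer shown in the parameters output. The sample lines are copied from the post; the single mgd line is constructed to show that unrelated syslog is skipped.

```python
"""Pair jddosd DDOS_PROTOCOL_VIOLATION_SET/_CLEAR lines into episodes.
Added example for this thread (not the poster's or Juniper's code)."""
import re
from collections import defaultdict
from datetime import datetime

_TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
# SET says "bandwidth", CLEAR says "bandwith": bandwi\w+ matches both.
_SET = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: .*protocol/exception (\S+) exceeded its allowed "
    r"bandwi\w+ at fpc (\d+) for (\d+) times, started at " + _TS)
_CLEAR = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_CLEAR: .*protocol/exception (\S+) has returned to normal\. "
    r"Its allowed bandwi\w+ was exceeded at fpc (\d+) for (\d+) times, from "
    + _TS + r" \S+ to " + _TS)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_ddos_events(lines):
    """One dict per SET/CLEAR line; any other syslog line is skipped."""
    events = []
    for line in lines:
        m = _SET.search(line)
        if m:
            proto, fpc, count, start = m.groups()
            events.append({"kind": "set", "protocol": proto, "fpc": int(fpc),
                           "count": int(count), "start": _ts(start), "end": None})
            continue
        m = _CLEAR.search(line)
        if m:
            proto, fpc, count, start, end = m.groups()
            events.append({"kind": "clear", "protocol": proto, "fpc": int(fpc),
                           "count": int(count), "start": _ts(start), "end": _ts(end)})
    return events


def summarize_episodes(events):
    """Per-FPC summary from CLEAR events, which carry the complete window."""
    summary = defaultdict(lambda: {"episodes": 0, "total_seconds": 0,
                                   "longest_seconds": 0, "zero_length": 0})
    for ev in events:
        if ev["kind"] != "clear":
            continue
        s = summary[ev["fpc"]]
        secs = int((ev["end"] - ev["start"]).total_seconds())
        s["episodes"] += 1
        s["total_seconds"] += secs
        s["longest_seconds"] = max(s["longest_seconds"], secs)
        if secs == 0:
            s["zero_length"] += 1   # from == to: one burst, not a sustained flow
    return dict(summary)


def drop_ratio(received, dropped):
    """Share of policed packets discarded, from the statistics output."""
    return dropped / received if received else 0.0


# Lines 1-4 are copied from the thread; line 5 is a constructed unrelated message.
SAMPLE_LINES = [
    "Dec 20 03:18:51 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1043 times, started at 2024-12-20 03:18:50 CET",
    "Dec 20 04:35:01 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1043 times, from 2024-12-20 03:18:50 CET to 2024-12-20 04:29:59 CET",
    "Dec 20 05:29:32 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 705 times, from 2024-12-20 05:24:31 CET to 2024-12-20 05:24:31 CET",
    "Dec 20 08:20:27 AN-SW-DCOA01 jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 710 times, from 2024-12-20 06:02:06 CET to 2024-12-20 08:15:26 CET",
    "Dec 20 08:21:00 AN-SW-DCOA01 mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation (constructed line)",
]

if __name__ == "__main__":
    for fpc, s in sorted(summarize_episodes(parse_ddos_events(SAMPLE_LINES)).items()):
        print(f"fpc {fpc}: {s}")
    print(f"dropped share: {drop_ratio(10418707156, 5114582999):.1%}")
```

Two things the numbers make visible: the CLEAR line is logged about five minutes after the window's "to" timestamp (04:29:59 versus 04:35:01), which is the 300-second recover time in the parameters output, so a run of SET/CLEAR pairs a few minutes apart is one continuous offender, not several; and the statistics line says roughly 49% of the 10.4 billion IPMC-reserved packets seen were dropped, so the policer is doing its job for the RE while the underlying sender is still unidentified.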