Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  DDOS_PROTOCOL_VIOLATION

    Posted 12-20-2024 03:45
    Edited by ESAA 19 days ago

    Hi, 

    I am observing a high number of error messages in one of our EX4600 switches. Here's an example of the message:

    Dec 19 06:01:40  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1041 times, from 2024-12-19 04:20:41 CET to 2024-12-19 05:56:39 CET
    Dec 19 06:04:00  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1042 times, started at 2024-12-19 06:04:00 CET
    Dec 19 08:03:51  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 699 times, from 2024-12-19 05:25:17 CET to 2024-12-19 07:58:50 CET
    Dec 19 08:04:56  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 700 times, started at 2024-12-19 08:04:56 CET
    Dec 19 08:44:21  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 700 times, from 2024-12-19 08:04:56 CET to 2024-12-19 08:39:20 CET
    Dec 19 08:45:27  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 701 times, started at 2024-12-19 08:45:26 CET
    Dec 19 08:56:32  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 701 times, from 2024-12-19 08:45:26 CET to 2024-12-19 08:51:31 CET
    Dec 19 08:57:37  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 702 times, started at 2024-12-19 08:57:37 CET
    Dec 19 13:30:32  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 702 times, from 2024-12-19 08:57:37 CET to 2024-12-19 13:25:31 CET
    Dec 19 13:31:27  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 703 times, started at 2024-12-19 13:31:26 CET
    Dec 19 13:36:27  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 703 times, from 2024-12-19 13:31:26 CET to 2024-12-19 13:31:26 CET
    Dec 19 13:37:07  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 704 times, started at 2024-12-19 13:37:07 CET
    Dec 20 02:31:02  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 704 times, from 2024-12-19 13:37:07 CET to 2024-12-20 02:26:01 CET
    Dec 20 02:31:53  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1042 times, from 2024-12-19 06:04:00 CET to 2024-12-20 02:26:52 CET
    Dec 20 03:18:51  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1043 times, started at 2024-12-20 03:18:50 CET
    Dec 20 04:35:01  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1043 times, from 2024-12-20 03:18:50 CET to 2024-12-20 04:29:59 CET
    Dec 20 04:39:41  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1044 times, started at 2024-12-20 04:39:40 CET
    Dec 20 04:44:42  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1044 times, from 2024-12-20 04:39:40 CET to 2024-12-20 04:39:40 CET
    Dec 20 04:50:22  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1045 times, started at 2024-12-20 04:50:22 CET
    Dec 20 05:24:32  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 705 times, started at 2024-12-20 05:24:31 CET
    Dec 20 05:29:32  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 705 times, from 2024-12-20 05:24:31 CET to 2024-12-20 05:24:31 CET
    Dec 20 05:32:13  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 706 times, started at 2024-12-20 05:32:12 CET
    Dec 20 05:37:13  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 706 times, from 2024-12-20 05:32:12 CET to 2024-12-20 05:32:12 CET
    Dec 20 05:42:44  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 707 times, started at 2024-12-20 05:42:43 CET
    Dec 20 05:47:44  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 707 times, from 2024-12-20 05:42:43 CET to 2024-12-20 05:42:43 CET
    Dec 20 05:48:19  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 708 times, started at 2024-12-20 05:48:19 CET
    Dec 20 05:53:20  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 708 times, from 2024-12-20 05:48:19 CET to 2024-12-20 05:48:19 CET
    Dec 20 05:54:00  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 709 times, started at 2024-12-20 05:54:00 CET
    Dec 20 06:01:22  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 709 times, from 2024-12-20 05:54:00 CET to 2024-12-20 05:56:20 CET
    Dec 20 06:01:46  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1045 times, from 2024-12-20 04:50:22 CET to 2024-12-20 05:56:45 CET
    Dec 20 06:02:06  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 710 times, started at 2024-12-20 06:02:06 CET
    Dec 20 06:18:43  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1046 times, started at 2024-12-20 06:18:43 CET
    Dec 20 06:23:44  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1046 times, from 2024-12-20 06:18:43 CET to 2024-12-20 06:18:43 CET
    Dec 20 06:26:34  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1047 times, started at 2024-12-20 06:26:34 CET
    Dec 20 08:20:27  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1047 times, from 2024-12-20 06:26:34 CET to 2024-12-20 08:15:26 CET
    Dec 20 08:20:27  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 710 times, from 2024-12-20 06:02:06 CET to 2024-12-20 08:15:26 CET

    This is just an observation, and there have been no complaints from customers about packet drops or other issues. However, I can't seem to determine where this traffic is originating from. Can anyone point me in the right direction or suggest additional methods to pinpoint the source of this traffic?

    Protocol    Packet      Received        Dropped        Rate     Violation State
    group       type        (packets)       (packets)      (pps)    counts
    ipmc-reserved aggregate 10418707156     5114582999     64       1757      ok

    Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
    group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
    ipmc-reserved aggregate 1500      200    --       300       yes      --     no



    ------------------------------
    ESAA
    ------------------------------
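The SET/CLEAR pairs above can be reduced to per-FPC episodes (how long each one lasted, and whether any are still open) before reaching for culprit flows or a capture. This is an added example, not code from the post or from Juniper; it assumes the jddosd message format shown above and uses lines copied from it as sample input.

```python
import re
from datetime import datetime

# Sample lines copied from the post above: an orphan CLEAR, a SET/CLEAR pair, an open SET, a zero-length episode.
SAMPLE_LOG = """
Dec 20 02:31:53  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1042 times, from 2024-12-19 06:04:00 CET to 2024-12-20 02:26:52 CET
Dec 20 03:18:51  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1043 times, started at 2024-12-20 03:18:50 CET
Dec 20 04:35:01  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 1043 times, from 2024-12-20 03:18:50 CET to 2024-12-20 04:29:59 CET
Dec 20 04:50:22  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1045 times, started at 2024-12-20 04:50:22 CET
Dec 20 05:24:32  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 1 for 705 times, started at 2024-12-20 05:24:31 CET
Dec 20 05:29:32  AN-SW-SW jddosd[2199]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception IPMC-reserved:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 705 times, from 2024-12-20 05:24:31 CET to 2024-12-20 05:24:31 CET
""".strip().splitlines()

TS = "%Y-%m-%d %H:%M:%S"
_T = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
SET_RE = re.compile(r"VIOLATION_SET: .*?protocol/exception\s+(?P<proto>\S+) .*?at fpc (?P<fpc>\d+) "
                    r"for (?P<count>\d+) times, started at (?P<start>" + _T + ")")
CLEAR_RE = re.compile(r"VIOLATION_CLEAR: .*?protocol/exception\s+(?P<proto>\S+) .*?at fpc (?P<fpc>\d+) "
                      r"for (?P<count>\d+) times, from (?P<start>" + _T + r") \S+ to (?P<end>" + _T + ")")

def parse_violations(lines):
    """Pair SET/CLEAR by (protocol, fpc, count); CLEAR without SET still counts, SET without CLEAR is open."""
    episodes = {}
    for line in lines:
        m = SET_RE.search(line) or CLEAR_RE.search(line)
        if not m:
            continue
        key = (m["proto"], int(m["fpc"]), int(m["count"]))
        ep = episodes.setdefault(key, {"proto": key[0], "fpc": key[1], "count": key[2],
                                       "start": None, "end": None})
        ep["start"] = ep["start"] or datetime.strptime(m["start"], TS)
        if "end" in m.groupdict():          # only the CLEAR pattern carries an end time
            ep["end"] = datetime.strptime(m["end"], TS)
    out = [{**ep, "duration_s": (ep["end"] - ep["start"]).total_seconds() if ep["end"] else None}
           for ep in episodes.values()]
    return sorted(out, key=lambda e: (e["fpc"], e["count"]))

def summarize(episodes):
    """Per-FPC roll-up: episodes seen, seconds over the policer limit (closed episodes), episodes still open."""
    summary = {}
    for ep in episodes:
        s = summary.setdefault(ep["fpc"], {"episodes": 0, "over_limit_s": 0.0, "open": 0})
        s["episodes"] += 1
        if ep["duration_s"] is None:
            s["open"] += 1
        else:
            s["over_limit_s"] += ep["duration_s"]
    return summary
```

An episode whose CLEAR reports the same start and end time (duration 0) is a single burst rather than sustained traffic; the open ones are the windows worth checking with culprit flows while they are still active.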



  • 2.  RE: DDOS_PROTOCOL_VIOLATION

    This message was posted by a user wishing to remain anonymous
    Posted 12-20-2024 07:58

    It looks like it's happening on both fpc0 and fpc1. 

    Here is a culprit flow command reference to see where it's coming from.

    show ddos-protection protocols culprit-flows | Junos OS | Juniper Networks




  • 3.  RE: DDOS_PROTOCOL_VIOLATION

    Posted 12-20-2024 13:27
    Edited by jsullivan 12-20-2024 13:37

    IPMC is for IP Multicast traffic.  Something is bombarding your EX with multicast traffic.  Possibly another networking device trying to establish an OSPF neighborship over 224.0.0.5 as a potential example.

    Do you have any IRBs configured?  To drill down further, try taking a pcap of all host-bound multicast traffic.  Then pull the file from the EX, analyze in Wireshark, and see what jumps out.  The command below should do it.  Then use a file transfer application like Filezilla to pull the <filename> down from the /var/tmp folder

    monitor traffic interface irb no-resolve size 1500 matching "net 224.0.0.0/4" layer2-headers write-file /var/tmp/<filename>.pcap

    Analyzing culprit flows is another good one, but I know that it's only supported on certain models.

    The best practice is to apply a filter to your lo0 loopback interface and manually control which control plane traffic is allowed inbound.




  • 4.  RE: DDOS_PROTOCOL_VIOLATION

    This message was posted by a user wishing to remain anonymous
    Posted 12-20-2024 14:15

    "The best practice is to apply a filter to your lo0 loopback interface and manually control which control plane traffic is allowed inbound. "--This is extremely important and accurate @jsullivan. 




  • 5.  RE: DDOS_PROTOCOL_VIOLATION

    Posted 18 days ago
    Edited by ESAA 15 days ago

    Hi, thanks for your response!

    I have tried capturing traffic on the active IRB interface and the lo0 interface. However, I am not seeing any multicast traffic. I do, however, observe OSPF Hello messages being sent over the AE interface between two of our core switches. Could this be the issue? We do not use OSPF in our network.

    For context, the following filters are currently applied to my lo0 interface:

    set firewall family inet filter PROTECT-RE interface-specific
    set firewall family inet filter PROTECT-RE term MANAGEMENT from source-prefix-list MANAGEMENT
    set firewall family inet filter PROTECT-RE term MANAGEMENT then accept
    set firewall family inet filter PROTECT-RE term ESTABLISHED from protocol tcp
    set firewall family inet filter PROTECT-RE term ESTABLISHED from tcp-established
    set firewall family inet filter PROTECT-RE term ESTABLISHED then accept
    set firewall family inet filter PROTECT-RE term IGMP from protocol igmp
    set firewall family inet filter PROTECT-RE term IGMP then accept
    set firewall family inet filter PROTECT-RE term DHCP from source-address 0.0.0.0/32
    set firewall family inet filter PROTECT-RE term DHCP from destination-address 255.255.255.255/32
    set firewall family inet filter PROTECT-RE term DHCP from protocol udp
    set firewall family inet filter PROTECT-RE term DHCP from source-port 68
    set firewall family inet filter PROTECT-RE term DHCP from destination-port 67
    set firewall family inet filter PROTECT-RE term DHCP then discard
    set firewall family inet filter PROTECT-RE term END then count DROP
    set firewall family inet filter PROTECT-RE term END then log
    set firewall family inet filter PROTECT-RE term END then discard
    set interfaces lo0 unit 0 family inet filter input PROTECT-RE

    EDIT:

    The prefix list MANAGEMENT contained the address 0.0.0.0/0, which allowed all traffic. I updated the prefix list with the correct subnets, and the issue was resolved. Thank you for your assistance!


    ------------------------------
    ESAA
    ------------------------------
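The root cause in the edit above (a MANAGEMENT prefix-list containing 0.0.0.0/0, which turns the MANAGEMENT accept term into accept-all and makes the END discard term unreachable) is cheap to catch before commit. The checker below is an added example, not code from the thread or from Juniper; the WEAK and FIXED configs are constructed from the poster's PROTECT-RE filter, the RFC 5737 management subnets are placeholders, and the /16 width threshold is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

PL_RE = re.compile(r"^set policy-options prefix-list (\S+) (\S+)$")
TERM_RE = re.compile(r"^set firewall family inet6? filter (\S+) term (\S+) (from|then) (.+)$")

def parse_set_config(text):
    """Collect prefix-lists (name -> networks) and filter terms ((filter, term) -> from/then clauses)."""
    prefix_lists, terms = defaultdict(list), defaultdict(lambda: {"from": [], "then": []})
    for line in text.strip().splitlines():
        if m := PL_RE.match(line.strip()):
            prefix_lists[m[1]].append(ipaddress.ip_network(m[2], strict=False))
        elif m := TERM_RE.match(line.strip()):
            terms[(m[1], m[2])][m[3]].append(m[4])
    return prefix_lists, terms

def audit_re_filter(text, max_hosts=2**16):
    """Flag accept terms that match everything: no 'from' clause, or a source-prefix-list holding a
    prefix wider than max_hosts addresses (0.0.0.0/0 is the extreme case). The /16 cut-off is an assumption."""
    prefix_lists, terms = parse_set_config(text)
    findings = []
    for (flt, term), clauses in terms.items():
        if "accept" not in clauses["then"]:
            continue
        if not clauses["from"]:
            findings.append(f"{flt}/{term}: accept with no match conditions")
        for cond in clauses["from"]:
            if cond.startswith("source-prefix-list "):
                name = cond.split()[1]
                for net in prefix_lists.get(name, []):
                    if net.num_addresses > max_hosts:
                        findings.append(f"{flt}/{term}: prefix-list {name} contains {net}")
    return findings

# Constructed set-format excerpt modelled on the poster's PROTECT-RE filter.
# WEAK reproduces the reported mistake: the MANAGEMENT prefix-list contains 0.0.0.0/0.
WEAK = """
set policy-options prefix-list MANAGEMENT 0.0.0.0/0
set firewall family inet filter PROTECT-RE term MANAGEMENT from source-prefix-list MANAGEMENT
set firewall family inet filter PROTECT-RE term MANAGEMENT then accept
set firewall family inet filter PROTECT-RE term ESTABLISHED from tcp-established
set firewall family inet filter PROTECT-RE term ESTABLISHED then accept
set firewall family inet filter PROTECT-RE term END then discard
"""
# FIXED swaps in two placeholder management subnets (RFC 5737 documentation space).
FIXED = WEAK.replace("set policy-options prefix-list MANAGEMENT 0.0.0.0/0",
                     "set policy-options prefix-list MANAGEMENT 192.0.2.0/24\n"
                     "set policy-options prefix-list MANAGEMENT 198.51.100.0/24")
```

Run it over the output of "show configuration | display set" from a lab box; the ESTABLISHED term is not flagged because it is narrowed by tcp-established rather than by a prefix-list.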