By the way, maybe you have some static routes toward reject and/or generate/aggregate routes toward reject.
They should point toward discard instead.
But it's true that when a router goes down, another one can end up in the situation of dropping/rejecting the traffic; the right way is to drop it (discard) instead of rejecting it (generating one ICMP for each dropped packet).
You might see some «ddos» messages talking about ttl expired in such a situation (for example) because of exceeded thresholds, but reject is something you probably don't want to have.
------------------------------
Olivier Benghozi
------------------------------
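As an added illustration (not part of the thread, and not taken from the poster's device), here is a Junos configuration sketch contrasting the "reject" pattern discussed above with the "discard" alternative, alongside the ddos-protection stanza from the original post. The prefixes, prefix-list name and filter name are invented placeholders. A static, generate or aggregate route pointing to reject makes the router answer every matching packet with an ICMP unreachable, and that ICMP generation is what the ddos-protection "reject" protocol group polices; pointing the same routes (and filter terms) to discard drops the packets silently, so nothing is counted against that policer.

```junos
/* Pattern to avoid: routes and filter terms that answer with ICMP unreachables */
routing-options {
    static {
        route 198.51.100.0/24 reject;          /* each matching packet triggers an ICMP reply */
    }
    aggregate {
        route 203.0.113.0/24 reject;           /* same problem for aggregate/generate routes */
    }
}

/* Preferred: silently drop unroutable traffic */
routing-options {
    static {
        route 192.0.2.0/24 discard;            /* null-route, no ICMP generated */
    }
    aggregate {
        route 203.0.113.0/24 discard;
    }
}

firewall {
    family inet {
        filter EDGE-IN {                       /* placeholder filter name */
            term drop-bogons {
                from {
                    source-prefix-list BOGONS; /* placeholder prefix-list name */
                }
                then {
                    discard;                   /* not "reject": no ICMP back to the sender */
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
}

/* The policer from the original post; it only matters while something still uses reject */
system {
    ddos-protection {
        global {
            flow-detection;
        }
        protocols {
            reject {
                aggregate {
                    bandwidth 1000;
                }
            }
        }
    }
}
```

After changing routes or filter terms from reject to discard, `show ddos-protection protocols reject statistics` (an existing Junos operational command) should stop showing that policer's counters climbing when a neighbouring router fails and its traffic lands on this one.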
Original Message:
Sent: 07-28-2022 12:52
From: NITIKA THAKUR
Subject: DDOS violation logs on Router reboot
Hello Olivier,
We only encountered these logs when one router was down; they appeared on the other device, and when the first device came up they only appeared for 2 minutes. Is it possible this flow was generated because the traffic was diverted to the second device during the downtime and it was above its threshold limit?
------------------------------
NITIKA THAKUR
Original Message:
Sent: 07-28-2022 12:02
From: NITIKA THAKUR
Subject: DDOS violation logs on Router reboot
Hi Olivier,
I have this log corresponding to it:
DDOS_SCFD_FLOW_FOUND: A new flow of protocol Reject:aggregate on <interface> with source addr <IP> is found at <DATE> <TIME>
------------------------------
Nits
Original Message:
Sent: 07-28-2022 11:02
From: Olivier Benghozi
Subject: DDOS violation logs on Router reboot
How do you know that it's a ddos flow detection for the «reject» pseudo-protocol?
If it's really reject, how come you use reject instead of discard in your filters? Any special need?
------------------------------
Olivier Benghozi
Original Message:
Sent: 07-26-2022 17:07
From: NITIKA THAKUR
Subject: DDOS violation logs on Router reboot
I have come across a case in which an MX480 router running JUNOS 17.3R3 froze for 2 hours until it was rebooted, and the backup router started generating DDOS_SCFD_FLOW_FOUND logs continuously. When the device came up after the reboot, it too started generating the same DDOS_SCFD_FLOW_FOUND logs.
They later cleared as well, with the logs DDOS_SCFD_FLOW_RETURN_NORMAL and DDOS_PROTOCOL_VIOLATION_CLEAR.
The DDoS protection in the configuration is set to 1000:
ddos-protection {
    global {
        flow-detection;
    }
    protocols {
        reject {
            aggregate {
                bandwidth 1000;
            }
        }
    }
}
------------------------------
NITIKA THAKUR
------------------------------