Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  DDOS violation logs on Router reboot

    Posted 07-26-2022 17:08
    Edited by Nitz 07-28-2022 12:03
    I have come across a case in which an MX480 router running Junos 17.3R3 froze for 2 hours until it was rebooted, and the backup router started generating DDOS_SCFD_FLOW_FOUND logs continuously. When the device came up after the reboot, it also started generating the same DDOS_SCFD_FLOW_FOUND logs.
    They later cleared as well, with the logs DDOS_SCFD_FLOW_RETURN_NORMAL and DDOS_PROTOCOL_VIOLATION_CLEAR.
    The DDoS protection in the configuration is set to 1000:

    ddos-protection {
        global {
            flow-detection;
        }
        protocols {
            reject {
                aggregate {
                    bandwidth 1000;
                }
            }
        }
    }


    ------------------------------
    Nitz
    ------------------------------


  • 2.  RE: DDOS violation logs on Router reboot

    Posted 07-28-2022 11:03
    How do you know that it's a DDoS flow detection for the «reject» pseudo-protocol?
    If it's really reject, how come you use reject instead of discard in your filters? Any special need?

    ------------------------------
    Olivier Benghozi
    ------------------------------



  • 3.  RE: DDOS violation logs on Router reboot

    Posted 07-28-2022 12:03
    Edited by Nitz 07-28-2022 12:03
    Hi Olivier,
    I have this log corresponding to it:
    DDOS_SCFD_FLOW_FOUND: A new flow of protocol Reject:aggregate on <interface> with source addr <IP> is found at <DATE> <TIME>

    ------------------------------
    Nits
    ------------------------------
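The DDOS_SCFD_FLOW_FOUND message quoted above carries the protocol group, the logical interface and the source address, so correlating it with the matching DDOS_SCFD_FLOW_RETURN_NORMAL tells you which sources were still hitting the reject action when a burst like the 2-minute one in this thread ended. The script below is an added example (my code, not from the thread or from Juniper): it parses constructed syslog lines (only the FLOW_FOUND wording follows the post; the RETURN_NORMAL and VIOLATION_CLEAR wording, the hostname and the addresses are assumed), counts events per protocol group, and lists the sources behind Reject:* flows.

```python
import re
from collections import Counter
from datetime import datetime

# Added example, not part of the original thread. The syslog lines below are
# constructed: the FLOW_FOUND wording follows the message quoted in the thread,
# the RETURN_NORMAL and VIOLATION_CLEAR wording is assumed.
SAMPLE_LOG = """\
Jul 26 15:01:02 mx480-b jddosd[2045]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Reject:aggregate on ae1.100 with source addr 198.51.100.7 is found at 2022-07-26 15:01:02 UTC
Jul 26 15:01:03 mx480-b jddosd[2045]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol Reject:aggregate on ae1.100 with source addr 198.51.100.9 is found at 2022-07-26 15:01:03 UTC
Jul 26 15:01:05 mx480-b jddosd[2045]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol TTL:aggregate on ae2.0 with source addr 203.0.113.40 is found at 2022-07-26 15:01:05 UTC
Jul 26 15:04:10 mx480-b jddosd[2045]: DDOS_SCFD_FLOW_RETURN_NORMAL: A flow of protocol Reject:aggregate on ae1.100 with source addr 198.51.100.7 returned to normal at 2022-07-26 15:04:10 UTC
Jul 26 15:04:12 mx480-b jddosd[2045]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 2 for 1 times, from 2022-07-26 15:01:02 UTC to 2022-07-26 15:04:12 UTC
"""

# One pattern for both flow-detection events; the protocol group is the
# "<Group>:<packet type>" token, e.g. Reject:aggregate.
FLOW_RE = re.compile(
    r"(?P<event>DDOS_SCFD_FLOW_FOUND|DDOS_SCFD_FLOW_RETURN_NORMAL): .*?"
    r"protocol (?P<proto>\S+) on (?P<ifl>\S+) with source addr (?P<src>\S+) "
    r".*?at (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


def summarize_flows(log_text):
    """Correlate FLOW_FOUND with FLOW_RETURN_NORMAL per (protocol, ifl, source).

    Returns (found, cleared, open_flows, durations):
      found / cleared - Counter of events per protocol group
      open_flows      - {(proto, ifl, src): found_ts} for flows that never cleared
      durations       - {(proto, ifl, src): seconds} for flows that did clear
    """
    found, cleared = Counter(), Counter()
    open_flows, durations = {}, {}
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # VIOLATION_SET/CLEAR and unrelated lines are ignored here
        key = (m["proto"], m["ifl"], m["src"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["event"] == "DDOS_SCFD_FLOW_FOUND":
            found[m["proto"]] += 1
            open_flows[key] = ts
        else:
            cleared[m["proto"]] += 1
            started = open_flows.pop(key, None)
            if started is not None:
                durations[key] = int((ts - started).total_seconds())
    return found, cleared, open_flows, durations


def reject_sources(log_text):
    """Sorted source addresses whose packets hit a reject action (group Reject:*)."""
    _, _, open_flows, durations = summarize_flows(log_text)
    keys = set(open_flows) | set(durations)
    return sorted({src for proto, _, src in keys if proto.startswith("Reject")})


if __name__ == "__main__":
    found, cleared, open_flows, durations = summarize_flows(SAMPLE_LOG)
    for proto in found:
        print(f"{proto}: {found[proto]} found, {cleared[proto]} returned to normal")
    for key, secs in durations.items():
        print(f"cleared after {secs}s: {key}")
    for key in open_flows:
        print(f"still open: {key}")
    print("sources hitting reject:", reject_sources(SAMPLE_LOG))
```

The sources this prints are the ones to look up in the filter and route configuration: a Reject:* flow means the packets from that source are being answered with an ICMP error rather than silently dropped.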



  • 4.  RE: DDOS violation logs on Router reboot

    Posted 07-28-2022 12:48
    Maybe you have some firewall filter using the «reject» action in your config?

    > show configuration firewall | display set | match reject

    Then you may replace «reject» with «discard» and get rid of this mess.

    ------------------------------
    Olivier Benghozi
    ------------------------------



  • 5.  RE: DDOS violation logs on Router reboot

    Posted 07-28-2022 12:53
    Hello Olivier,

    We only encountered these logs when one router was down; they appeared on the other device, and when the first device came up they only appeared for 2 minutes. Is it possible this flow was generated because the traffic was diverted to the second device during the downtime and it was above its threshold limit?

    ------------------------------
    NITIKA THAKUR
    ------------------------------



  • 6.  RE: DDOS violation logs on Router reboot

    Posted 07-28-2022 13:19
    By the way, maybe you have some static routes toward reject and/or generate/aggregate routes toward reject.
    They should be toward discard instead.

    But it's true that when a router goes down, another one can be in the situation of dropping/rejecting the traffic; the right way is to drop it (discard) instead of rejecting it (generating one ICMP for each dropped packet).
    You might see some «ddos» messages talking about TTL expired in such a situation (for example) because of exceeded thresholds, but reject is something you probably don't want to have.

    ------------------------------
    Olivier Benghozi
    ------------------------------
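The `show configuration firewall | display set | match reject` check from reply 4, run over the whole configuration, also matches the ddos-protection stanza itself and policy-options `then reject`, which rejects routes during policy evaluation and sends no ICMP. The script below is an added example (my code, not from the thread or from Juniper): it narrows the search to the two places the replies above name that do make the router answer each packet with an ICMP error, firewall filter terms with `then reject` and static/generate/aggregate routes with a reject next hop, and prints the delete/set pairs that switch them to discard. The `display set` lines are constructed; the filter, policy and routing-instance names are made up.

```python
import re

# Added example, not part of the original thread. Constructed "display set"
# output; names and prefixes are made up for illustration.
SAMPLE_SET_CONFIG = """\
set system ddos-protection global flow-detection
set system ddos-protection protocols reject aggregate bandwidth 1000
set firewall family inet filter EDGE-IN term BOGON then reject
set firewall family inet filter EDGE-IN term CLEANUP then accept
set firewall family inet6 filter EDGE6-IN term BOGON6 then reject administratively-prohibited
set routing-options static route 10.0.0.0/8 reject
set routing-options static route 192.0.2.0/24 discard
set routing-options aggregate route 198.51.100.0/22 reject
set routing-instances CUST-A routing-options static route 0.0.0.0/0 reject
set policy-options policy-statement EXPORT-BGP term DENY then reject
"""

# Only the reject actions that generate an ICMP error per packet. The
# policy-options "then reject" (route policy) and the ddos-protection "reject"
# protocol group are deliberately not matched.
PACKET_REJECT_PATTERNS = [
    # firewall filter term action: "then reject" or "then reject <icmp-code>"
    re.compile(r"^(?P<prefix>set firewall (?:family \S+ )?filter \S+ term \S+ then) reject(?: \S+)?$"),
    # static / generate / aggregate routes with a reject next hop, in any instance or rib
    re.compile(r"^(?P<prefix>set (?:routing-instances \S+ )?routing-options (?:rib \S+ )?"
               r"(?:static|generate|aggregate) route \S+) reject$"),
]


def find_packet_rejects(set_lines):
    """Return [(original_set_command, discard_equivalent)] for packet-rejecting actions."""
    hits = []
    for line in set_lines:
        line = line.strip()
        for pat in PACKET_REJECT_PATTERNS:
            m = pat.match(line)
            if m:
                hits.append((line, f"{m['prefix']} discard"))
                break
    return hits


def remediation_commands(set_lines):
    """delete/set pairs: reject and discard are mutually exclusive, so remove reject first."""
    cmds = []
    for original, replacement in find_packet_rejects(set_lines):
        cmds.append(original.replace("set ", "delete ", 1))
        cmds.append(replacement)
    return cmds


if __name__ == "__main__":
    lines = SAMPLE_SET_CONFIG.splitlines()
    for original, replacement in find_packet_rejects(lines):
        print(f"{original}\n  -> {replacement}")
    print("\nconfigure commands:")
    print("\n".join(remediation_commands(lines)))
```

Review each hit before committing: a filter term may use reject on purpose (for instance to return ICMP unreachables to a management network), and the change is only right where a silent drop is acceptable. Feed the script the real `show configuration | display set` output rather than the constructed sample.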



  • 7.  RE: DDOS violation logs on Router reboot

    Posted 07-28-2022 13:30
    Thanks Olivier. This will be helpful.

    ------------------------------
    Nitz
    ------------------------------