Interpretation of the DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated message

This article focuses on one type of message shown in /var/log/messages (show log messages) and how to interpret it. This type of message is generated by the DDoS protection feature, which is supported on MX Series routers that have only MPCs installed, or on T4000 routers that have only FPC5s installed.

The customer might see a message similar to the one in the title when DDoS protection is enabled for MPC/Type-5 FPCs.

Before concluding that the router is being attacked by someone, check whether additional logs appear in show log messages just before the DDoS messages.

For example, the following sequence may appear:

1. RSVP goes down.

2. BFD goes down; hence the IGP will also go down.

3. DDoS messages show up.

Upon analysis of the above logs, we can confirm that the DDoS violation messages are a consequence of the BFD/OSPF adjacency flaps. Since there is no longer a route for the transit traffic, the DDoS "Reject" counters increment. This is because, by default, on Juniper routers, if there is no route for a particular destination, the PFE is programmed with a "Reject" next hop, which means the traffic is sent towards the Routing Engine for further processing.
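The triage step described above (look for control-plane events just before the DDoS messages before calling it an attack) can be automated. The script below is an added example written for this article, not Juniper code; it correlates DDOS_PROTOCOL_VIOLATION_SET lines with RSVP/BFD/OSPF/IS-IS down events in a look-back window. The log lines, hostname, syslog tag names (RPD_RSVP_NBRDOWN, BFDD_TRAP_SHOP_STATE_DOWN, RPD_OSPF_NBRDOWN, ISIS_ADJDOWN) and the assumed year are constructed for illustration; adjust the regexes to the tags actually present in your own show log messages output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in Junos syslog style. Hostname, PIDs, timestamps
# and tag names are assumptions for illustration, not taken from the article.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx480 rpd[1234]: RPD_RSVP_NBRDOWN: RSVP neighbor 10.0.0.2 down on interface xe-0/0/0.0
Mar  3 10:15:02 mx480 bfdd[1300]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 10, new state: down, interface: xe-0/0/0.0
Mar  3 10:15:02 mx480 rpd[1234]: RPD_OSPF_NBRDOWN: OSPF neighbor 10.0.0.2 (realm ospf-v2 xe-0/0/0.0 area 0.0.0.0) state changed from Full to Down
Mar  3 10:15:07 mx480 jddosd[1500]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 0 for 1 times, started at 2024-03-03 10:15:06 UTC
Mar  3 12:40:30 mx480 jddosd[1500]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 2 times, started at 2024-03-03 12:40:29 UTC
"""

# "Mon DD HH:MM:SS host process[pid]: message" (pid is optional).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Control-plane events that remove routes and therefore can precede a
# Reject:aggregate violation (tag names assumed; extend as needed).
PRECURSOR_RE = re.compile(r"RSVP_NBRDOWN|BFDD_TRAP_SHOP_STATE_DOWN|OSPF_NBRDOWN|ISIS_ADJDOWN")
DDOS_RE = re.compile(r"DDOS_PROTOCOL_VIOLATION_SET")


def parse_log(text, year=2024):
    """Parse syslog-style lines into dicts with a datetime; syslog lines carry
    no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "proc": m["proc"], "msg": m["msg"]})
    return events


def correlate(text, window_seconds=60):
    """For each DDoS violation message, collect precursor events that occurred
    within window_seconds before it and record a triage verdict."""
    events = parse_log(text)
    window = timedelta(seconds=window_seconds)
    findings = []
    for ev in events:
        if not DDOS_RE.search(ev["msg"]):
            continue
        preceding = [
            p["msg"] for p in events
            if ev["time"] - window <= p["time"] <= ev["time"] and PRECURSOR_RE.search(p["msg"])
        ]
        verdict = ("consequence of adjacency flap" if preceding
                   else "no preceding control-plane event; investigate")
        findings.append({"time": ev["time"], "msg": ev["msg"],
                         "preceding": preceding, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['time']:%H:%M:%S}  {f['verdict']}")
        for p in f["preceding"]:
            print(f"    preceded by: {p}")
```

The first violation is flagged as a consequence of the RSVP/BFD/OSPF flaps three to six seconds earlier; the second has no precursor in the window and is the one that deserves a closer look. Tune window_seconds to how long your IGP takes to reconverge, since the reject traffic only stops once routes are reinstalled.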

To reduce the reject traffic, the customer must configure a default discard route, or a default gateway, for both IPv4 and IPv6 if one is missing from the router.

About the author

Prasanna
