This article focuses on one type of message shown in /var/log/messages (show log messages) and on how to interpret it. This type of message is generated by the DDoS protection feature, which is supported on MX Series routers that have only MPCs installed, or on T4000 routers that have only FPC5s installed.
The customer might see a message similar to the following when DDoS protection is enabled on MPC/Type 5 FPC line cards.
Nov 10 13:11:28.436 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 4 for 21 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST
Nov 10 13:11:29.435 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 3 for 13 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST
Before concluding that the router is being attacked, check whether additional messages appear in show log messages just before the DDoS messages.
For example:
RSVP goes down
Nov 10 13:11:26.096 Router-RE0 rpd[2377]: RPD_RSVP_BYPASS_DOWN: RSVP bypass Bypass->10.63.1.90->10.63.243.66 for protecting interface ae2.0 went down, reason: RSVP session down
Nov 10 13:11:26.115 Router-RE0 rpd[2377]: RPD_RSVP_BYPASS_DOWN: RSVP bypass Bypass->10.63.240.14 for protecting interface xe-3/0/6.0 went down, reason: RSVP session down
Nov 10 13:11:26.281 Router-RE0 rpd[2377]: RPD_RSVP_BYPASS_DOWN: RSVP bypass Bypass->10.63.240.74 for protecting interface xe-3/0/7.0 went down, reason: RSVP session down
BFD goes down; hence the IGP adjacency will also go down.
Nov 10 13:11:28.118 Router-RE0 bfdd[2326]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 29, new state: down, interface: xe-4/1/6.0, peer addr: 10.63.240.38
Nov 10 13:11:28.118 Router-RE0 bfdd[2326]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 27, new state: down, interface: xe-4/0/7.0, peer addr: 10.63.240.26
DDoS messages appear
Nov 10 13:11:28.436 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 4 for 21 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST
Nov 10 13:11:29.435 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 3 for 13 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST
Analysis of the above logs confirms that the DDoS violation messages are a consequence of the BFD/OSPF adjacency flaps. With the adjacencies down there is no route for the transit traffic, so the DDoS "reject" counters increment. By default on Juniper routers, when there is no route for a destination, the PFE is programmed with a "reject" next hop, which sends the traffic to the Routing Engine for further processing.
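The correlation described above (look for routing-state messages shortly before each DDOS_PROTOCOL_VIOLATION_SET) can be scripted so that an operator does not have to eyeball the log by hand. The following Python script is an added example, not part of the original article or of any Juniper tool: it parses syslog lines of the format shown above, extracts each Reject:aggregate violation, and labels it "routing-flap" when an RSVP bypass, BFD session, or OSPF neighbour down message occurred in the preceding 30 seconds, or "no-precursor" otherwise. The first four sample lines are copied from the article; the fifth is constructed to show a violation with no routing event before it. RPD_OSPF_NBRDOWN is a real Junos tag added for OSPF adjacency loss, which the article mentions but does not show a log line for; the 30-second window is an assumption to tune for your environment.

```python
import re
from datetime import datetime, timedelta

# Syslog tags treated as routing-state precursors of a reject-traffic spike.
# The first two appear in the article; RPD_OSPF_NBRDOWN is added for OSPF adjacency loss.
ROUTING_DOWN_TAGS = {"RPD_RSVP_BYPASS_DOWN", "BFDD_TRAP_SHOP_STATE_DOWN", "RPD_OSPF_NBRDOWN"}

# "Nov 10 13:11:28.436 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<host>\S+)\s+(?P<proc>\w+)\[(?P<pid>\d+)\]:\s+(?P<tag>\w+):\s+(?P<msg>.*)$"
)
VIOLATION_RE = re.compile(
    r"Protocol (?P<proto>\S+) is violated at fpc (?P<fpc>\d+) for (?P<count>\d+) times"
)

# Constructed sample input: lines 1-4 are from the article, line 5 is made up to
# show a violation with no routing event in the window before it.
SAMPLE_LOG = """\
Nov 10 13:11:26.096 Router-RE0 rpd[2377]: RPD_RSVP_BYPASS_DOWN: RSVP bypass Bypass->10.63.1.90->10.63.243.66 for protecting interface ae2.0 went down, reason: RSVP session down
Nov 10 13:11:28.118 Router-RE0 bfdd[2326]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 29, new state: down, interface: xe-4/1/6.0, peer addr: 10.63.240.38
Nov 10 13:11:28.436 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 4 for 21 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST
Nov 10 13:11:29.435 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 3 for 13 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST
Nov 10 14:05:02.001 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 5000 times, started at 2013-06-14 11:00:00 GST, last seen at 2013-06-14 11:00:01 GST
"""


def parse_timestamp(ts: str) -> datetime:
    """Parse a Junos syslog timestamp. There is no year; only deltas matter here."""
    ts = re.sub(r"\s+", " ", ts)  # "Nov  3" -> "Nov 3"
    for fmt in ("%b %d %H:%M:%S.%f", "%b %d %H:%M:%S"):
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {ts!r}")


def parse_log(text: str) -> list:
    """Return one dict per recognised syslog line; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({"time": parse_timestamp(m["ts"]), "tag": m["tag"], "msg": m["msg"]})
    return events


def triage(text: str, window_seconds: int = 30) -> list:
    """Label each DDoS violation by whether a routing-down event preceded it."""
    events = parse_log(text)
    window = timedelta(seconds=window_seconds)
    findings = []
    for ev in events:
        if ev["tag"] != "DDOS_PROTOCOL_VIOLATION_SET":
            continue
        v = VIOLATION_RE.search(ev["msg"])
        if not v:
            continue
        # Routing-state messages inside [t - window, t], deduplicated, in log order.
        precursors = list(dict.fromkeys(
            p["tag"] for p in events
            if p["tag"] in ROUTING_DOWN_TAGS and ev["time"] - window <= p["time"] <= ev["time"]
        ))
        findings.append({
            "time": ev["time"].strftime("%b %d %H:%M:%S"),
            "protocol": v["proto"],
            "fpc": int(v["fpc"]),
            "count": int(v["count"]),
            "precursors": precursors,
            "verdict": "routing-flap" if precursors else "no-precursor",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} fpc{f['fpc']} {f['protocol']} x{f['count']}: "
              f"{f['verdict']} {f['precursors']}")
```

Run it against a saved copy of show log messages (or pipe the output in) and treat "routing-flap" findings as the case this article describes. A "no-precursor" finding is the one worth a closer look: confirm that the reject counters are still rising (show ddos-protection protocols reject statistics) and that a default route exists before assuming the traffic is hostile.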
To reduce the reject traffic, the customer must configure a default discard route, or a default gateway, for both IPv4 and IPv6 if one is missing from the router.