
Interpretation of DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated message

May 16, 2016 by Marques Brownlee

This article focuses on one type of message that appears in /var/log/messages (show log messages) and explains how to interpret it. The message is generated by the DDoS protection feature, which is supported on MX Series routers that have only MPCs installed, or on T4000 routers that have only FPC5s installed.

The customer might see a message similar to the following when DDoS protection is enabled for MPC/Type-5 FPCs.

Nov 10 13:11:28.436 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 4 for 21 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST
Nov 10 13:11:29.435 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 3 for 13 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST

Before concluding that the router is under attack, check whether additional log entries appear in show log messages just before the DDoS messages.

For example:

RSVP goes down

Nov 10 13:11:26.096 Router-RE0 rpd[2377]: RPD_RSVP_BYPASS_DOWN: RSVP bypass Bypass->10.63.1.90->10.63.243.66 for protecting interface ae2.0 went down, reason: RSVP session down
Nov 10 13:11:26.115 Router-RE0 rpd[2377]: RPD_RSVP_BYPASS_DOWN: RSVP bypass Bypass->10.63.240.14 for protecting interface xe-3/0/6.0 went down, reason: RSVP session down
Nov 10 13:11:26.281 Router-RE0 rpd[2377]: RPD_RSVP_BYPASS_DOWN: RSVP bypass Bypass->10.63.240.74 for protecting interface xe-3/0/7.0 went down, reason: RSVP session down

BFD goes down, and hence the IGP adjacency goes down as well.

Nov 10 13:11:28.118 Router-RE0 bfdd[2326]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 29, new state: down, interface: xe-4/1/6.0, peer addr: 10.63.240.38
Nov 10 13:11:28.118 Router-RE0 bfdd[2326]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 27, new state: down, interface: xe-4/0/7.0, peer addr: 10.63.240.26

The DDoS messages then show up

Nov 10 13:11:28.436 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 4 for 21 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST
Nov 10 13:11:29.435 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 3 for 13 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST

From the above logs we can confirm that the DDoS violation messages are a consequence of the BFD/OSPF adjacency flaps. With the adjacencies down there is no route for the transit traffic, so the Reject counters increment. This is because, by default on Juniper routers, when there is no route for a particular destination the PFE is programmed with a Reject next hop, which means the traffic is sent to the Routing Engine for further processing.

To reduce the Reject traffic, the customer must configure a default discard route, or configure a default gateway if one is missing from the router, for both IPv4 and IPv6.
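One way to automate the correlation described above, as an added Python example that is not part of the original article: it parses syslog lines of the form shown, keeps the timestamps of RSVP bypass and BFD session-down events, and flags each DDOS_PROTOCOL_VIOLATION_SET line as a probable routing-flap consequence when such an event occurred within an assumed 10-second look-back window, or as needing investigation otherwise. The sample lines are constructed from the messages quoted above, with one extra violation appended that has no preceding flap.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the messages quoted in the article; the last
# line is an added violation with no flap before it (not a real capture).
SAMPLE_LOG = """\
Nov 10 13:11:26.096 Router-RE0 rpd[2377]: RPD_RSVP_BYPASS_DOWN: RSVP bypass Bypass->10.63.240.14 for protecting interface xe-3/0/6.0 went down, reason: RSVP session down
Nov 10 13:11:28.118 Router-RE0 bfdd[2326]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 29, new state: down, interface: xe-4/1/6.0, peer addr: 10.63.240.38
Nov 10 13:11:28.436 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 4 for 21 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST
Nov 10 13:11:29.435 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 3 for 13 times, started at 2013-06-14 10:03:06 GST, last seen at 2013-06-14 10:03:06 GST
Nov 10 14:02:10.001 Router-RE0 jddosd[2400]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 4 for 500 times, started at 2013-06-14 11:00:00 GST, last seen at 2013-06-14 11:00:00 GST
"""
# Syslog prefix: "Mon DD HH:MM:SS.mmm host daemon[pid]: EVENT_NAME: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \S+ \w+\[\d+\]: (?P<event>[A-Z_]+):"
)
DDOS_RE = re.compile(r"Protocol (?P<proto>\S+) is violated at fpc (?P<fpc>\d+) for (?P<count>\d+) times")
# Events meaning a BFD/RSVP session dropped, so routes may have disappeared.
FLAP_EVENTS = {"RPD_RSVP_BYPASS_DOWN", "BFDD_TRAP_SHOP_STATE_DOWN"}
WINDOW = timedelta(seconds=10)  # assumed look-back window; tune for your network

def parse_ts(ts):
    # Syslog lines carry no year; strptime defaults to 1900, fine for deltas.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")

def classify(log_text, window=WINDOW):
    """Return one record per DDOS_PROTOCOL_VIOLATION_SET line, with a verdict."""
    flaps, results = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event = parse_ts(m["ts"]), m["event"]
        if event in FLAP_EVENTS:
            flaps.append(ts)
        elif event == "DDOS_PROTOCOL_VIOLATION_SET":
            d = DDOS_RE.search(line)
            if not d:
                continue
            preceding = [f for f in flaps if timedelta(0) <= ts - f <= window]
            verdict = ("likely routing flap: Reject traffic punted to RE" if preceding
                       else "no preceding flap: investigate as possible attack")
            results.append({"time": m["ts"], "proto": d["proto"], "fpc": int(d["fpc"]),
                            "count": int(d["count"]), "flaps_before": len(preceding),
                            "verdict": verdict})
    return results

if __name__ == "__main__":
    for r in classify(SAMPLE_LOG):
        print(f'{r["time"]} fpc{r["fpc"]} {r["proto"]} x{r["count"]}: {r["verdict"]}')
```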
