Config Router

You are here: Home / Juniper / Log messages indicate sampling violation even when sampling is not configured on the router

Log messages indicate sampling violation even when sampling is not configured on the router

by

The following log messages are seen:

test1[1000]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 92 times, started at 2013-09-12 14:36:46 EDT, last seen at 2013-09-12 14:36:46 EDT

even though sampling is not configured on the router.

This is not a DDOS attack, and it does not indicate an error condition.

The following log messages are seen:

test1[1000]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Sample:pfe is violated at fpc 0 for 92 times, started at 2013-09-12 14:36:46 EDT, last seen at 2013-09-12 14:36:46 EDT

even though sampling is not configured on the router.

If then log, then syslog or then sample is configured in a firewall filter, and the rate of logged or sampled packets is above thedistributed denial-of-service (DDoS threshold), then these logs are seen.

This is not a DDOS attack, and it does not indicate an error condition.

The DDOS threshold for this packet type can be raised if desired.
http://www.juniper.net/techpubs/en_US/junos/topics/task/configuration/subscriber-management-ddos-packet.html

This output will show the currently configured thresholds:

show ddos-protection protocols parameters brief | match sample

Here are the column headers and default values:

lab@mx1> show ddos-protection protocols parameters brief      
Packet types: 192, Modified: 0
* = User configured value

Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
(snip)

lab@Wicket> show ddos-protection protocols parameters brief | match sample 
sample      aggregate   1000      1000   --       300       yes      --     no 
sample      syslog      1000      1000   Medium   300       yes       no    no 
sample      host        1000      1000   Medium   300       yes       no    no 
sample      pfe         1000      1000   Medium   300       yes       no    no 
sample      tap         1000      1000   Medium   300       yes       no    no

This output has more detailed output:

lab@BigHunk-re0> show ddos-protection protocols sample ?
Possible completions:
  <[Enter]>            Execute this command
  |                    Pipe through a command
  parameters           Show Sample protocol parameters
  statistics           Show Sample statistics and states
  violations           Show Sample traffic violations
  aggregate            Show aggregate for all sampled traffic information
  syslog               Show Syslog sample traffic information
  host                 Show Host sample traffic information
  pfe                  Show PFE sample traffic information
  tap                  Show Tap sample traffic information

lab@BigHunk-re0> show ddos-protection protocols sample pfe 
Protocol Group: Sample

  Packet type: pfe (PFE sample traffic)
    Individual policer configuration:
      Bandwidth:        10000 pps
      Burst:            10000 packets
      Priority:         medium
      Recover time:     300 seconds
      Enabled:          Yes
      Bypass aggregate: No
    System-wide information:
      Bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 10000 pps, Burst: 10000 packets, enabled
      Policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by aggregate policer: 0