DDOS_PROTOCOL_VIOLATION_SET warning
All of a sudden things may start to go wrong in your Juniper switches, and when you examine the logs you see the following:
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception ARP:aggregate exceeded its allowed bandwidth at fpc 0 for 8 times
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1 times
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception Firewall-Host:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception NDPv6:aggregate exceeded its allowed bandwidth at fpc 0 for 4 times
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception IGMP:aggregate exceeded its allowed bandwidth at fpc 0 for 4 times
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception DHCPv4v6:aggregate exceeded its allowed bandwidth at fpc 0 for 1 times
What would you do? This is a bit of a challenging issue, but in most of the cases I have experienced it was a loop or extreme traffic. To get a bit more information you can take a look at the following ARP DDoS counters. If you dig down a little you will see that the rate maxed out at almost a million pps, which is quite extreme. These log counters are just symptoms, telling us that something is way off in our network. In this particular case there was a loop, and I needed to find its source by following the method I explained at https://rtodto.net/layer-2-loop-troubleshoothing/. The monitor interface traffic command is quite useful for spotting the source of such loops, particularly its input counters. The output counters are misleading because the packets entering the switch are flooded out of many ports.
Let me know if you had such an issue and how you resolved it!
root> show ddos-protection protocols arp
Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 0
Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: ARP
Packet type: aggregate (Aggregate for all arp traffic)
Aggregate policer configuration:
Bandwidth: 500 pps
Burst: 200 packets
Recover time: 300 seconds
Enabled: Yes
Flow detection configuration:
Detection mode: Automatic Detect time: 0 seconds
Log flows: Yes Recover time: 0 seconds
Timeout flows: No Timeout time: 0 seconds
Flow aggregation level configuration:
Aggregation level Detection mode Control mode Flow rate
Subscriber Automatic Drop 0 pps
Logical interface Automatic Drop 0 pps
Physical interface Automatic Drop 500 pps
System-wide information:
Aggregate bandwidth is no longer being violated
No. of FPCs that have received excess traffic: 1
Last violation started at: 2022-05-01 15:51:45 CEST
Last violation ended at: 2022-05-01 16:57:06 CEST
Duration of last violation: 01:05:21 Number of violations: 8
Received: 474519764 Arrival rate: 7 pps
Dropped: 179518380 Max arrival rate: 991806 pps
Routing Engine information:
Bandwidth: 500 pps, Burst: 200 packets, enabled
Aggregate policer is never violated
Received: 0 Arrival rate: 0 pps
Dropped: 0 Max arrival rate: 0 pps
Dropped by individual policers: 0
FPC slot 0 information:
Bandwidth: 100% (500 pps), Burst: 100% (200 packets), enabled
Aggregate policer is no longer being violated
Last violation started at: 2022-05-01 15:51:45 CEST <--
Last violation ended at: 2022-05-01 16:57:06 CEST <--
Duration of last violation: 01:05:21 Number of violations: 8
Received: 474519764 Arrival rate: 7 pps
Dropped: 179518380 Max arrival rate: 991806 pps <--
Dropped by individual policers: 0
Dropped by aggregate policer: 179518380
Dropped by flow suppression: 0
Flow counts:
Aggregation level Current Total detected State
Subscriber 0 0 Active
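As an added example (not from the original post), the following Python turns the two pieces of evidence above into a quick triage: it parses the DDOS_PROTOCOL_VIOLATION_SET syslog lines to see how many host-bound protocol groups tripped on the same FPC, and pulls the configured policer bandwidth and the peak "Max arrival rate" out of the show ddos-protection output to compute how far over the policer the peak went. The sample log lines and counter excerpt are taken from this page; the unrelated sshd line is constructed to show that other syslog entries are ignored.

```python
import re

# Matches the jddosd message quoted above; spaces after the colons are optional so it also accepts live Junos spacing.
VIOLATION_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET:\s*Warning:\s*Host-bound traffic for "
    r"protocol/exception\s+(?P<proto>[^:\s]+):(?P<ptype>\S+)\s+exceeded its "
    r"allowed bandwidth at fpc\s+(?P<fpc>\d+)\s+for\s+(?P<count>\d+)\s+times"
)

def parse_violations(log_lines):
    """Map (protocol group, fpc) -> highest violation count seen; other lines are ignored."""
    hits = {}
    for line in log_lines:
        m = VIOLATION_RE.search(line)
        if m:
            key = (m["proto"], int(m["fpc"]))
            hits[key] = max(hits.get(key, 0), int(m["count"]))
    return hits

def protocols_per_fpc(hits):
    """Group tripped protocol groups by FPC: many at once on one FPC is the loop/flood signature."""
    by_fpc = {}
    for proto, fpc in hits:
        by_fpc.setdefault(fpc, set()).add(proto)
    return by_fpc

def parse_policer(show_output):
    """Configured policer bandwidth and worst 'Max arrival rate' found in the show output."""
    bw = re.search(r"Bandwidth:\s*(\d+)\s*pps", show_output)
    rates = re.findall(r"Max arrival rate:\s*(\d+)\s*pps", show_output)
    return int(bw.group(1)), max((int(r) for r in rates), default=0)

def overshoot_factor(show_output):
    """Peak rate divided by the policer rate; a loop lands in the thousands."""
    bw, peak = parse_policer(show_output)
    return peak / bw

# Constructed sample input: two syslog lines from the page, one unrelated line, and an excerpt of the ARP counters.
SAMPLE_LOGS = [
    "jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception ARP:aggregate exceeded its allowed bandwidth at fpc 0 for 8 times",
    "jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception Firewall-Host:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times",
    "sshd[4242]: Accepted publickey for admin from 192.0.2.10",
]
SAMPLE_SHOW = """Bandwidth: 500 pps
Dropped: 0 Max arrival rate: 0 pps
FPC slot 0 information:
Dropped: 179518380 Max arrival rate: 991806 pps
"""
```

On the page's data this reports ARP and Firewall-Host both tripping on FPC 0 and an ARP peak roughly 1984 times the 500 pps policer, which is the "something is way off" signal the post describes.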