DDOS_PROTOCOL_VIOLATION_SET warning

All of a sudden things may start go wrong in your juniper switches and when you examine the logs you see the followings;

jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception ARP:aggregate exceeded its allowed bandwidth at fpc 0 for 8 times
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception IPMC-reserved:aggregate exceeded its allowed bandwidth at fpc 0 for 1 times
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception Firewall-Host:aggregate exceeded its allowed bandwidth at fpc 0 for 30 times
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception NDPv6:aggregate exceeded its allowed bandwidth at fpc 0 for 4 times
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception IGMP:aggregate exceeded its allowed bandwidth at fpc 0 for 4 times
jddosd[1885]:DDOS_PROTOCOL_VIOLATION_SET:Warning:Host-bound traffic for protocol/exception DHCPv4v6:aggregate exceeded its allowed bandwidth at fpc 0 for 1 times

What would you do? This is a bit of a challenging issue but in most of the cases I have experienced a loop or extreme traffic. To get a bit of more information you can take a look into the following arp ddos counters. If you dig down a little bit you see that you maxed almost a million pps which is quite extreme. These logs counters are just symptoms and trying to tell us that something is way off in our network. In this particular case, there was a loop which I needed to find the source by following the method I explained at https://rtodto.net/layer-2-loop-troubleshoothing/. Monitor interface traffic command is quite useful in spotting these sort of loop source particularly the input counter. Output counters in the output is misleading because wherever the packets are entering are being flooded to many ports.

Let me know if you had such an issue and how you resolved it!

root> show ddos-protection protocols arp  
Packet types: 1, Modified: 0, Received traffic: 1, Currently violated: 0
Currently tracked flows: 0, Total detected flows: 0
* = User configured value

Protocol Group: ARP

  Packet type: aggregate (Aggregate for all arp traffic)
    Aggregate policer configuration:
      Bandwidth:        500 pps
      Burst:            200 packets
      Recover time:     300 seconds
      Enabled:          Yes
    Flow detection configuration:
      Detection mode: Automatic  Detect time:  0 seconds
      Log flows:      Yes        Recover time: 0 seconds
      Timeout flows:  No         Timeout time: 0 seconds
      Flow aggregation level configuration:
        Aggregation level   Detection mode  Control mode  Flow rate
        Subscriber          Automatic       Drop          0  pps
        Logical interface   Automatic       Drop          0  pps
        Physical interface  Automatic       Drop          500 pps
    System-wide information:
      Aggregate bandwidth is no longer being violated
        No. of FPCs that have received excess traffic: 1
        Last violation started at: 2022-05-01 15:51:45 CEST
        Last violation ended at:   2022-05-01 16:57:06 CEST
        Duration of last violation: 01:05:21 Number of violations: 8
      Received:  474519764          Arrival rate:     7 pps
      Dropped:   179518380          Max arrival rate: 991806 pps
    Routing Engine information:
      Bandwidth: 500 pps, Burst: 200 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
    FPC slot 0 information:
      Bandwidth: 100% (500 pps), Burst: 100% (200 packets), enabled
      Aggregate policer is no longer being violated
        Last violation started at: 2022-05-01 15:51:45 CEST <--
        Last violation ended at:   2022-05-01 16:57:06 CEST <--
        Duration of last violation: 01:05:21 Number of violations: 8
      Received:  474519764          Arrival rate:     7 pps
      Dropped:   179518380          Max arrival rate: 991806 pps <--
        Dropped by individual policers: 0
        Dropped by aggregate policer:   179518380
        Dropped by flow suppression:    0
      Flow counts:
        Aggregation level     Current       Total detected   State
        Subscriber            0             0                Active

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


You have a feedback?

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading