Re: [j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?
If you are absolutely certain you are not providing DHCP you could always set the punt rate to 1 and disable logging. Beware, this can be an awfully sharp sword. Ask me how I know!

system {
    ddos-protection {
        protocols {
            {$protocol} {
                aggregate {
                    bandwidth 1;
                    burst 1;
                    flow-level-detection {
                        subscriber off;
                        logical-interface off;
                    }
                    no-flow-logging;
                }
            }
        }
    }
}

-Michael

> -----Original Message-----
> From: juniper-nsp On Behalf Of Mike
> Sent: Tuesday, May 5, 2020 1:32 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?
Hello,

2 possibilities:

1/ Your MX240 loopback filter does not block udp/67

2/ You have DHCP traceoptions configured - it starts the jdhcpd process even if there is no other DHCP config:

set system processes dhcp-service traceoptions blah-blah

Thanks
Alex

------ Original Message ------
From: "Mike"
To: juniper-nsp@puck.nether.net
Sent: 05/05/2020 19:31:49
Subject: [j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?
Hey Mike,

> May 4 20:47:38 jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_SET:
> Warning: Host-bound traffic for protocol/exception DHCPv4:bad-packets
> exceeded its allowed bandwidth at fpc 1 for 417 times, started at
> 2020-05-04 20:47:37 PDT

> I almost want to say that, despite config, the router is in fact
> keying into relayed dhcp traffic for some reason. Wondering how I would
> go about more properly diagnosing this problem?

Is it not possible these are DADDR 255.255.255.255, which would be punted and with specific content could hit DHCPv4:bad-packets?

You can run 'monitor traffic' on the device to try to catch what is being punted. But you need to figure out which interface in FPC1.

--
  ++ytti
[j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?
Hello,

On my MX240, I occasionally get log messages of this type:

May 4 20:47:38 jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception DHCPv4:bad-packets exceeded its allowed bandwidth at fpc 1 for 417 times, started at 2020-05-04 20:47:37 PDT

May 4 20:52:55 jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception DHCPv4:bad-packets has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 417 times, from 2020-05-04 20:47:37 PDT to 2020-05-04 20:47:50 PDT

I have looked at my config, and I am positively not providing dhcp service of any kind, have no dhcp relay service on the router configured, and simply fail to see how or why these messages are being triggered. I do have some virtual hosts that are acting as dhcp servers for relayed dhcp traffic, but at the point my router sees this traffic it's only udp port 67 traffic being forwarded to these servers from my far away dhcp clients.

I almost want to say that, despite config, the router is in fact keying into relayed dhcp traffic for some reason. Wondering how I would go about more properly diagnosing this problem?

Thank you.
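As an added example (not code from anyone in this thread), a small Python parser for the jddosd DDOS_PROTOCOL_VIOLATION_SET / _CLEAR messages quoted above: it pairs SET and CLEAR events per protocol/exception/FPC, works out each violation window's length and average hit rate, and reports SET events that never cleared, which is the triage you want before deciding whether the punt rate is genuinely wrong or something behind that FPC is sending malformed DHCP. The regex fields are assumptions derived from the wording of the two log lines in the original post, which also serve as the constructed sample input.

```python
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"

# Patterns for the two jddosd message types quoted in the thread (SET / CLEAR).
SET_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: .*?protocol/exception (?P<proto>[^:\s]+):(?P<exc>\S+)"
    r" exceeded its allowed bandwidth at fpc (?P<fpc>\d+) for (?P<count>\d+) times,"
    rf" started at (?P<start>{TS})")
CLEAR_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_CLEAR: .*?protocol/exception (?P<proto>[^:\s]+):(?P<exc>\S+)"
    r" has returned to normal.*? at fpc (?P<fpc>\d+) for (?P<count>\d+) times,"
    rf" from (?P<start>{TS}) \S+ to (?P<end>{TS})")

# Constructed sample input: the two log lines quoted in the original post.
SAMPLE_LOG = """\
May 4 20:47:38 jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception DHCPv4:bad-packets exceeded its allowed bandwidth at fpc 1 for 417 times, started at 2020-05-04 20:47:37 PDT
May 4 20:52:55 jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception DHCPv4:bad-packets has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 417 times, from 2020-05-04 20:47:37 PDT to 2020-05-04 20:47:50 PDT
"""


def parse_violations(text):
    """Pair SET and CLEAR lines by (protocol, exception, fpc).

    Returns (episodes, still_open): closed windows with hit count, length and
    average hit rate, plus SET events that never saw a CLEAR (still ongoing).
    """
    still_open, episodes = {}, []
    for line in text.splitlines():
        m = SET_RE.search(line)
        if m:
            still_open[(m["proto"], m["exc"], int(m["fpc"]))] = m["start"]
            continue
        m = CLEAR_RE.search(line)
        if not m:
            continue
        key = (m["proto"], m["exc"], int(m["fpc"]))
        still_open.pop(key, None)  # CLEAR closes the matching SET, if one was seen
        start = datetime.strptime(m["start"], TS_FMT)
        end = datetime.strptime(m["end"], TS_FMT)
        seconds = max(int((end - start).total_seconds()), 1)  # avoid /0 on a 0 s window
        hits = int(m["count"])
        episodes.append({"protocol": key[0], "exception": key[1], "fpc": key[2],
                         "hits": hits, "seconds": seconds,
                         "hits_per_s": round(hits / seconds, 1)})
    return episodes, still_open
```

Feed it `show log messages | match jddosd` output (or the syslog collector's copy) to see which protocol/exception/FPC combinations recur and which violations are still open; a repeated short window on one FPC is the cue to run 'monitor traffic' there, as suggested above.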