Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
* Brendan Mannella bmanne...@teraswitch.com [2014-12-10 23:18]: Just wondering if anyone has ever seen these DDOS messages before and what i should be looking at to resolve. Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST If you have firewall filters, try to change reject actions to discard. The router is flooded with packets for which he is configured to send a TCP Reset or ICMP error message back. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
On (2014-12-10 22:20 -0500), Chris Morrow wrote: Hey, ick, that ddos protection stuff in JunOS is broken...you should just disable it: Perhaps, but it's the only way to protect the control-plane from many attack vectors. -- ++ytti ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
On Wed, Dec 10, 2014 at 05:16:25PM -0500, Brendan Mannella wrote: Just wondering if anyone has ever seen these DDOS messages before and what i should be looking at to resolve. Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST What version of Junos? I notice a lot fewer of these on 13.3 than I did on 11.4. In my case, I believe most of them were caused by unknown DHCP packet types. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Just wondering if anyone has ever seen these DDOS messages before and what i should be looking at to resolve. Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001 Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001 Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
You can find more information running show ddos-protection protocols violations. 2014-12-10 20:16 GMT-02:00 Brendan Mannella bmanne...@teraswitch.com: Just wondering if anyone has ever seen these DDOS messages before and what i should be looking at to resolve. Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001 Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001 Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- Eduardo Schoedler ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Hi, Make sure that you have a discard next-hop instead of default reject in your aggregate routes. That should help. Regards, Wojciech 2014-12-10 23:16 GMT+01:00 Brendan Mannella bmanne...@teraswitch.com: Just wondering if anyone has ever seen these DDOS messages before and what i should be looking at to resolve. Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001 Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001 Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Can you put an exame of this configuration Janiszewski?! Enviado via iPhone Grupo Connectoway Em 10/12/2014, às 23:54, Wojciech Janiszewski wojciech.janiszew...@gmail.com escreveu: Hi, Make sure that you have a discard next-hop instead of default reject in your aggregate routes. That should help. Regards, Wojciech 2014-12-10 23:16 GMT+01:00 Brendan Mannella bmanne...@teraswitch.com: Just wondering if anyone has ever seen these DDOS messages before and what i should be looking at to resolve. Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001 Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001 Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Hi Rodrigo, It is as simple as set routing-options aggregate route destination discard Regards, Wojciech 2014-12-11 4:22 GMT+01:00 Rodrigo 1telecom rodr...@1telecom.com.br: Can you put an exame of this configuration Janiszewski?! Enviado via iPhone Grupo Connectoway Em 10/12/2014, às 23:54, Wojciech Janiszewski wojciech.janiszew...@gmail.com escreveu: Hi, Make sure that you have a discard next-hop instead of default reject in your aggregate routes. That should help. Regards, Wojciech 2014-12-10 23:16 GMT+01:00 Brendan Mannella bmanne...@teraswitch.com: Just wondering if anyone has ever seen these DDOS messages before and what i should be looking at to resolve. Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001 Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001 Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
Hi,
Make sure that you have a discard next-hop instead of default reject in
your aggregate routes.
That should help.
ick, that ddos protection stuff in JunOS is broken...you should just
disable it:
system {
ddos-protection {
global {
disable-routing-engine;
disable-fpc;
disable-logging;
}
}
}
2014-12-10 23:16 GMT+01:00 Brendan Mannella bmanne...@teraswitch.com:
Just wondering if anyone has ever seen these DDOS messages before and
what i should be looking at to resolve.
Dec 10 11:10:24 re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23
EST to 2014-12-10 11:05:23 EST
Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol Reject:aggregate is violated at fpc 1 for 932 times, started
at 2014-12-10 11:23:43 EST
Dec 10 11:28:49 re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43
EST to 2014-12-10 11:23:43 EST
Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol Reject:aggregate is violated at fpc 1 for 933 times, started
at 2014-12-10 15:01:33 EST
Dec 10 15:06:34 re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33
EST to 2014-12-10 15:01:33 EST
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Chris
The best option is to disable the feature ?
And about to configure it ?
If you have a protect-re firewall filter applied in loopback ... Can this be
done ?
Is it safe ?
Some documents from juniper showing the best way ?
And about to disable the process ?
Thanks a lot
Sent from my iPhone
On Dec 11, 2014, at 01:20, Chris Morrow morr...@ops-netman.net wrote:
On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
Hi,
Make sure that you have a discard next-hop instead of default reject in
your aggregate routes.
That should help.
ick, that ddos protection stuff in JunOS is broken...you should just
disable it:
system {
ddos-protection {
global {
disable-routing-engine;
disable-fpc;
disable-logging;
}
}
}
2014-12-10 23:16 GMT+01:00 Brendan Mannella bmanne...@teraswitch.com:
Just wondering if anyone has ever seen these DDOS messages before and
what i should be looking at to resolve.
Dec 10 11:10:24 re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23
EST to 2014-12-10 11:05:23 EST
Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol Reject:aggregate is violated at fpc 1 for 932 times, started
at 2014-12-10 11:23:43 EST
Dec 10 11:28:49 re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43
EST to 2014-12-10 11:23:43 EST
Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol Reject:aggregate is violated at fpc 1 for 933 times, started
at 2014-12-10 15:01:33 EST
Dec 10 15:06:34 re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33
EST to 2014-12-10 15:01:33 EST
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
On 12/10/2014 11:21 PM, Giuliano (WZTECH) wrote:
Chris
The best option is to disable the feature ?
I think it's the best option.. juniper tried to do something 'nice' for
you by setting some low (I think) limits on things you might actually
care to see and deal with elsewhere...
And about to configure it ?
If you have a protect-re firewall filter applied in loopback ... Can this be
done ?
all devices on the public network should have clear policies in place to
protect themselves from the rest of the world. Your juniper loopback
filter should permit the routing protocols you care about and your
management access... and everything else should be discarded. Cymru's
templates are decent for this actually.
-chris
Is it safe ?
Some documents from juniper showing the best way ?
And about to disable the process ?
Thanks a lot
Sent from my iPhone
On Dec 11, 2014, at 01:20, Chris Morrow morr...@ops-netman.net wrote:
On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
Hi,
Make sure that you have a discard next-hop instead of default reject in
your aggregate routes.
That should help.
ick, that ddos protection stuff in JunOS is broken...you should just
disable it:
system {
ddos-protection {
global {
disable-routing-engine;
disable-fpc;
disable-logging;
}
}
}
2014-12-10 23:16 GMT+01:00 Brendan Mannella bmanne...@teraswitch.com:
Just wondering if anyone has ever seen these DDOS messages before and
what i should be looking at to resolve.
Dec 10 11:10:24 re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23
EST to 2014-12-10 11:05:23 EST
Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol Reject:aggregate is violated at fpc 1 for 932 times, started
at 2014-12-10 11:23:43 EST
Dec 10 11:28:49 re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43
EST to 2014-12-10 11:23:43 EST
Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol Reject:aggregate is violated at fpc 1 for 933 times, started
at 2014-12-10 15:01:33 EST
Dec 10 15:06:34 re0.edge2 jddosd[2710]:
DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned
to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33
EST to 2014-12-10 15:01:33 EST
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
