Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
* Brendan Mannella <bmanne...@teraswitch.com> [2014-12-10 23:18]:
> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>
> Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST

If you have firewall filters, try to change reject actions to discard. The router is flooded with packets for which it is configured to send a TCP Reset or ICMP error message back.

Regards
Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
On (2014-12-10 22:20 -0500), Chris Morrow wrote:
> ick, that ddos protection stuff in JunOS is broken...you should just disable it:

Hey,

Perhaps, but it's the only way to protect the control-plane from many attack vectors.

--
++ytti
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
On Wed, Dec 10, 2014 at 05:16:25PM -0500, Brendan Mannella wrote:
> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>
> Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST

What version of Junos? I notice a lot fewer of these on 13.3 than I did on 11.4. In my case, I believe most of them were caused by unknown DHCP packet types.
[j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.

Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST
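The jddosd SET/CLEAR lines above have a fixed shape, so they can be parsed out of a syslog feed and tallied per protocol group and FPC, which is the first thing to do before deciding whether it is a reject-action flood or something else. This is an added example, not code from the thread; the sample lines are constructed to match the format Brendan posted.

```python
"""Parse Junos jddosd DDOS_PROTOCOL_VIOLATION_SET/CLEAR syslog lines and tally
them per protocol group and FPC (added example; sample lines are constructed)."""
import re

# Constructed sample, matching the format of the lines posted in the thread.
SAMPLE_LOG = """\
Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
SET_RE = re.compile(
    r"jddosd\[\d+\]: DDOS_PROTOCOL_VIOLATION_SET: Protocol (?P<proto>\S+) "
    r"is violated at fpc (?P<fpc>\d+) for (?P<count>\d+) times, "
    rf"started at (?P<start>{TS})")
CLEAR_RE = re.compile(
    r"jddosd\[\d+\]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol (?P<proto>\S+) "
    r"has returned to normal\. Violated at fpc (?P<fpc>\d+) for (?P<count>\d+) "
    rf"times, from (?P<start>{TS}) \w+ to (?P<end>{TS})")


def parse_events(text):
    """Return (kind, proto, fpc, count, start, end) per jddosd line; end is None for SET."""
    events = []
    for line in text.splitlines():
        if m := SET_RE.search(line):
            events.append(("SET", m["proto"], int(m["fpc"]), int(m["count"]), m["start"], None))
        elif m := CLEAR_RE.search(line):
            events.append(("CLEAR", m["proto"], int(m["fpc"]), int(m["count"]), m["start"], m["end"]))
    return events


def summarise(events):
    """Per (proto, fpc): how many SET events were logged, the highest 'times' value
    seen, and whether the last event left the group in violation. In the posted
    lines 'times' climbs 931, 932, 933, i.e. it is a running violation counter,
    so the rate of SET events (not the counter value) is what signals a new flood."""
    summary = {}
    for kind, proto, fpc, count, _start, _end in events:
        s = summary.setdefault((proto, fpc), {"sets": 0, "max_count": 0, "active": False})
        if kind == "SET":
            s["sets"] += 1
        s["max_count"] = max(s["max_count"], count)
        s["active"] = kind == "SET"
    return summary


if __name__ == "__main__":
    for (proto, fpc), s in summarise(parse_events(SAMPLE_LOG)).items():
        print(f"{proto} fpc{fpc}: {s['sets']} SET events, counter {s['max_count']}, active={s['active']}")
```

Feed it the output of "show log messages | match jddosd" to get the same tally for a real box, then compare against "show ddos-protection protocols violations" for the live state.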
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
You can find more information by running: show ddos-protection protocols violations

2014-12-10 20:16 GMT-02:00 Brendan Mannella <bmanne...@teraswitch.com>:
> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>
> Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
> Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
> Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
> Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
> Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
> Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
> Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST

--
Eduardo Schoedler
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Hi,

Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.

Regards,
Wojciech

2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>
> Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
> Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
> Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
> Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
> Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
> Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
> Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Can you put an example of this configuration, Janiszewski?!

Sent from my iPhone
Grupo Connectoway

On 10/12/2014, at 23:54, Wojciech Janiszewski <wojciech.janiszew...@gmail.com> wrote:
> Hi,
>
> Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.
>
> Regards,
> Wojciech
>
> 2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
>> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>>
>> Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
>> Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
>> Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
>> Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
>> Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
>> Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
>> Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Hi Rodrigo,

It is as simple as:

set routing-options aggregate route destination discard

Regards,
Wojciech

2014-12-11 4:22 GMT+01:00 Rodrigo 1telecom <rodr...@1telecom.com.br>:
> Can you put an example of this configuration, Janiszewski?!
>
> Sent from my iPhone
> Grupo Connectoway
>
> On 10/12/2014, at 23:54, Wojciech Janiszewski <wojciech.janiszew...@gmail.com> wrote:
>> Hi,
>>
>> Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.
>>
>> Regards,
>> Wojciech
>>
>> 2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
>>> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>>>
>>> Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
>>> Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
>>> Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
>>> Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
>>> Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
>>> Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
>>> Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
> Hi,
>
> Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.

ick, that ddos protection stuff in JunOS is broken...you should just disable it:

system {
    ddos-protection {
        global {
            disable-routing-engine;
            disable-fpc;
            disable-logging;
        }
    }
}

> 2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
>> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>>
>> Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
>> Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
>> Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
>> Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
>> Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
>> Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
>> Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
Chris

The best option is to disable the feature?

And what about configuring it? If you have a protect-re firewall filter applied on loopback ... can this be done? Is it safe? Any documents from Juniper showing the best way?

And what about disabling the process?

Thanks a lot

Sent from my iPhone

On Dec 11, 2014, at 01:20, Chris Morrow <morr...@ops-netman.net> wrote:
> On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
>> Hi,
>>
>> Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.
>
> ick, that ddos protection stuff in JunOS is broken...you should just disable it:
>
> system {
>     ddos-protection {
>         global {
>             disable-routing-engine;
>             disable-fpc;
>             disable-logging;
>         }
>     }
> }
>
>> 2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
>>> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>>>
>>> Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
>>> Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
>>> Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
>>> Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
>>> Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
>>> Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
>>> Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST
Re: [j-nsp] DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate
On 12/10/2014 11:21 PM, Giuliano (WZTECH) wrote:
> Chris
>
> The best option is to disable the feature?

I think it's the best option.. juniper tried to do something 'nice' for you by setting some low (I think) limits on things you might actually care to see and deal with elsewhere...

> And what about configuring it? If you have a protect-re firewall filter applied on loopback ... can this be done?

all devices on the public network should have clear policies in place to protect themselves from the rest of the world. Your juniper loopback filter should permit the routing protocols you care about and your management access... and everything else should be discarded. Cymru's templates are decent for this actually.

-chris

> Is it safe? Any documents from Juniper showing the best way?
>
> And what about disabling the process?
>
> Thanks a lot
>
> Sent from my iPhone
>
> On Dec 11, 2014, at 01:20, Chris Morrow <morr...@ops-netman.net> wrote:
>> On 12/10/2014 09:54 PM, Wojciech Janiszewski wrote:
>>> Hi,
>>>
>>> Make sure that you have a discard next-hop instead of the default reject in your aggregate routes. That should help.
>>
>> ick, that ddos protection stuff in JunOS is broken...you should just disable it:
>>
>> system {
>>     ddos-protection {
>>         global {
>>             disable-routing-engine;
>>             disable-fpc;
>>             disable-logging;
>>         }
>>     }
>> }
>>
>>> 2014-12-10 23:16 GMT+01:00 Brendan Mannella <bmanne...@teraswitch.com>:
>>>> Just wondering if anyone has ever seen these DDOS messages before and what I should be looking at to resolve.
>>>>
>>>> Dec 10 11:10:24 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 931 times, from 2014-12-10 11:05:23 EST to 2014-12-10 11:05:23 EST
>>>> Dec 10 11:23:44 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 932 times, started at 2014-12-10 11:23:43 EST
>>>> Dec 10 11:28:49 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 932 times, from 2014-12-10 11:23:43 EST to 2014-12-10 11:23:43 EST
>>>> Dec 10 12:50:55 re0.edge2 xntpd[2681]: kernel time sync enabled 6001
>>>> Dec 10 13:08:00 re0.edge2 xntpd[2681]: kernel time sync enabled 2001
>>>> Dec 10 15:01:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_SET: Protocol Reject:aggregate is violated at fpc 1 for 933 times, started at 2014-12-10 15:01:33 EST
>>>> Dec 10 15:06:34 re0.edge2 jddosd[2710]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol Reject:aggregate has returned to normal. Violated at fpc 1 for 933 times, from 2014-12-10 15:01:33 EST to 2014-12-10 15:01:33 EST