Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET
Sorry, I meant the opposite (i.e. the defaults are too high). One that is especially high is the IGMP at 20k. Multicast loops on large layer-2 fabrics (IXPs) will bring down first-gen Trios very easily (can't say the same for the newer ones up to Eagle).

On Tue, Nov 21, 2017 at 10:19 AM, Saku Ytti wrote:
> On 21 November 2017 at 14:12, Luis Balbinot wrote:
>
>> The DDoS protection factory defaults are very low in some cases. The
>> Juniper MX Series book has a nice chapter on that.
>
> Do you have an example? Most of them are like 20kpps, which is more
> than you need to congest the built-in NPU=>PFE_CPU policer. I.e. they
> are massively too large out-of-the-box.
>
> I doubt anyone has configured them to sensible values, as it would be
> hundreds of lines of ddos-protection config, as you cannot set default
> values which apply to all of them and then more-specific ones to the
> ones you care about. Correct configuration needs to manually configure each
> and every one, those which you don't need, as low as you want, like
> 10pps.
>
> --
> ++ytti

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET
On 21 November 2017 at 14:12, Luis Balbinot wrote:
> The DDoS protection factory defaults are very low in some cases. The
> Juniper MX Series book has a nice chapter on that.

Do you have an example? Most of them are like 20kpps, which is more than you need to congest the built-in NPU=>PFE_CPU policer. I.e. they are massively too large out-of-the-box.

I doubt anyone has configured them to sensible values, as it would be hundreds of lines of ddos-protection config, as you cannot set default values which apply to all of them and then more-specific ones to the ones you care about. Correct configuration needs to manually configure each and every one, those which you don't need, as low as you want, like 10pps.

--
++ytti
Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET
Most likely spoofed traffic or you don't have full tables or a default route. A /18 will pull a lot of unwanted traffic.

The DDoS protection factory defaults are very low in some cases. The Juniper MX Series book has a nice chapter on that.

On Tue, 21 Nov 2017 at 09:02 Karl Gerhard wrote:
> Hello
>
> our syslog is getting spammed with the following messages:
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol
> resolve:ucast-v4 is violated at fpc 11 for 1389 times
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol
> resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times
>
> What is puzzling is that there is barely any traffic going through that
> machine (like 5 MBit/s). It seems like those messages are being triggered
> by random noise from the internet just by announcing a single /18.
>
> Is that normal? Is there a way to gracefully handle those messages (i.e.
> save them into another file) without losing important information?
>
> Regards
> Karl
Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET
Hi Karl,

The DDOS subsystem applies only to the traffic destined to the host (router itself) and not transit traffic. When you announce that /18, have you got all destinations of that /18 reachable by the router? Have you got a default route?

The graceful way to handle those messages is to figure out what is causing them, I presume. I'd start figuring out what's going on from answering the above questions and looking at the below outputs:

show ddos-protection protocols resolve statistics brief
show ddos-protection protocols violations

I'm sure if you google this topic you may find a lot of information as well.

On 21-Nov-17 12:01, Karl Gerhard wrote:
> Hello
>
> our syslog is getting spammed with the following messages:
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 is violated at fpc 11 for 1389 times
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times
>
> What is puzzling is that there is barely any traffic going through that machine (like 5 MBit/s). It seems like those messages are being triggered by random noise from the internet just by announcing a single /18.
>
> Is that normal? Is there a way to gracefully handle those messages (i.e. save them into another file) without losing important information?
>
> Regards
> Karl
Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET
Hey Karl,

Do you have a large connected subnet, largely empty? I believe 'resolve' is a packet needing ARP resolution. I.e. you got a packet to subnet address 192.0.2.42, but it did not have a MAC address, so it could not be forwarded, but had to be punted to software for ARP resolution. Because it involves software it is ratelimited.

Be glad it exists; for the longest time resolve packets hit the DDoS policer of their protocol, so if someone was hitting 192.0.2.42 with BGP packets, it hit your BGP policer, and would bring your core iBGP down, and there was nothing you could do to protect from it (resolve is not subject to lo0, for obvious reasons). 4Mbps was all it took.

On 21 November 2017 at 13:01, Karl Gerhard wrote:
> Hello
>
> our syslog is getting spammed with the following messages:
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol
> resolve:ucast-v4 is violated at fpc 11 for 1389 times
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol
> resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times
>
> What is puzzling is that there is barely any traffic going through that
> machine (like 5 MBit/s). It seems like those messages are being triggered by
> random noise from the internet just by announcing a single /18.
>
> Is that normal? Is there a way to gracefully handle those messages (i.e. save
> them into another file) without losing important information?
>
> Regards
> Karl

--
++ytti
[j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET
Hello

our syslog is getting spammed with the following messages:

jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 is violated at fpc 11 for 1389 times
jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times

What is puzzling is that there is barely any traffic going through that machine (like 5 MBit/s). It seems like those messages are being triggered by random noise from the internet just by announcing a single /18.

Is that normal? Is there a way to gracefully handle those messages (i.e. save them into another file) without losing important information?

Regards
Karl
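To turn the jddosd SET/CLEAR pairs from the original post (and the per-protocol, per-FPC view Saku describes above) into something you can actually look at, here is an added example that is not from the thread or from Juniper: a small parser that rolls the messages up per protocol and FPC and reports which policers are still in a violated state. The log lines are constructed in the format quoted above; the igmp:aggregate line and the timestamps are made up for the sample.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the jddosd messages quoted in the thread.
# The first two lines are the poster's; the igmp line is invented for the demo.
SAMPLE_LOG = """\
Nov 21 09:00:01 rtr jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 is violated at fpc 11 for 1389 times
Nov 21 09:00:11 rtr jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times
Nov 21 09:05:42 rtr jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol igmp:aggregate is violated at fpc 3 for 2 times
Nov 21 09:05:43 rtr sshd[4242]: unrelated line that must be ignored
"""

# Both SET and CLEAR carry "Protocol <group:type> ... at fpc <n> for <count> times".
LINE_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_(?P<event>SET|CLEAR): Protocol (?P<proto>\S+) "
    r".*?at fpc (?P<fpc>\d+) for (?P<count>\d+) times"
)

def parse_line(line):
    """Return a dict for a jddosd violation line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"event": m["event"], "proto": m["proto"],
            "fpc": int(m["fpc"]), "count": int(m["count"])}

def summarize(log_text):
    """Roll events up per (protocol, fpc): SET/CLEAR counts, last count, open state."""
    state = defaultdict(lambda: {"sets": 0, "clears": 0, "last_count": 0, "open": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = state[(ev["proto"], ev["fpc"])]
        if ev["event"] == "SET":
            s["sets"] += 1
            s["open"] = True          # policer is currently being exceeded
        else:
            s["clears"] += 1
            s["open"] = False         # returned to normal
        s["last_count"] = ev["count"]  # cumulative violations reported by jddosd
    return dict(state)

def still_violated(summary):
    """(protocol, fpc) pairs with a SET and no matching CLEAR yet: look at these first."""
    return sorted(k for k, v in summary.items() if v["open"])

if __name__ == "__main__":
    for key, v in summarize(SAMPLE_LOG).items():
        print(key, v)
    print("still violated:", still_violated(summarize(SAMPLE_LOG)))
```

Feed it the output of `show log messages` (or the file you split the DDOS messages into) and the open entries tell you which FPC and protocol group to inspect with the `show ddos-protection` commands suggested earlier in the thread.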