Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Luis Balbinot 
Sorry, I meant the opposite (i.e. the defaults are too high).

One that is specially high is the IGMP at 20k. Multicast loops on
large layer-2 fabrics (IXPs) will bring down first-gen Trios very
easily (can't say the same for the newer ones up to Eagle).

On Tue, Nov 21, 2017 at 10:19 AM, Saku Ytti  wrote:
> On 21 November 2017 at 14:12, Luis Balbinot  wrote:
>
>> The DDoS protection factory defaults are very low in some cases. The
>> Juniper MX Series book has a nice chapter on that.
>
> Do you have an example? Most of them are like 20kpps, which ismore
> than you need to congest the built-in NPU=>PFE_CPU policer. I.e. they
> are massively too large out-of-the-box.
>
> I doubt anyone has configured them to sensible values, as it would be
> hundreds of lines of ddos-protection config, as you cannot set default
> values which apply to all of them and then more-specific ones to the
> ones you care. Correct configuration needs to manually configure each
> and every one, those which you don't need, as low as you want, like
> 10pps.
>
>
> --
>   ++ytti
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Saku Ytti 
On 21 November 2017 at 14:12, Luis Balbinot  wrote:

> The DDoS protection factory defaults are very low in some cases. The
> Juniper MX Series book has a nice chapter on that.

Do you have an example? Most of them are like 20kpps, which ismore
than you need to congest the built-in NPU=>PFE_CPU policer. I.e. they
are massively too large out-of-the-box.

I doubt anyone has configured them to sensible values, as it would be
hundreds of lines of ddos-protection config, as you cannot set default
values which apply to all of them and then more-specific ones to the
ones you care. Correct configuration needs to manually configure each
and every one, those which you don't need, as low as you want, like
10pps.


-- 
  ++ytti
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Luis Balbinot 
Most likely spoofed traffic or you don't have full tables or a default
route. A /18 will pull a lot of unwanted traffic.

The DDoS protection factory defaults are very low in some cases. The
Juniper MX Series book has a nice chapter on that.

On Tue, 21 Nov 2017 at 09:02 Karl Gerhard  wrote:

> Hello
>
> our syslog is getting spammed with the following messages:
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol
> resolve:ucast-v4 is violated at fpc 11 for 1389 times
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol
> resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times
>
> What is puzzling is that there is barely any traffic going through that
> machine (like 5 MBit/s). It seems like those messages are being triggered
> by random noise from the internet just by announcing a single /18.
>
> Is that normal? Is there a way to gracefully handle those messages (i.e.
> save them into another file) without losing important information?
>
> Regards
> Karl
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Timur Maryin via juniper-nsp 

Hi Karl,

DDOS subsystem applies only to the traffic destined to the host (router 
itself) and not transit traffic.


When you announce that /18 have you got all destinations of that /18 
reachable by the router? Have you got default route ?



The graceful way to handle those messages is to figure out what causing 
them i presume.


I'd start figuring out what's going on from answering above questions 
and looking at below outputs:


 show ddos-protection protocols resolve statistics brief
 show ddos-protection protocols violations


I'm sure if you google this topic you may find a lot of information as well



On 21-Nov-17 12:01, Karl Gerhard wrote:

Hello

our syslog is getting spammed with the following messages:
jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 
is violated at fpc 11 for 1389 times
jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol 
resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times

What is puzzling is that there is barely any traffic going through that machine 
(like 5 MBit/s). It seems like those messages are being triggered by random 
noise from the internet just by announcing a single /18.

Is that normal? Is there a way to gracefully handle those messages (i.e. save 
them into another file) without losing important information?

Regards
Karl

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Saku Ytti 
Hey Karl,

Do you have large connected subnet, largely empty?

I believe 'resolve' is packet needing ARP resolution. I.e. you got
packet to subnet address 192.0.2.42, but it did not have MAC address,
so it could not be forwarded, but had to be punted to software for ARP
resolution. Because it involves software it is ratelimited.

Be glad it exists, for longest time resolve packets hit the DDoS
policer of their protocol so if someone was hitting 192.0.2.42 with
BGP packets, it hit your BGP policer, and would bring your core iBGP
down, and there was nothing you could do to protect from it (resolve
is not subject to lo0, for obvious reasons). 4Mbps was all it took.

On 21 November 2017 at 13:01, Karl Gerhard  wrote:
> Hello
>
> our syslog is getting spammed with the following messages:
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol 
> resolve:ucast-v4 is violated at fpc 11 for 1389 times
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol 
> resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times
>
> What is puzzling is that there is barely any traffic going through that 
> machine (like 5 MBit/s). It seems like those messages are being triggered by 
> random noise from the internet just by announcing a single /18.
>
> Is that normal? Is there a way to gracefully handle those messages (i.e. save 
> them into another file) without losing important information?
>
> Regards
> Karl
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 
  ++ytti
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

[j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

2017-11-21 Thread Karl Gerhard 
Hello

our syslog is getting spammed with the following messages:
jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 
is violated at fpc 11 for 1389 times
jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol 
resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times

What is puzzling is that there is barely any traffic going through that machine 
(like 5 MBit/s). It seems like those messages are being triggered by random 
noise from the internet just by announcing a single /18.

Is that normal? Is there a way to gracefully handle those messages (i.e. save 
them into another file) without losing important information?

Regards
Karl
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp