[j-nsp] Syslog getting spammed by DDOS_PROTOCOL_VIOLATION_SET

Saku Ytti saku at ytti.fi
Tue Nov 21 07:07:45 EST 2017


Hey Karl,

Do you have a large connected subnet that is largely empty?

I believe 'resolve' is a packet needing ARP resolution. I.e. you got a
packet to subnet address 192.0.2.42, but it did not have a MAC address,
so it could not be forwarded, but had to be punted to software for ARP
resolution. Because it involves software it is rate-limited.

Be glad it exists; for the longest time resolve packets hit the DDoS
policer of their protocol, so if someone was hitting 192.0.2.42 with
BGP packets, it hit your BGP policer and would bring your core iBGP
down, and there was nothing you could do to protect from it (resolve
is not subject to lo0, for obvious reasons). 4Mbps was all it took.

On 21 November 2017 at 13:01, Karl Gerhard <karl_gerh at gmx.at> wrote:
> Hello
>
> our syslog is getting spammed with the following messages:
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 is violated at fpc 11 for 1389 times
> jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times
>
> What is puzzling is that there is barely any traffic going through that machine (like 5 MBit/s). It seems like those messages are being triggered by random noise from the internet just by announcing a single /18.
>
> Is that normal? Is there a way to gracefully handle those messages (i.e. save them into another file) without losing important information?
>
> Regards
> Karl
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 
  ++ytti
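Added example (not part of the thread, not Juniper code): a small parser for the jddosd DDOS_PROTOCOL_VIOLATION lines quoted in Karl's message, run over constructed sample syslog lines. It separates the DDoS-protection messages from other syslog traffic (the split Karl asks about, done off-box here), tracks SET/CLEAR state per protocol and FPC so that a policer that flaps and clears (the resolve noise Saku describes) can be told apart from one that stays violated, and reports the latter. The field names, the `bgp:aggregate` protocol string and the timestamps/hostname in the sample are my assumptions.

```python
import re
from collections import OrderedDict

# Shape of the jddosd lines quoted in this thread (assumed; group names are mine):
#   jddosd[PID]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol <grp>:<pkt> is violated at fpc <n> for <c> times
#   jddosd[PID]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol <grp>:<pkt> has returned to normal. Violated at fpc <n> for <c> times
DDOS_RE = re.compile(
    r"jddosd\[(?P<pid>\d+)\]: %DAEMON-(?P<sev>\d)-DDOS_PROTOCOL_VIOLATION_(?P<event>SET|CLEAR): "
    r"Protocol (?P<proto>[\w.-]+:[\w.-]+) .*?\bfpc (?P<fpc>\d+) for (?P<count>\d+) times"
)

# Constructed sample log: the two lines from the thread, repeated with a later
# count, plus one unrelated sshd line and one constructed bgp policer violation.
SAMPLE_LINES = [
    "Nov 21 12:58:01 router1 jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 is violated at fpc 11 for 1389 times",
    "Nov 21 12:58:03 router1 sshd[4411]: Accepted publickey for admin from 203.0.113.7 port 50112 ssh2",
    "Nov 21 12:58:11 router1 jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times",
    "Nov 21 12:59:02 router1 jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol bgp:aggregate is violated at fpc 3 for 1 times",
    "Nov 21 12:59:40 router1 jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol resolve:ucast-v4 is violated at fpc 11 for 1390 times",
    "Nov 21 13:00:02 router1 jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1390 times",
]


def parse_ddos_line(line):
    """Return a dict of fields for a DDOS_PROTOCOL_VIOLATION line, or None for any other line."""
    m = DDOS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("pid", "sev", "fpc", "count"):
        d[k] = int(d[k])
    return d


def split_ddos(lines):
    """Separate DDoS-protection lines from the rest, as a syslog match rule routing them to another file would."""
    ddos, other = [], []
    for line in lines:
        (ddos if DDOS_RE.search(line) else other).append(line)
    return ddos, other


def summarize(lines):
    """Track SET/CLEAR state per (protocol, fpc): flap counts, last reported violation count, and whether still violated."""
    state = OrderedDict()
    for line in lines:
        ev = parse_ddos_line(line)
        if ev is None:
            continue
        key = (ev["proto"], ev["fpc"])
        s = state.setdefault(key, {"sets": 0, "clears": 0, "active": False, "last_count": 0})
        if ev["event"] == "SET":
            s["sets"] += 1
            s["active"] = True
        else:
            s["clears"] += 1
            s["active"] = False
        s["last_count"] = ev["count"]
    return state


def still_active(state):
    """Keys whose last event was a SET with no matching CLEAR: the ones worth looking at, rather than the flapping noise."""
    return [k for k, s in state.items() if s["active"]]


if __name__ == "__main__":
    ddos, other = split_ddos(SAMPLE_LINES)
    print(f"{len(ddos)} ddos-protection lines, {len(other)} other lines")
    st = summarize(ddos)
    for (proto, fpc), s in st.items():
        print(f"{proto} fpc {fpc}: sets={s['sets']} clears={s['clears']} last_count={s['last_count']} active={s['active']}")
    print("still violated:", still_active(st))
```

On the sample, `resolve:ucast-v4` on FPC 11 sets and clears twice and ends cleared, while the constructed `bgp:aggregate` violation on FPC 3 never clears and is the only key `still_active` returns; a policer that keeps a SET without a CLEAR is the case that deserves attention, whereas the resolve flapping is the software-punt rate limiting Saku describes.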

