[j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?

Alexander Arseniev arseniev at btinternet.com
Wed May 6 01:39:05 EDT 2020


Hello,
2 possibilities:
1/ Your MX240 loopback filter does not block udp/67
2/ You have DHCP traceoptions configured - it starts the jdhcpd process even if there is no other DHCP config:

set system processes dhcp-service traceoptions blah-blah

Thanks
Alex

------ Original Message ------
From: "Mike" <mike+lists at yourtownonline.com>
To: juniper-nsp at puck.nether.net
Sent: 05/05/2020 19:31:49
Subject: [j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?

>Hello,
>
>     On my MX240, I occasionally get log messages of this type:
>
>May  4 20:47:38  jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_SET:
>Warning: Host-bound traffic for protocol/exception  DHCPv4:bad-packets
>exceeded its allowed bandwidth at fpc 1 for 417 times, started at
>2020-05-04 20:47:37 PDT
>May  4 20:52:55  jmx240-fmt2 jddosd[3549]:
>DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for
>protocol/exception DHCPv4:bad-packets has returned to normal. Its
>allowed bandwith was exceeded at fpc 1 for 417 times, from 2020-05-04
>20:47:37 PDT to 2020-05-04 20:47:50 PDT
>
>     I have looked at my config, and I am positively not providing dhcp
>service of any kind, have no dhcp relay service on the router
>configured, and simply fail to see how or why these messages are being
>triggered. I do have some virtual hosts that are acting as dhcp servers
>for relayed dhcp traffic, but at the point my router sees this traffic
>it's only udp port 67 traffic being forwarded to these servers from my
>far away dhcp clients.
>
>     I almost want to say that, despite config, the router is in fact
>keying into relayed dhcp traffic for some reason. Wondering how I would
>go about more properly diagnosing this problem?
>
>
>Thank you.
>
>
>

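Added example, not part of the original thread: a Python parser that pairs the jddosd SET/CLEAR messages quoted above per host, FPC and protocol group:packet type, so a log review shows which host-bound policer fired, how often and for how long. The function and variable names are assumptions of this example; the sample input is the two log messages from the post, unwrapped to one line each.

```python
import re
from datetime import datetime

# Sample input: the two jddosd messages from the quoted post, unwrapped to one line each.
SAMPLE_LOG = """\
May  4 20:47:38  jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  DHCPv4:bad-packets exceeded its allowed bandwidth at fpc 1 for 417 times, started at 2020-05-04 20:47:37 PDT
May  4 20:52:55  jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception DHCPv4:bad-packets has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 417 times, from 2020-05-04 20:47:37 PDT to 2020-05-04 20:47:50 PDT
"""

# Matches both message kinds and extracts host, protocol group, packet type, FPC and count.
EVENT_RE = re.compile(
    r"(?P<host>\S+)\s+jddosd\[\d+\]:\s+DDOS_PROTOCOL_VIOLATION_(?P<kind>SET|CLEAR):"
    r".*?protocol/exception\s+(?P<group>[^:\s]+):(?P<ptype>\S+)"
    r".*?at fpc (?P<fpc>\d+) for (?P<count>\d+) times")
# Full timestamps inside the message body (the syslog header has no year, so it never matches).
TS_RE = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d")


def parse_violations(text):
    """Pair SET/CLEAR events; return (finished, still_open) violation records."""
    still_open, finished = {}, []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        # Timezone suffix is ignored: both stamps come from the same device clock.
        stamps = [datetime.strptime(s, "%Y-%m-%d %H:%M:%S") for s in TS_RE.findall(line)]
        if not m or not stamps:
            continue  # not a jddosd violation message, or truncated
        key = (m["host"], int(m["fpc"]), m["group"], m["ptype"])
        if m["kind"] == "SET":
            still_open[key] = {"key": key, "start": stamps[0], "count": int(m["count"])}
        else:
            # A CLEAR with no matching SET (e.g. rotated log) carries its own start time.
            rec = still_open.pop(key, {"key": key, "start": stamps[0]})
            rec.update(count=int(m["count"]), end=stamps[-1],
                       seconds=(stamps[-1] - rec["start"]).total_seconds())
            finished.append(rec)
    return finished, list(still_open.values())


if __name__ == "__main__":
    done, pending = parse_violations(SAMPLE_LOG)
    for v in done:
        host, fpc, group, ptype = v["key"]
        print(f"{host} fpc{fpc} {group}:{ptype} x{v['count']} over {v['seconds']:.0f}s")
    for v in pending:
        print("still in violation:", v["key"], "since", v["start"])
```
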