[j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?

Michael Hare michael.hare at wisc.edu
Wed May 6 09:05:18 EDT 2020


If you are absolutely certain you are not providing DHCP you could always set the punt rate to 1 and disable logging. 

Beware, this can be an awfully sharp sword.  Ask me how I know!

        system {
            ddos-protection {
                protocols {
                    {$protocol} {
                        aggregate {
                            bandwidth 1;
                            burst 1;
                            flow-level-detection {
                                subscriber off;
                                logical-interface off;
                            }
                            no-flow-logging;
                        }
                    }
                }
            }
        }

-Michael

> -----Original Message-----
> From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> On Behalf Of
> Mike
> Sent: Tuesday, May 5, 2020 1:32 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] DDOS_PROTOCOL_VIOLATION on DHCP - and it's not
> configured?
> 
> Hello,
> 
>     On my MX240, I occasionally get log messages of this type:
> 
> May  4 20:47:38  jmx240-fmt2 jddosd[3549]:
> DDOS_PROTOCOL_VIOLATION_SET:
> Warning: Host-bound traffic for protocol/exception  DHCPv4:bad-packets
> exceeded its allowed bandwidth at fpc 1 for 417 times, started at
> 2020-05-04 20:47:37 PDT
> May  4 20:52:55  jmx240-fmt2 jddosd[3549]:
> DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for
> protocol/exception DHCPv4:bad-packets has returned to normal. Its
> allowed bandwith was exceeded at fpc 1 for 417 times, from 2020-05-04
> 20:47:37 PDT to 2020-05-04 20:47:50 PDT
> 
>     I have looked at my config, and I am positively not providing dhcp
> service of any kind, have no dhcp relay service on the router
> configured, and simply fail to see how or why these messages are being
> triggered. I do have some virtual hosts that are acting as dhcp servers
> for relayed dhcp traffic, but at the point my router sees this traffic
> it's only UDP port 67 traffic being forwarded to these servers from my
> far away dhcp clients.
> 
>     I almost want to say that, despite config, the router is in fact
> keying into relayed dhcp traffic for some reason. Wondering how I would
> go about more properly diagnosing this problem?
> 
> 
> Thank you.
> 
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
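
Before lowering the punt rate, it helps to know how often and for how long these violations actually fire. The following is an added example (not from the thread or from Juniper) that parses the two jddosd messages quoted above, pairs each DDOS_PROTOCOL_VIOLATION_SET with its CLEAR per protocol and FPC, and reports the completed episodes; the sample log is constructed from the lines in the question, with one unrelated line added.

```python
import re

# Constructed sample: the two wrapped jddosd messages from the question, re-joined
# onto single syslog lines, plus one unrelated line that the parser must ignore.
SAMPLE_LOG = """\
May  4 20:47:38  jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  DHCPv4:bad-packets exceeded its allowed bandwidth at fpc 1 for 417 times, started at 2020-05-04 20:47:37 PDT
May  4 20:52:55  jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception DHCPv4:bad-packets has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 417 times, from 2020-05-04 20:47:37 PDT to 2020-05-04 20:47:50 PDT
May  4 21:00:00  jmx240-fmt2 sshd[1234]: Accepted publickey for admin from 192.0.2.10
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w+"   # e.g. 2020-05-04 20:47:37 PDT
# Junos spells "bandwith" in the CLEAR message, so the patterns skip that word with .*?
SET_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET:.*?protocol/exception\s+(?P<proto>\S+)\s+exceeded .*?"
    rf"at fpc (?P<fpc>\d+) for (?P<count>\d+) times, started at (?P<start>{TS})")
CLEAR_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_CLEAR:.*?protocol/exception\s+(?P<proto>\S+)\s+has returned to normal.*?"
    rf"at fpc (?P<fpc>\d+) for (?P<count>\d+) times, from (?P<start>{TS}) to (?P<end>{TS})")


def parse_line(line):
    """Return a dict describing a SET or CLEAR event, or None for unrelated syslog lines."""
    for event, rx in (("SET", SET_RE), ("CLEAR", CLEAR_RE)):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            d["event"] = event
            d["fpc"] = int(d["fpc"])
            d["count"] = int(d["count"])
            d.setdefault("end", None)          # SET messages carry no end time
            return d
    return None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def pair_violations(events):
    """Match each CLEAR to the open SET for the same (protocol, fpc).
    Returns (episodes, still_open): episodes as (proto, fpc, count, start, end) tuples,
    still_open as the SET events that never saw a CLEAR (the ones worth alerting on)."""
    open_sets, episodes = {}, []
    for e in events:
        key = (e["proto"], e["fpc"])
        if e["event"] == "SET":
            open_sets[key] = e
        elif key in open_sets:
            s = open_sets.pop(key)
            episodes.append((e["proto"], e["fpc"], e["count"], s["start"], e["end"]))
    return episodes, list(open_sets.values())
```

Running this over `SAMPLE_LOG` yields one closed episode for DHCPv4:bad-packets on FPC 1 (417 hits, 13 seconds long) and no open ones; a SET without a matching CLEAR is the case to page on.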
