Mailing List Archive

DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?
Hello,

    On my MX240, I occasionally get log messages of this type:

May  4 20:47:38  jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_SET:
Warning: Host-bound traffic for protocol/exception  DHCPv4:bad-packets
exceeded its allowed bandwidth at fpc 1 for 417 times, started at
2020-05-04 20:47:37 PDT
May  4 20:52:55  jmx240-fmt2 jddosd[3549]:
DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for
protocol/exception DHCPv4:bad-packets has returned to normal. Its
allowed bandwith was exceeded at fpc 1 for 417 times, from 2020-05-04
20:47:37 PDT to 2020-05-04 20:47:50 PDT

    I have looked at my config, and I am positively not providing DHCP
service of any kind, have no DHCP relay service configured on the router,
and simply fail to see how or why these messages are being
triggered. I do have some virtual hosts that are acting as DHCP servers
for relayed DHCP traffic, but at the point my router sees this traffic,
it's only UDP port 67 traffic being forwarded to these servers from my
far-away DHCP clients.

    I almost want to say that, despite the config, the router is in fact
keying into relayed DHCP traffic for some reason. Wondering how I would
go about diagnosing this problem more properly?


Thank you.



_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
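As an added example (not part of the original post, and not Juniper code): a small Python parser that correlates jddosd DDOS_PROTOCOL_VIOLATION_SET and _CLEAR syslog messages of the shape quoted above into one record per violation episode, so that "417 times at fpc 1" can be read as a duration and a rate rather than a bare counter. The log lines in the block are constructed to match the quoted messages (syslog emits each as a single line; the mail client wrapped them); the third line is an invented, not-yet-cleared episode added to exercise the ongoing case. The regex tolerates the "bandwith" spelling that appears in the CLEAR message.

```python
import re
from datetime import datetime

# Constructed sample syslog excerpt modelled on the jddosd messages quoted in
# the post. Real syslog emits each message on one line. The third line is an
# invented SET with no CLEAR yet, to exercise the "still violating" path.
SAMPLE_LOG = """\
May  4 20:47:38  jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  DHCPv4:bad-packets exceeded its allowed bandwidth at fpc 1 for 417 times, started at 2020-05-04 20:47:37 PDT
May  4 20:52:55  jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception DHCPv4:bad-packets has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 417 times, from 2020-05-04 20:47:37 PDT to 2020-05-04 20:47:50 PDT
May  4 21:10:02  jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  DHCPv4:bad-packets exceeded its allowed bandwidth at fpc 1 for 12 times, started at 2020-05-04 21:10:01 PDT
"""

_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"

# "bandwid?th" accepts both the SET spelling and the "bandwith" in the CLEAR text.
SET_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: .*?protocol/exception\s+(?P<proto>\S+) "
    r"exceeded its allowed bandwid?th at fpc (?P<fpc>\d+) for (?P<count>\d+) times, "
    r"started at (?P<start>" + _TS + r")"
)
CLEAR_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_CLEAR: .*?protocol/exception\s+(?P<proto>\S+) "
    r"has returned to normal\. Its allowed bandwid?th was exceeded at fpc (?P<fpc>\d+) "
    r"for (?P<count>\d+) times, from (?P<start>" + _TS + r") \S+ to (?P<end>" + _TS + r")"
)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _new_event(m):
    return {"protocol": m["proto"], "fpc": int(m["fpc"]), "count": int(m["count"]),
            "start": _ts(m["start"]), "end": None, "duration_s": None, "cleared": False}


def parse_ddos_events(log_text):
    """Correlate SET/CLEAR pairs into one record per violation episode.

    Episodes are keyed on (protocol, fpc, start time), which both messages carry.
    A SET without a CLEAR is returned with cleared=False; a CLEAR whose SET was
    never seen (log rotation, dropped syslog) still produces a record.
    """
    open_events = {}
    events = []
    for line in log_text.splitlines():
        m = SET_RE.search(line)
        if m:
            ev = _new_event(m)
            open_events[(ev["protocol"], ev["fpc"], m["start"])] = ev
            events.append(ev)
            continue
        m = CLEAR_RE.search(line)
        if m:
            ev = open_events.pop((m["proto"], int(m["fpc"]), m["start"]), None)
            if ev is None:
                ev = _new_event(m)
                events.append(ev)
            ev["count"] = int(m["count"])      # CLEAR carries the final count
            ev["end"] = _ts(m["end"])
            ev["duration_s"] = (ev["end"] - ev["start"]).total_seconds()
            ev["cleared"] = True
    return events


def violations_per_second(ev):
    """Intensity of a cleared episode (sub-second episodes count as 1 s); None if ongoing."""
    if not ev["cleared"]:
        return None
    return ev["count"] / max(ev["duration_s"], 1.0)


def summarize(events):
    """Per (protocol, fpc): number of episodes, total violations, episodes still open."""
    out = {}
    for ev in events:
        s = out.setdefault((ev["protocol"], ev["fpc"]),
                           {"episodes": 0, "violations": 0, "ongoing": 0})
        s["episodes"] += 1
        s["violations"] += ev["count"]
        s["ongoing"] += 0 if ev["cleared"] else 1
    return out


if __name__ == "__main__":
    for ev in parse_ddos_events(SAMPLE_LOG):
        rate = violations_per_second(ev)
        print(f"{ev['protocol']} fpc{ev['fpc']} start={ev['start']} "
              f"count={ev['count']} duration={ev['duration_s']} "
              f"rate={'ongoing' if rate is None else f'{rate:.1f}/s'}")
    print(summarize(parse_ddos_events(SAMPLE_LOG)))
```

Feeding it the real syslog (for example the output of `show log messages | match DDOS_PROTOCOL_VIOLATION`) gives a quick picture of whether the bad-packets hits on an FPC are short bursts, as the quoted 13-second episode is, or a sustained stream, before spending time on a packet capture.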
Re: DDOS_PROTOCOL_VIOLATION on DHCP - and it's not configured?
Hey Mike,


> May 4 20:47:38 jmx240-fmt2 jddosd[3549]: DDOS_PROTOCOL_VIOLATION_SET:
> Warning: Host-bound traffic for protocol/exception DHCPv4:bad-packets
> exceeded its allowed bandwidth at fpc 1 for 417 times, started at
> 2020-05-04 20:47:37 PDT

> I almost want to say that, despite config, the router is in fact
> keying into relayed dhcp traffic for some reason. Wondering how I would
> go about more properly diagnosing this problem?

Is it not possible these are DADDR 255.255.255.255, which would be
punted and, with specific content, could hit DHCPv4:bad-packets? You can
run 'monitor traffic' on the device to try to catch what is being
punted. But you need to figure out which interface in FPC1.

--
++ytti