[MX/T] Configuring ddos-protection flow-detection to log interface and source address information

Article ID: KB29408 | KB Last Updated: 28 Aug 2014 | Version: 2.0
Summary:

This article shows how to log source interface and source address (IP or MAC) information when the DDoS (distributed denial of service) protection feature detects a violation on MX series routers.

This article applies only to the following:

  • MX Series routers with Trinity-based MPCs, which include the MX80 series and the MX104, as well as T4000 routers with only FPC5s installed.
  • Junos OS 12.3 and above.
Symptoms:

The ddos-protection feature detects a violation on an MX series router, but interface and IP information is not logged.

ddos-protection, by default, logs information only about the following:

  • Protocol
  • FPC
  • Number of events
  • Date

Example log:

DDOS_PROTOCOL_VIOLATION_SET: Protocol [Protocol]: is violated at fpc [x] for [x] times
Cause:

The ddos-protection feature is not configured with flow-detection for logging interface and IP information.

ddos-protection is enabled by default. It is available on Junos OS 11.4 and above.

Flow-detection is disabled by default. It is available on Junos OS 12.3 and above.

Solution:

Configure the ddos-protection flow-detection feature to log interface and IP information.

If flow-detection is configured to log interface and IP information, the logs will display the following additional information:

  • Source IP or MAC address.
  • Physical and logical interface where the violation was found.

How to configure the ddos-protection flow-detection feature for logging interface and IP information

The example below configures flow-detection for ICMP.

Note: This configuration applies to all protocols.

set system ddos-protection global flow-detection
set system ddos-protection global flow-report-rate 100
set system ddos-protection protocols icmp aggregate flow-detection-mode on
set system ddos-protection protocols icmp aggregate flow-level-detection subscriber on -> (Log information about the source IP or MAC address)
set system ddos-protection protocols icmp aggregate flow-level-detection logical-interface on -> (Log information about the logical interface where the violation occurred)
set system ddos-protection protocols icmp aggregate flow-level-detection physical-interface on -> (Log information about the physical interface where the violation occurred)

Result:

show log messages | find DDOS
DDOS_SCFD_FLOW_FOUND: A new flow of protocol ICMP:aggregate on ge-0/3/4.0 with source addr 1.1.1.2 is found at 2014-08-06 14:55:35 CST
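The following added example (not part of this article or of Junos itself) parses both message formats shown above, the default DDOS_PROTOCOL_VIOLATION_SET line and the DDOS_SCFD_FLOW_FOUND line produced once flow-detection is on, so the interface and source address can be pulled out of a syslog feed for alerting. The sample log lines and the DdosEvent structure are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Message produced with flow-detection enabled (format as shown in the Result section above).
FLOW_FOUND_RE = re.compile(
    r"DDOS_SCFD_FLOW_FOUND: A new flow of protocol (?P<protocol>\S+) on (?P<interface>\S+) "
    r"with source addr (?P<source>\S+) is found at (?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)"
)
# Default message without flow-detection: only protocol, FPC slot and event count are present.
VIOLATION_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: Protocol (?P<protocol>\S+): is violated at fpc (?P<fpc>\d+) for (?P<count>\d+) times"
)

@dataclass
class DdosEvent:
    kind: str                   # "flow_found" or "violation"
    protocol: str               # e.g. "ICMP:aggregate"
    interface: Optional[str]    # logical interface, only present with flow-detection
    source: Optional[str]       # IP or MAC address, only present with flow-detection
    fpc: Optional[int]          # FPC slot, only in the default violation message
    count: Optional[int]        # event count, only in the default violation message
    time: Optional[str]         # timestamp embedded in the flow-found message

def parse_line(line: str) -> Optional[DdosEvent]:
    """Parse one syslog line (a syslog prefix is tolerated); return None if it is not a DDoS event."""
    m = FLOW_FOUND_RE.search(line)
    if m:
        return DdosEvent("flow_found", m["protocol"], m["interface"], m["source"], None, None, m["time"])
    m = VIOLATION_RE.search(line)
    if m:
        return DdosEvent("violation", m["protocol"], None, None, int(m["fpc"]), int(m["count"]), None)
    return None

def sources_by_interface(lines: list[str]) -> dict[str, set[str]]:
    """Map each logical interface to the set of offending source addresses reported on it."""
    result: dict[str, set[str]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.kind == "flow_found":
            result.setdefault(ev.interface, set()).add(ev.source)
    return result

# Constructed sample lines in the two formats the article shows (not real router output).
SAMPLE_LOG = [
    "DDOS_PROTOCOL_VIOLATION_SET: Protocol ICMP:aggregate: is violated at fpc 0 for 3 times",
    "DDOS_SCFD_FLOW_FOUND: A new flow of protocol ICMP:aggregate on ge-0/3/4.0 with source addr 1.1.1.2 is found at 2014-08-06 14:55:35 CST",
    "DDOS_SCFD_FLOW_FOUND: A new flow of protocol ICMP:aggregate on ge-0/3/4.0 with source addr 00:11:22:33:44:55 is found at 2014-08-06 14:55:40 CST",
    "DDOS_SCFD_FLOW_FOUND: A new flow of protocol ICMP:aggregate on xe-1/0/0.100 with source addr 10.0.0.7 is found at 2014-08-06 14:56:01 CST",
]
```

Feeding the DDOS_PROTOCOL_VIOLATION_SET line through the same parser shows what is lost without flow-detection: interface and source come back empty, which is exactly the gap the configuration above closes.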
