This article shows how to log source interface and source address (IP or MAC) information when the DDoS (distributed denial of service) protection feature detects a violation on MX Series routers.
This article applies only to the following:
- MX Series routers with Trinity-based MPCs, which includes the MX80 Series and the MX104, as well as T4000 routers with only FPC5s installed
- Junos OS release 12.3 and later
The ddos-protection feature detects a violation on an MX Series router, but the interface and IP information is not logged.
ddos-protection, by default, logs information only about the following:
- Protocol
- FPC
- Number of events
- Date
Example log:
DDOS_PROTOCOL_VIOLATION_SET: Protocol [Protocol]: is violated at fpc [x] for [x] times
The ddos-protection feature is not configured with flow-detection for logging interface and IP information.
ddos-protection is enabled by default on devices running Junos OS release 11.4 and later.
Flow-detection is disabled by default on devices running Junos OS 12.3 and later.
Configure the ddos-protection flow-detection feature to log interface and IP information.
If flow-detection is configured to log interface and IP information, the logs also include the logical interface and the source IP or MAC address of the offending flow, as shown in the Result section below.
How to configure the ddos-protection flow-detection feature for logging interface and IP information
The example below configures flow-detection for Internet Control Message Protocol (ICMP).
Note: This configuration applies to all protocols. However, flow-detection must be enabled at the global hierarchy level for the configuration to take effect.
set system ddos-protection global flow-detection
set system ddos-protection global flow-report-rate 100
set system ddos-protection protocols icmp aggregate flow-detection-mode on
set system ddos-protection protocols icmp aggregate flow-level-detection subscriber on >>> (Log information about the source IP or MAC address)
set system ddos-protection protocols icmp aggregate flow-level-detection logical-interface on >>> (Log information about the logical interface where the violation occurred)
set system ddos-protection protocols icmp aggregate flow-level-detection physical-interface on >>> (Log information about the physical interface where the violation occurred)
Result
show log messages | find DDOS
DDOS_SCFD_FLOW_FOUND: A new flow of protocol ICMP:aggregate on ge-0/3/4.0 with source addr 1.1.1.2 is found at 2014-08-06 14:55:35 CST
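The two message formats shown above (the default DDOS_PROTOCOL_VIOLATION_SET line and the DDOS_SCFD_FLOW_FOUND line produced once flow-detection is on) are easy to pull into a SIEM or a quick script. The following parser is an added example written for this article; it is not Juniper code. The sample syslog lines, hostnames, interface names and addresses are constructed for the example, and the regular expressions follow the message templates printed in this article, so they may need adjusting if your Junos release words the messages differently.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of /var/log/messages content: one default violation
# message (no interface or source address) followed by flow-detection
# messages. Hostname, PIDs, interfaces and addresses are made up.
SAMPLE_LOG = """\
Aug  6 14:50:01 mx1 jddosd[1234]: DDOS_PROTOCOL_VIOLATION_SET: Protocol ICMP:aggregate is violated at fpc 0 for 3 times
Aug  6 14:55:35 mx1 jddosd[1234]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol ICMP:aggregate on ge-0/3/4.0 with source addr 1.1.1.2 is found at 2014-08-06 14:55:35 CST
Aug  6 14:56:10 mx1 jddosd[1234]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol ICMP:aggregate on ge-0/3/4.0 with source addr 1.1.1.3 is found at 2014-08-06 14:56:10 CST
Aug  6 14:57:00 mx1 jddosd[1234]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol ARP:aggregate on xe-1/0/0.100 with source addr 00:11:22:33:44:55 is found at 2014-08-06 14:57:00 CST
"""

# Default message: only protocol, FPC slot and event count are available.
# The optional ':' after the protocol name mirrors the template in the article.
VIOLATION_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: Protocol (?P<protocol>\S+?):? is violated "
    r"at fpc (?P<fpc>\d+) for (?P<count>\d+) times"
)
# Flow-detection message: adds logical interface, source address and timestamp.
FLOW_RE = re.compile(
    r"DDOS_SCFD_FLOW_FOUND: A new flow of protocol (?P<protocol>\S+) "
    r"on (?P<interface>\S+) with source addr (?P<source>\S+) "
    r"is found at (?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


@dataclass
class DdosEvent:
    kind: str                           # "violation" or "flow"
    protocol: str                       # e.g. "ICMP:aggregate"
    fpc: Optional[int] = None           # default message only
    count: Optional[int] = None         # default message only
    interface: Optional[str] = None     # flow message only (logical interface)
    source: Optional[str] = None        # flow message only (IP or MAC)
    source_type: Optional[str] = None   # "ipv4", "ipv6", "mac" or "unknown"
    timestamp: Optional[str] = None     # flow message only

    @property
    def physical_interface(self) -> Optional[str]:
        """ge-0/3/4.0 -> ge-0/3/4 (strip the unit number)."""
        return self.interface.split(".")[0] if self.interface else None


def classify_source(addr: str) -> str:
    """The subscriber level logs either an IP or a MAC address; tell them apart."""
    if MAC_RE.match(addr):
        return "mac"
    try:
        return "ipv%d" % ipaddress.ip_address(addr).version
    except ValueError:
        return "unknown"


def parse_line(line: str) -> Optional[DdosEvent]:
    """Return a DdosEvent for a recognised jddosd line, else None."""
    m = FLOW_RE.search(line)
    if m:
        return DdosEvent(kind="flow", protocol=m["protocol"],
                         interface=m["interface"], source=m["source"],
                         source_type=classify_source(m["source"]),
                         timestamp=m["timestamp"])
    m = VIOLATION_RE.search(line)
    if m:
        return DdosEvent(kind="violation", protocol=m["protocol"],
                         fpc=int(m["fpc"]), count=int(m["count"]))
    return None


def parse_log(text: str) -> List[DdosEvent]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flows_by_interface(events: List[DdosEvent]) -> Dict[Tuple[str, str], List[str]]:
    """Group flow events as (protocol, logical interface) -> distinct sources."""
    grouped: Dict[Tuple[str, str], set] = {}
    for e in events:
        if e.kind == "flow":
            grouped.setdefault((e.protocol, e.interface), set()).add(e.source)
    return {key: sorted(srcs) for key, srcs in grouped.items()}


if __name__ == "__main__":
    for key, sources in flows_by_interface(parse_log(SAMPLE_LOG)).items():
        print(key, sources)
```

Grouping by (protocol, interface) is what the default message cannot give you: with flow-detection on, the same FPC-level violation resolves to a specific logical interface and a list of offending sources, which is what you need to apply a filter or to confirm that the traffic is legitimate before raising the policer.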
2020-08-25: Added note in Solution that "flow-detection must be enabled at the global hierarchy level for the configuration to take effect."