Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[MX/T] Configuring ddos-protection flow-detection to log interface and source address information

1

0
Article ID: KB29408 KB Last Updated: 25 Aug 2020Version: 3.0 Summary:

This article shows how to log source interface and source address (IP or MAC) information when the DDoS (distributed denial of service) protection feature detects a violation on MX Series routers.

This article applies only to the following:

  • MX Series routers with Trinity-based MPCs, which includes the MX80 Series and the MX104, as well as T4000 routers with only FPC5s installed

  • Junos OS release 12.3 and later

 

Symptoms:

The ddos-protection feature detects a violation on an MX Series router, but the interface and IP information is not logged.

ddos-protection, by default, logs information only about the following:

  • Protocol

  • FPC

  • Number of events

  • Date

Example log:

DDOS_PROTOCOL_VIOLATION_SET: Protocol [Protocol]: is violated at fpc [x] for [x] times

 

Cause:

The ddos-protection feature is not configured with flow-detection for logging interface and IP information.

ddos-protection is enabled by default on devices running Junos OS release 11.4 and later.

Flow-detection is disabled by default on devices running Junos OS 12.3 and later.

 

Solution:

Configure the ddos-protection flow-detection feature to log interface and IP information.

If flow-detection is configured to log interface and IP information, the logs will display the following additional information:

  • Source IP or MAC address

  • Physical and logical interface where the violation was found

How to configure the ddos-protection flow-detection feature for logging interface and IP information

The example below configures flow-detection for Internet Control Message Protocol (ICMP).

Note: This configuration applies to all protocols. However, flow-detection must be enabled at the global hierarchy level for the configuration to take effect.

set system ddos-protection global flow-detection
set system ddos-protection global flow-report-rate 100
set system ddos-protection protocols icmp aggregate flow-detection-mode on
set system ddos-protection protocols icmp aggregate flow-level-detection subscriber on >>> (Log information about the source IP or MAC address)
set system ddos-protection protocols icmp aggregate flow-level-detection logical-interface on >>> (Log information about the logical interface where the violation occurred)
set system ddos-protection protocols icmp aggregate flow-level-detection physical-interface on >>> (Log information about the physical interface where the violation occurred)

Result

Show log messages | find DDOS
DDOS_SCFD_FLOW_FOUND: A new flow of protocol ICMP:aggregate on ge-0/3/4.0 with source addr 1.1.1.2 is found at 2014-08-06 14:55:35 CST

 

Modification History:

2020-08-25: Added note in Solution that "flow-detection must be enabled at the global hierarchy level for the configuration to take effect."

 

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search