
[MX/T] Aggressive sampling rate triggers DDoS protection and affects sampled traffic on egress


Article ID: KB35272    Last Updated: 23 Nov 2019    Version: 1.0
Summary:

When a router runs jflow version 5 (Routing Engine based sampling) and the sampling ratio is too aggressive, the sampled packets punted to the Routing Engine exceed the DDoS-protection policer for the sample protocol group. The policer drops the excess, which raises DDoS violation alarms and means the flow records exported for that traffic are built from only part of the samples, so the sampled traffic on egress is misrepresented.

This article provides two methods to address the issue.

Symptoms:

The following sample configuration uses jflow version 5 (RE-based sampling), which is the default when no version is specified. Note that `rate 2000` samples one packet in 2000; a smaller value samples more packets and is therefore more aggressive. The interface stanza sits under [edit interfaces]:

forwarding-options {
    sampling {
        input {
            rate 2000;
        }
        family inet {
            output {
                flow-server 192.168.1.7 {
                    port 50040;
                    source-address 172.16.1.7;
                }
            }
        }
    }
}
interfaces {
    et-9/1/0 {
        unit 100 {
            family inet {
                sampling {
                    input;
                }
                address 10.0.0.7/30;
            }
        }
    }
}
If the sampling ratio is too aggressive for the traffic level on the FPC, the copies punted to the Routing Engine exceed the per-FPC policer of the sample DDoS-protection protocol group and jddosd logs a bandwidth violation such as the following:

MX960-RE0 jddosd[4309]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:host exceeded its allowed bandwidth at fpc 9 for 421 times, started at 2019-10-25 06:39:16 UTC

RE0> show ddos-protection protocols sample

    System-wide information:
      Aggregate bandwidth is being violated!
        No. of FPCs currently receiving excess traffic: 3
        No. of FPCs that have received excess traffic:  3
        Violation first detected at: 2017-07-14 01:28:52 UTC
        Violation last seen at:      2019-10-31 10:52:21 UTC
        Duration of violation: 119w6d 09:23 Number of violations: 408
      Received:  256998378090818     Arrival rate:     4211235 pps
      Dropped:   256781115779241     Max arrival rate: 4200419728 pps
    FPC slot 9 information:
      Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled
      Aggregate policer is currently being violated!
        Violation first detected at: 2019-10-26 03:19:43 UTC
        Violation last seen at:      2019-10-31 10:52:21 UTC
        Duration of violation: 5d 07:32 Number of violations: 148
      Received:  76256068200877      Arrival rate:     1094818 pps
      Dropped:   76183582400365      Max arrival rate: 1353502433 pps
        Dropped by individual policers: 76121604713601
        Dropped by aggregate policer:   61977686764
        Dropped by flow suppression:    0
      Flow counts:
        Aggregation level     Current       Total detected   State
        Subscriber            0             0                Active

Two points when reading this output. The policer for host-bound sample packets on this router is 1000 pps per FPC, and "Dropped" counts sampled packets that never reached the Routing Engine, so the flow records exported for FPC 9 are built from only a fraction of the samples that a 1-in-2000 ratio implies. The counters are cumulative since they were last cleared (the system-wide violation here was first detected in 2017); to judge whether the condition is current, look at "Violation last seen at" and the arrival rate, or clear them with `clear ddos-protection protocols sample statistics` and check again.

Solution:

Two ways to address this issue:

  1. Make the sampling less aggressive by increasing the `rate` value under [edit forwarding-options sampling input], referring to the technical documentation on rate (Forwarding Options). Because `rate N` samples one packet in N, a larger N punts fewer packets to the Routing Engine. The sampled rate must stay below the per-FPC policer: with the 1000 pps policer shown above and rate 2000, the policer is reached once an FPC forwards more than 2 Mpps of traffic subject to sampling, which a single 100GE interface can easily exceed. After the change, confirm with `show ddos-protection protocols sample` that the arrival rate is below the policer and that no new violations are recorded.

  2. Change the jflow version to inline sampling by referring to KB27279 - Configuring sampling instance with IPv4 and IPv6 interfaces. MX routers support inline sampling (jflow version 9 or IPFIX) that is performed on the MPC hardware rather than by the RE software, so the sampled packets are not host-bound and are not subject to the sample DDoS policer. This is the preferred approach at high traffic rates, where method 1 would require an impractically large rate value.
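To turn the symptom above into a repeatable check, the following is an added Python example (not part of this KB article and not Junos code). It parses a DDOS_PROTOCOL_VIOLATION_SET syslog line and the per-FPC sections of `show ddos-protection protocols sample`, reports the fraction of samples lost per FPC, and computes the smallest `rate` value that would keep host-bound samples under the policer with 20% headroom, which is the arithmetic behind method 1. The syslog line and show output embedded in it are constructed, modelled on the format shown above; the headroom fraction and the assumption that the current sampling rate is 2000 are the example's own.

```python
import math
import re

# Constructed syslog line, modelled on the jddosd message shown in the article
# (values are made up, not from a live router).
LOG_LINE = ("Nov 23 10:52:21 MX960-RE0 jddosd[4309]: DDOS_PROTOCOL_VIOLATION_SET: "
            "Warning: Host-bound traffic for protocol/exception  Sample:host exceeded "
            "its allowed bandwidth at fpc 9 for 421 times, started at 2019-10-25 06:39:16 UTC")

# Constructed output, modelled on "show ddos-protection protocols sample" above.
SAMPLE_OUTPUT = """\
Protocol Group: Sample
    System-wide information:
      Aggregate bandwidth is being violated!
        No. of FPCs currently receiving excess traffic: 1
        No. of FPCs that have received excess traffic:  2
      Received:  12100000           Arrival rate:     5400 pps
      Dropped:   9600000            Max arrival rate: 8000 pps
    FPC slot 9 information:
      Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled
      Aggregate policer is currently being violated!
      Received:  12000000           Arrival rate:     5000 pps
      Dropped:   9600000            Max arrival rate: 8000 pps
    FPC slot 2 information:
      Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled
      Received:  100000             Arrival rate:     400 pps
      Dropped:   0                  Max arrival rate: 900 pps
"""

LOG_RE = re.compile(r"DDOS_PROTOCOL_VIOLATION_SET: .*protocol/exception\s+(\S+) "
                    r"exceeded its allowed bandwidth at fpc (\d+) for (\d+) times")
FPC_RE = re.compile(r"FPC slot (\d+) information:")
BW_RE = re.compile(r"Bandwidth:\s+\d+% \((\d+) pps\)")
RECV_RE = re.compile(r"Received:\s+(\d+)\s+Arrival rate:\s+(\d+) pps")
DROP_RE = re.compile(r"Dropped:\s+(\d+)\s+Max arrival rate:\s+(\d+) pps")


def parse_violation_log(line):
    """Return (protocol, fpc, count) from a DDOS_PROTOCOL_VIOLATION_SET line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def parse_fpc_stats(text):
    """Return {slot: stats} for each 'FPC slot N information' section.

    Lines before the first FPC section (the system-wide totals) are skipped.
    """
    stats, current = {}, None
    for line in text.splitlines():
        m = FPC_RE.search(line)
        if m:
            current = int(m.group(1))
            stats[current] = {"violated": False}
            continue
        if current is None:
            continue
        if (m := BW_RE.search(line)):
            stats[current]["policer_pps"] = int(m.group(1))
        elif (m := RECV_RE.search(line)):
            stats[current]["received"] = int(m.group(1))
            stats[current]["arrival_pps"] = int(m.group(2))
        elif (m := DROP_RE.search(line)):
            stats[current]["dropped"] = int(m.group(1))
            stats[current]["max_arrival_pps"] = int(m.group(2))
        elif "is currently being violated" in line:
            stats[current]["violated"] = True
    return stats


def required_rate(fpc, configured_rate, headroom=0.2):
    """Smallest 'rate N' (one packet in N) keeping sampled pps under the policer.

    Sampled pps = traffic_pps / N, and traffic_pps ~= max_arrival_pps * current N
    (arrival is what the PFE tried to punt, counted before the policer drops),
    so N >= max_arrival_pps * current_N / (policer_pps * (1 - headroom)).
    The 20% headroom is this example's choice, not a Junos default.
    """
    budget = fpc["policer_pps"] * (1.0 - headroom)
    return math.ceil(fpc["max_arrival_pps"] * configured_rate / budget)


def assess(text, configured_rate):
    """Per-FPC verdict: policer violated, fraction of samples lost, rate needed."""
    report = {}
    for slot, fpc in parse_fpc_stats(text).items():
        lost = fpc["dropped"] / fpc["received"] if fpc.get("received") else 0.0
        report[slot] = {
            "violated": fpc["violated"],
            "drop_ratio": round(lost, 3),
            "rate_needed": required_rate(fpc, configured_rate),
        }
    return report


if __name__ == "__main__":
    print("syslog:", parse_violation_log(LOG_LINE))
    for slot, r in sorted(assess(SAMPLE_OUTPUT, 2000).items()):
        print(f"fpc{slot}: violated={r['violated']} samples lost={r['drop_ratio']:.1%} "
              f"needs rate >= {r['rate_needed']}")
```

Run against the real output of your router (for example by piping `show ddos-protection protocols sample | no-more` into a file) with the rate currently configured. Where the computed value for a busy FPC is far above anything you would accept as a sampling ratio, that is the quantitative case for method 2: the RE-based path cannot keep up, and inline sampling on the MPC removes the host-bound bottleneck instead of diluting the samples.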
