Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[MX] Syslog message - DDOS_PROTOCOL_VIOLATION_SET: Host-bound traffic for protocol/exception exceptions:mtu-exceeded

0

0
Article ID: KB35624 KB Last Updated: 31 Mar 2020Version: 1.0 Summary:

This article gives the reason for distributed denial of service (DDoS) violation logs with the message protocol/exception exceptions:mtu-exceeded exceeded its allowed bandwidth, and indicates what must be done to resolve the violation.

 

Symptoms:

The following message logs were reported on a periodic basis for the FPC:

Mar 25 16:18:56  router jddosd[7631]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  
exceptions:mtu-exceeded exceeded its allowed bandwidth at fpc 0 for 6 times, started at 2020-03-25 16:18:56 CST
Mar 25 16:18:58  router jddosd[7631]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception
exceptions:aggregate exceeded its allowed bandwidth at fpc 0 for 4 times, started at 2020-03-25 16:18:57 CST

The following command output indicates any currently violated DDoS protocols:

user@router> show ddos-protection protocols violations
Packet types: 227, Currently violated: 2

Protocol    Packet      Bandwidth  Arrival   Peak      Policer bandwidth
group       type        (pps)      rate(pps) rate(pps) violation detected at
exception   aggregate   250        300       600       2020-03-25 16:18:57 CST
          Detected on: FPC-0
exception   mtu-exceed  250        300       600       2020-03-25 16:18:56 CST
          Detected on: FPC-0

If SCFD (flow detection) has been enabled as described in KB29408 - [MX/T] Configuring ddos-protection flow-detection to log interface and source address information, you can also find the following log:

Mar 25 16:18:57  router jddosd[7631]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on pp0.3221225479 with source
 addr 48.0.0.2 is found at 2020-03-25 16:18:55 CST

The following command output checks currently detected DDoS flows:

user@router> show ddos-protection protocols culprit-flows
Currently tracked flows: 1, Total detected flows: 7

Protocol    Packet      Arriving            Source Address
group       type        Interface           MAC or IP
exception   mtu-exceed  pp0.3221225479      48.0.0.2
   sub:0000000000000006 2020-03-25 16:18:55 CST pps:300   pkts:12396

 

Cause:

If the packet size exceeds output interface IP MTU and the DF bit has also been set, the packet will be discarded by default. The ddos-protection bandwidth is 250 pps and if exception mtu-exceed traffic rate exceeds this limit, DDoS violation is triggered.

Note: The ddos-protection protocols exception bandwidth can be modified. To find the default value currently set, use the following command:

user@router> show ddos-protection protocols exceptions mtu-exceeded
Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: exceptions

  Packet type: mtu-exceeded (Packets exceeded MTU)
    Individual policer configuration:
      Bandwidth:        250 pps           <<<<<default value
      Burst:            250 packets
      Priority:         High
<snip>

 

Solution:

To troubleshoot and resolve the issue, perform the following:

  1. Enable flow detection to find the traffic source address.

user@router> show ddos-protection protocols culprit-flows
Currently tracked flows: 1, Total detected flows: 7

Protocol    Packet      Arriving            Source Address
group       type        Interface           MAC or IP
exception   mtu-exceed  pp0.3221225479      48.0.0.2 <<<<this is traffic source address
   sub:0000000000000006 2020-03-25 16:18:55 CST pps:300   pkts:12396

  1. Determine the interface of the source address.

user@router> show route 48.0.0.2

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

48.0.0.0/24        *[Direct/0] 00:04:52
                    >  via xe-0/3/0.10
  1. After determining the interface information, check whether the peer interface IP MTU is set to a large value.

  2. If it is set to a large or unequal value, it is better to set the same IP MTU on both sides or clear the DF bit.

  1. Use the following example to change the IP MTU after checking the peer device and getting the correct value.

Example to change physical interface MTU:

user@router # set interfaces xe-0/3/0 mtu 1400

Example to change logical interface IP MTU:

user@router # set interfaces xe-0/3/0.10 family inet mtu 1400

  1. If you cannot get the peer device interface value, and the DF bit can be cleared, use the following method to resolve this issue:

user@router # show firewall
family inet {
    filter if-input {
        interface-specific;
        enhanced-mode;
        term 1 {
            then {
                accept;
                dont-fragment clear;     
            }
        }
    }
}
user@router # show interfaces xe-0/3/0.10
vlan-id 10;
family inet {
    filter {
        input if-input;
    }
    address 48.0.0.1/24;
}

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search