This article explains why distributed denial of service (DDoS) protection logs a violation with the message "protocol/exception exceptions:mtu-exceeded exceeded its allowed bandwidth", and what must be done to resolve the violation.
The following messages were logged repeatedly for the FPC:
Mar 25 16:18:56 router jddosd[7631]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception exceptions:mtu-exceeded exceeded its allowed bandwidth at fpc 0 for 6 times, started at 2020-03-25 16:18:56 CST
Mar 25 16:18:58 router jddosd[7631]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception exceptions:aggregate exceeded its allowed bandwidth at fpc 0 for 4 times, started at 2020-03-25 16:18:57 CST
The following command output lists the DDoS protocols that are currently in violation:
user@router> show ddos-protection protocols violations
Packet types: 227, Currently violated: 2

Protocol    Packet       Bandwidth  Arrival    Peak       Policer bandwidth
group       type         (pps)      rate(pps)  rate(pps)  violation detected at
exception   aggregate    250        300        600        2020-03-25 16:18:57 CST
  Detected on: FPC-0
exception   mtu-exceed   250        300        600        2020-03-25 16:18:56 CST
  Detected on: FPC-0
If SCFD (suspicious control flow detection) has been enabled as described in KB29408 - [MX/T] Configuring ddos-protection flow-detection to log interface and source address information, you will also find the following log, which names the ingress logical interface and the source address of the offending flow:
Mar 25 16:18:57 router jddosd[7631]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on pp0.3221225479 with source addr 48.0.0.2 is found at 2020-03-25 16:18:55 CST
The following command output lists the DDoS flows currently being tracked:
user@router> show ddos-protection protocols culprit-flows
Currently tracked flows: 1, Total detected flows: 7

Protocol    Packet       Arriving          Source Address
group       type         Interface         MAC or IP
exception   mtu-exceed   pp0.3221225479    48.0.0.2
  sub:0000000000000006 2020-03-25 16:18:55 CST pps:300 pkts:12396
A packet larger than the egress interface's IP MTU cannot be forwarded as it is. If its DF (Don't Fragment) bit is also set, it cannot be fragmented either, so it is handled as an mtu-exceeded exception on the host-bound path and is discarded by default. The ddos-protection policer for this exception type allows 250 pps; when mtu-exceeded traffic arrives faster than that (300 pps in the output above), the DDoS violation is raised.
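The two jddosd messages above carry everything needed to turn a violation into an actionable alert: the violated packet type and FPC from DDOS_PROTOCOL_VIOLATION_SET, and the ingress interface plus source address from DDOS_SCFD_FLOW_FOUND. The following Python script is an added example, not part of the original article or of Junos; it parses constructed copies of the article's log lines (joined back onto single lines) and correlates them per protocol. The treatment of the group-level "exceptions:aggregate" policer (attributed to the flows of the individual packet types in the same group) is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed copies of the jddosd syslog lines shown in this article.
SAMPLE_LOGS = """\
Mar 25 16:18:56 router jddosd[7631]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception exceptions:mtu-exceeded exceeded its allowed bandwidth at fpc 0 for 6 times, started at 2020-03-25 16:18:56 CST
Mar 25 16:18:57 router jddosd[7631]: DDOS_SCFD_FLOW_FOUND: A new flow of protocol exceptions:mtu-exceeded on pp0.3221225479 with source addr 48.0.0.2 is found at 2020-03-25 16:18:55 CST
Mar 25 16:18:58 router jddosd[7631]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception exceptions:aggregate exceeded its allowed bandwidth at fpc 0 for 4 times, started at 2020-03-25 16:18:57 CST
"""

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+"

# Violation: which protocol group:packet-type, on which FPC, how many times.
VIOLATION_RE = re.compile(
    r"DDOS_PROTOCOL_VIOLATION_SET: .*?protocol/exception (?P<proto>\S+) "
    r"exceeded its allowed bandwidth at fpc (?P<fpc>\d+) for (?P<count>\d+) times, "
    r"started at (?P<started>" + TIMESTAMP + r")"
)
# SCFD flow: which ingress logical interface and source address carried the flow.
FLOW_RE = re.compile(
    r"DDOS_SCFD_FLOW_FOUND: A new flow of protocol (?P<proto>\S+) on (?P<ifl>\S+) "
    r"with source addr (?P<src>\S+) is found at (?P<found>" + TIMESTAMP + r")"
)


def parse_jddosd(text):
    """Return (violations, flows) parsed from jddosd syslog text; unrelated lines are ignored."""
    violations, flows = [], []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            v = m.groupdict()
            v["fpc"] = int(v["fpc"])
            v["count"] = int(v["count"])
            violations.append(v)
            continue
        m = FLOW_RE.search(line)
        if m:
            flows.append(m.groupdict())
    return violations, flows


def correlate(violations, flows):
    """Map each violated protocol to the culprit (interface, source) pairs SCFD reported.
    Assumption of this example: 'group:aggregate' is the group-level policer and has no flows
    of its own, so it is attributed to the flows of the packet types within that group."""
    by_proto = defaultdict(list)
    for f in flows:
        by_proto[f["proto"]].append(f)
    report = {}
    for v in violations:
        proto = v["proto"]
        if proto.endswith(":aggregate"):
            group = proto.split(":", 1)[0] + ":"
            culprits = [f for p, fs in by_proto.items() if p.startswith(group) for f in fs]
        else:
            culprits = by_proto.get(proto, [])
        report[proto] = {
            "fpc": v["fpc"],
            "count": v["count"],
            "culprits": sorted({(f["ifl"], f["src"]) for f in culprits}),
        }
    return report


def summarize(text):
    """One-call entry point: parse the log text and correlate violations with flows."""
    violations, flows = parse_jddosd(text)
    return correlate(violations, flows)


if __name__ == "__main__":
    for proto, info in summarize(SAMPLE_LOGS).items():
        who = ", ".join(f"{src} via {ifl}" for ifl, src in info["culprits"])
        who = who or "no SCFD flow logged (enable flow-detection)"
        print(f"{proto}: fpc {info['fpc']}, {info['count']} violations, culprit(s): {who}")
```

Run against a syslog feed, the empty-culprit branch is the useful signal: a violation with no matching DDOS_SCFD_FLOW_FOUND line means flow detection is not enabled and the source cannot be identified from the logs alone.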
Note: The bandwidth of the ddos-protection exceptions policers can be changed. To see the value currently in effect (the default unless it is marked with *), use the following command:
user@router> show ddos-protection protocols exceptions mtu-exceeded
Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: exceptions
Packet type: mtu-exceeded (Packets exceeded MTU)
Individual policer configuration:
Bandwidth: 250 pps <<<<<default value
Burst: 250 packets
Priority: High
<snip>
To troubleshoot and resolve the issue, perform the following:
- Enable flow detection (see KB29408 referenced above) to find the traffic source address.
user@router> show ddos-protection protocols culprit-flows
Currently tracked flows: 1, Total detected flows: 7

Protocol    Packet       Arriving          Source Address
group       type         Interface         MAC or IP
exception   mtu-exceed   pp0.3221225479    48.0.0.2 <<<<this is traffic source address
  sub:0000000000000006 2020-03-25 16:18:55 CST pps:300 pkts:12396
- Determine the interface through which the source address is reached.
user@router> show route 48.0.0.2
inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
48.0.0.0/24 *[Direct/0] 00:04:52
> via xe-0/3/0.10
- After determining the interface, check the IP MTU configured on the peer's interface and whether it is larger than the IP MTU on this router's interface.
- If the peer's IP MTU is larger than, or otherwise different from, the local one, either configure the same IP MTU on both sides or clear the DF bit. Matching the MTUs is the cleaner fix: clearing DF lets this router fragment the traffic instead of dropping it, but it also defeats path MTU discovery for the sender, which relies on DF being honoured.
- Use one of the following examples to change the IP MTU once you have checked the peer device and know the correct value. Note that the logical interface's family inet MTU must not exceed the physical interface MTU minus the Layer 2 encapsulation overhead (14 bytes for untagged Ethernet, 18 bytes for VLAN-tagged), so the two examples are alternatives and cannot both be set to the same value.
Example to change the physical interface MTU:
user@router # set interfaces xe-0/3/0 mtu 1400
Example to change the logical interface IP MTU:
user@router # set interfaces xe-0/3/0.10 family inet mtu 1400
- If you cannot obtain the peer device's interface value and clearing the DF bit is acceptable, use the following firewall filter, applied as an input filter on the interface where the traffic arrives (xe-0/3/0.10 in this example):
user@router # show firewall
family inet {
filter if-input {
interface-specific;
enhanced-mode;
term 1 {
then {
accept;
dont-fragment clear;
}
}
}
}
user@router # show interfaces xe-0/3/0.10
vlan-id 10;
family inet {
filter {
input if-input;
}
address 48.0.0.1/24;
}
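To make the mechanism behind the two fixes concrete, the following Python script is an added example, not part of the original article or of Junos. It builds a constructed IPv4 header, classifies it against an egress IP MTU the way the article describes (fits: forward; too big without DF: fragment; too big with DF: mtu-exceeded exception), and models what the filter action dont-fragment clear does to the header: the DF bit is cleared and the header checksum recomputed, after which the same packet falls into the fragment case instead of the exception path. The addresses, sizes and header field values are sample values chosen for the example.

```python
import struct

IP_DF = 0x4000  # Don't Fragment bit in the IPv4 flags/fragment-offset field (RFC 791)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload_len: int, df: bool = True) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum.
    Identification (0x1234), TTL (64) and protocol (17, UDP) are fixed sample values."""
    total_len = 20 + payload_len
    flags_frag = IP_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, 17, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def has_df(hdr: bytes) -> bool:
    """True if the DF bit is set in the flags field (bytes 6-7)."""
    return bool(struct.unpack("!H", hdr[6:8])[0] & IP_DF)


def clear_df(hdr: bytes) -> bytes:
    """Model of the filter action 'dont-fragment clear': clear DF, then recompute the
    header checksum over the modified header (a stale checksum would be a corrupt packet)."""
    flags_frag = struct.unpack("!H", hdr[6:8])[0] & ~IP_DF & 0xFFFF
    zeroed = hdr[:6] + struct.pack("!H", flags_frag) + hdr[8:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def egress_decision(hdr: bytes, egress_ip_mtu: int) -> str:
    """Classify a packet against the egress interface's IP MTU.
    'mtu-exceeded' is the case the article is about: too large to forward and DF set,
    so the packet cannot be fragmented and becomes a host-bound exception."""
    total_len = struct.unpack("!H", hdr[2:4])[0]
    if total_len <= egress_ip_mtu:
        return "forward"
    if has_df(hdr):
        return "mtu-exceeded"
    return "fragment"


if __name__ == "__main__":
    # Constructed sample: a 1600-byte DF packet from the culprit address towards a 1500-byte egress.
    pkt = build_ipv4("48.0.0.2", "10.0.0.1", payload_len=1580)
    print("before filter:", egress_decision(pkt, 1500))                        # mtu-exceeded
    print("after dont-fragment clear:", egress_decision(clear_df(pkt), 1500))  # fragment
    print("after matching MTU on both sides:", egress_decision(pkt, 1600))     # forward
```

The two branches of the demo correspond to the two fixes in the procedure: raising the egress IP MTU to match the peer makes the packet fit, while clearing DF keeps the packet oversized but moves it from the policed exception path to fragmentation.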