[MX] Syslog message - "DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception Sample:aggregate exceeded its allowed bandwidth"

Article ID: KB37066 | KB Last Updated: 25 May 2021 | Version: 1.0

Summary:

This article explains the reason for distributed denial of service (DDoS) violation syslogs with the message "Host-bound traffic for protocol/exception Sample:aggregate exceeded its allowed bandwidth" being reported on MX Series routers.

Symptoms:

The following log messages are seen on the MX router:

May 21 23:45:14.595 2021  MX-router-re0 jddosd[22634]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:aggregate exceeded its allowed bandwidth at fpc 8 for 2 times, started at 2021-05-21 23:45:14 SGT
May 21 23:45:16.595 2021  MX-router-re0 jddosd[22634]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:aggregate exceeded its allowed bandwidth at fpc 5 for 1 times, started at 2021-05-21 23:45:15 SGT
May 21 23:45:18.595 2021  MX-router-re0 jddosd[22634]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:aggregate exceeded its allowed bandwidth at fpc 3 for 3 times, started at 2021-05-21 23:45:17 SGT

When you check for more logs in the log message file, you see that immediately before the message "Warning: Host-bound traffic for protocol/exception  Sample:aggregate exceeded its allowed bandwidth" for FPC8, FPC5, and FPC3, there is also a log message "Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth" reported for each of the same FPC slots.

May 21 23:45:13.595 2021  MX-router-re0 jddosd[22634]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth at fpc 8 for 3 times, started at 2021-05-21 23:45:12 SGT
May 21 23:45:13.595 2021  MX-router-re0 jddosd[22634]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth at fpc 3 for 4 times, started at 2021-05-21 23:45:12 SGT
May 21 23:45:13.595 2021  MX-router-re0 jddosd[22634]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth at fpc 5 for 1 times, started at 2021-05-21 23:45:13 SGT

Cause:

As described in KB28320 - [MX] Log messages indicate sampling violation even when sampling is not configured on the router, if a "then log" is configured in a firewall filter and the sampled packets are above the DDoS threshold, you will see the following syslog message:

%DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth

Sample:pfe and Sample:aggregate are both Packet types under the same Protocol group Sample.

When you run the command show ddos-protection protocols sample parameters brief on the router, you see that the Protocol group "sample" includes the Packet types "aggregate," "pfe," and others. The Packet type "aggregate" is the sum of all the other Packet types listed below it.

If ddos-protection protocols sample is not configured, by default, the bandwidth value is 1000 for each Packet type, as shown below:

labroot@MX-re0> show ddos-protection protocols sample parameters brief   
Packet types: 6, Modified: 0
* = User configured value
 
Protocol    Packet      Bandwidth Burst  Priority Recover   Policer  Bypass FPC
group       type        (pps)     (pkts)          time(sec) enabled  aggr.  mod
sample      aggregate   1000      1000   --       300       yes      --     no
sample      syslog      1000      1000   Medium   300       yes      no     no
sample      host        1000      1000   Medium   300       yes      no     no
sample      pfe         1000      1000   Medium   300       yes      no     no
sample      tap         1000      1000   Medium   300       yes      no     no
sample      sflow       1000      1000   Medium   300       yes      no     no

So, with the default values shown above, if "Sample:pfe" reports that the allowed bandwidth has been exceeded, then "Sample:aggregate" should also report that the bandwidth has been exceeded, with the log message "Host-bound traffic for protocol/exception Sample:aggregate exceeded its allowed bandwidth".

This is why both log messages ("Sample:pfe" and "Sample:aggregate") are reported in syslog.
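
The pairing described above can be checked mechanically when triaging these messages. The following Python code is an added example, not Juniper code: it parses jddosd violation lines in the format shown in this article and reports, for each aggregate violation, which individual packet types of the same protocol group violated on the same FPC shortly before it. The function names, the 5-second correlation window and the third sample log line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# First two lines are copied from this article; the third (fpc 2) is constructed
# to show an aggregate violation with no preceding individual packet-type violation.
SAMPLE_LOG = """\
May 21 23:45:13.595 2021  MX-router-re0 jddosd[22634]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:pfe exceeded its allowed bandwidth at fpc 8 for 3 times, started at 2021-05-21 23:45:12 SGT
May 21 23:45:14.595 2021  MX-router-re0 jddosd[22634]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:aggregate exceeded its allowed bandwidth at fpc 8 for 2 times, started at 2021-05-21 23:45:14 SGT
May 21 23:50:00.100 2021  MX-router-re0 jddosd[22634]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  Sample:aggregate exceeded its allowed bandwidth at fpc 2 for 1 times, started at 2021-05-21 23:50:00 SGT
"""

# Matches jddosd violation messages in the format shown in this article.
VIOLATION = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+ \d{4})\s+\S+ jddosd\[\d+\]: "
    r"%DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: .*?protocol/exception\s+"
    r"(?P<group>\w+):(?P<ptype>[\w-]+) exceeded its allowed bandwidth "
    r"at fpc (?P<fpc>\d+)"
)

def parse(log_text):
    """Return sorted (timestamp, group, packet_type, fpc) tuples."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f %Y")
            events.append((ts, m["group"], m["ptype"], int(m["fpc"])))
    return sorted(events)

def explain_aggregate(events, window=timedelta(seconds=5)):
    """For each <group>:aggregate violation, list individual packet types of
    the same group that violated on the same FPC within `window` before it.
    The 5-second window is an assumption, not a Junos value."""
    results = []
    for ts, group, ptype, fpc in events:
        if ptype != "aggregate":
            continue
        causes = sorted({p for t, g, p, f in events
                         if g == group and f == fpc and p != "aggregate"
                         and timedelta(0) <= ts - t <= window})
        results.append((fpc, f"{group}:aggregate", causes))
    return results

if __name__ == "__main__":
    for fpc, name, causes in explain_aggregate(parse(SAMPLE_LOG)):
        verdict = f"explained by {causes}" if causes else "no individual violation logged, review"
        print(f"fpc {fpc}: {name} {verdict}")
```

An empty list for an FPC means the log holds no individual packet-type violation that accounts for the aggregate message; the show ddos-protection protocols sample violations command listed in the Solution section is the place to look next.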

Solution:

No action is required in this case because this is not a DDoS attack, nor does it indicate an error condition. This log message is only for information purposes.

Customers can use the following command to check the ddos-protection bandwidth threshold. The command can also be used to display individual packet type information as shown below:

labroot@MX-re0> show ddos-protection protocols sample ?
Possible completions:
  <[Enter]>            Execute this command
  |                    Pipe through a command
  parameters           Show Sample protocol parameters
  statistics           Show Sample statistics and states
  violations           Show Sample traffic violations
  flow-detection       Show Sample flow detection parameters
  culprit-flows        Show Sample culprit flows
  aggregate            Show aggregate for all sampled traffic information
  syslog               Show Syslog sample traffic information
  host                 Show Host sample traffic information
  pfe                  Show PFE sample traffic information
  tap                  Show Tap sample traffic information
  sflow                Show Sflow sample traffic information

For information about Sample:aggregate, the command show ddos-protection protocols sample aggregate can be used:

labroot@MX-re0> show ddos-protection protocols sample aggregate               
Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: Sample
 
  Packet type: aggregate (Aggregate for all sample traffic)
    Aggregate policer configuration:
      Bandwidth:        1000 pps
      Burst:            1000 packets
      Recover time:     300 seconds
      Enabled:          Yes
    System-wide information:
      Aggregate bandwidth is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
    Routing Engine information:
      Bandwidth: 1000 pps, Burst: 1000 packets, enabled
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
    FPC slot 3 information:
      Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled
      Hostbound queue 255
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0
    FPC slot 12 information:
      Bandwidth: 100% (1000 pps), Burst: 100% (1000 packets), enabled
      Hostbound queue 255
      Aggregate policer is never violated
      Received:  0                   Arrival rate:     0 pps
      Dropped:   0                   Max arrival rate: 0 pps
        Dropped by individual policers: 0
        Dropped by flow suppression:    0