
[MX] Syslog message - DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception NDPv6:invalid-hop-limit exceeded its allowed bandwidth


Article ID: KB37134 KB Last Updated: 08 Jun 2021Version: 1.0
Summary:

This article explains why the distributed denial of service (DDoS) violation syslog message "protocol/exception NDPv6:invalid-hop-limit exceeded its allowed bandwidth" is logged, and clarifies that the message can be safely ignored because it has no associated service impact.

Symptoms:

The following syslog message may be reported periodically against a Flexible PIC Concentrator (FPC):

Jun 5 05:22:44.058 2021 router-re0 jddosd[22634]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception NDPv6:invalid-hop-limit exceeded its allowed bandwidth at fpc 11 for 1 times, started at 2021-06-05 05:22:43 CST 

host@router-re0> show ddos-protection protocols violations

Packet types: 216, Currently violated: 1

Protocol    Packet      Bandwidth   Arrival     Peak        Policer bandwidth
group       type        (pps)       rate(pps)   rate(pps)   violation detected at
ndpv6       inval-hop   0           1           1           2021-06-05 05:44:24 SGT
        Detected on: FPC-11
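For operators who forward router syslog to a SIEM, the following added Python example (not part of the Juniper article) parses DDOS_PROTOCOL_VIOLATION_SET lines of the form shown above, extracts the protocol group, packet type, FPC slot and violation count, and separates the NDPv6 invalid-hop-limit violations this article describes as benign from other violations that still deserve a look. The sample log lines, hostnames, process IDs and timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines in the jddosd format shown in this article.
SAMPLE_LOGS = [
    "Jun 5 05:22:44.058 2021 router-re0 jddosd[22634]: "
    "%DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for "
    "protocol/exception NDPv6:invalid-hop-limit exceeded its allowed bandwidth "
    "at fpc 11 for 1 times, started at 2021-06-05 05:22:43 CST",
    "Jun 5 06:10:01.120 2021 router-re0 jddosd[22634]: "
    "%DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for "
    "protocol/exception ARP:aggregate exceeded its allowed bandwidth "
    "at fpc 3 for 4 times, started at 2021-06-05 06:09:58 CST",
    # Unrelated line that the parser must ignore.
    "Jun 5 06:15:44.000 2021 router-re0 sshd[1234]: Accepted publickey for admin",
]

# Field layout of the DDOS_PROTOCOL_VIOLATION_SET message as printed above.
VIOLATION_RE = re.compile(
    r"(?P<host>\S+) jddosd\[\d+\]: %DAEMON-\d-DDOS_PROTOCOL_VIOLATION_SET: "
    r"Warning: Host-bound traffic for protocol/exception "
    r"(?P<group>[^:\s]+):(?P<ptype>\S+) exceeded its allowed bandwidth "
    r"at fpc (?P<fpc>\d+) for (?P<count>\d+) times, started at (?P<started>.+)$"
)

# Protocol group / packet type pairs this article states have no service
# impact; everything else is routed to a human for review.
KNOWN_BENIGN = {("ndpv6", "invalid-hop-limit")}


@dataclass
class DdosViolation:
    host: str
    group: str
    packet_type: str
    fpc: int
    count: int
    started: str


def parse_violation(line: str) -> Optional[DdosViolation]:
    """Return the parsed violation, or None if the line is not a violation."""
    m = VIOLATION_RE.search(line)
    if m is None:
        return None
    return DdosViolation(
        host=m["host"],
        group=m["group"],
        packet_type=m["ptype"],
        fpc=int(m["fpc"]),
        count=int(m["count"]),
        started=m["started"].strip(),
    )


def is_known_benign(v: DdosViolation) -> bool:
    """True when the article documents this violation as safe to ignore."""
    return (v.group.lower(), v.packet_type.lower()) in KNOWN_BENIGN


def triage(lines: List[str]) -> Tuple[List[DdosViolation], List[DdosViolation]]:
    """Split violations into (benign, needs_review) lists, skipping other logs."""
    benign: List[DdosViolation] = []
    review: List[DdosViolation] = []
    for line in lines:
        v = parse_violation(line)
        if v is None:
            continue
        (benign if is_known_benign(v) else review).append(v)
    return benign, review


if __name__ == "__main__":
    ok, todo = triage(SAMPLE_LOGS)
    for v in ok:
        print(f"suppress: {v.group}:{v.packet_type} on FPC {v.fpc} ({v.count}x)")
    for v in todo:
        print(f"review:   {v.group}:{v.packet_type} on FPC {v.fpc} ({v.count}x)")
```

The benign list is keyed on the protocol group and packet type only, so an invalid-hop-limit violation on any FPC is suppressed while a violation for a different packet type on the same FPC still surfaces.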
Cause:

Per RFC 4861 (Neighbor Discovery for IP version 6), Neighbor Discovery packets are sent with an IPv6 Hop Limit of 255. Because every router decrements the Hop Limit when it forwards a packet, a Neighbor Discovery packet that still carries 255 cannot have passed through a router, and one that carries a lower value is rejected.

The default ddos-protection bandwidth and burst for the NDPv6 invalid-hop-limit packet type are both 0, so whenever the device receives an IPv6 Neighbor Discovery packet with a hop limit below 255, the DDoS protection policer registers a violation and discards the packet.

user@router-re0> show ddos-protection protocols ndpv6 invalid-hop-limit
Currently tracked flows: 0, Total detected flows: 0
* = User configured value
Protocol Group: NDPv6
 
Packet type: invalid-hop-limit (NDPv6 with invalid hop limit)
Individual policer configuration:
Bandwidth:        0 pps              <<<--Default value
Burst:            0 packets          <<<--Default value
Priority:        Low
Recover time:    300 seconds
Enabled:          Yes
Bypass aggregate: No
<snip>
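The check behind the invalid-hop-limit packet type, as an added Python example that is not Juniper's code: it builds constructed IPv6/ICMPv6 packets and classifies each one the way the policer does, treating a Neighbor Discovery message (ICMPv6 types 133 to 137) with a hop limit other than 255 as an invalid-hop-limit packet and leaving non-NDP traffic to other policers. The example assumes ICMPv6 follows the fixed IPv6 header directly (no extension headers), and the ICMPv6 checksum in the constructed packets is left as zero because it is irrelevant to the hop-limit decision.

```python
import ipaddress
import struct
from enum import Enum
from typing import List, Dict

ICMPV6_NEXT_HEADER = 58
IPV6_HEADER_LEN = 40
ICMPV6_HEADER_LEN = 4
# RFC 4861 message types: RS, RA, NS, NA, Redirect.
NDP_TYPES = {133, 134, 135, 136, 137}
REQUIRED_NDP_HOP_LIMIT = 255


class Verdict(Enum):
    MALFORMED = "malformed"
    NOT_NDP = "not-ndpv6"
    VALID = "ndpv6"
    INVALID_HOP_LIMIT = "ndpv6:invalid-hop-limit"


def build_ipv6_icmpv6(icmp_type: int, hop_limit: int, src: str, dst: str,
                      body: bytes = b"") -> bytes:
    """Constructed IPv6 + ICMPv6 packet; checksum left at zero on purpose."""
    payload = struct.pack("!BBH", icmp_type, 0, 0) + body
    header = struct.pack(
        "!IHBB16s16s",
        0x60000000,                       # version 6, traffic class 0, flow label 0
        len(payload),                     # payload length
        ICMPV6_NEXT_HEADER,               # next header = ICMPv6
        hop_limit,
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )
    return header + payload


def classify(packet: bytes) -> Verdict:
    """Apply the RFC 4861 hop-limit rule to one raw IPv6 packet."""
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        return Verdict.MALFORMED
    next_header = packet[6]
    hop_limit = packet[7]
    # Assumption: no extension headers between IPv6 and ICMPv6.
    if next_header != ICMPV6_NEXT_HEADER:
        return Verdict.NOT_NDP
    if len(packet) < IPV6_HEADER_LEN + ICMPV6_HEADER_LEN:
        return Verdict.MALFORMED
    icmp_type = packet[IPV6_HEADER_LEN]
    if icmp_type not in NDP_TYPES:
        return Verdict.NOT_NDP
    if hop_limit != REQUIRED_NDP_HOP_LIMIT:
        return Verdict.INVALID_HOP_LIMIT
    return Verdict.VALID


def count_verdicts(packets: List[bytes]) -> Dict[str, int]:
    """Tally verdicts so the policer-style counters can be compared."""
    counts: Dict[str, int] = {v.value: 0 for v in Verdict}
    for pkt in packets:
        counts[classify(pkt).value] += 1
    return counts


# Constructed sample traffic: a Neighbor Solicitation body is 4 reserved
# bytes followed by the 16-byte target address.
NS_BODY = b"\x00" * 4 + ipaddress.IPv6Address("fe80::1").packed
SAMPLE_PACKETS = [
    build_ipv6_icmpv6(135, 255, "fe80::2", "ff02::1:ff00:1", NS_BODY),  # valid NS
    build_ipv6_icmpv6(135, 64, "fe80::2", "ff02::1:ff00:1", NS_BODY),   # hop limit too low
    build_ipv6_icmpv6(128, 64, "2001:db8::1", "2001:db8::2"),           # echo request, not NDP
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify(pkt).value)
    print(count_verdicts(SAMPLE_PACKETS))
```

The second sample packet is the case this article is about: a Neighbor Solicitation with hop limit 64 is classed as ndpv6:invalid-hop-limit, which is exactly the packet type whose policer bandwidth defaults to 0 pps, so on the router it is counted as a violation and dropped.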
Solution:

No action is required for these log messages because there is no associated service impact. The system simply drops these malformed or crafted packets.

If you do not want the system to keep reporting these DDoS violation logs, use the following configuration to disable logging for this packet type only:

user@router# set system ddos-protection protocols ndpv6 invalid-hop-limit disable-logging

Alternatively, to find the source interface and source address information, you can enable SCFD (flow detection) as described in KB29408 - [MX/T] Configuring ddos-protection flow-detection to log interface and source address information.
