DDOS_PROTOCOL_VIOLATION_SET: Protocol Rejectv6:aggregate is violated
Closed, Resolved · Public

Description

Getting this syslog message on almost all the MX routers:

DDOS_PROTOCOL_VIOLATION_SET: Protocol Rejectv6:aggregate is violated

This happens when a packet is sent toward an IP that is part of an aggregate route, but not part of a more specific route.
For example, a port scan on whole ranges, etc.

The default behavior for the router is to reply to that request with a reject packet, which could lead to overwhelming the router if sent in high amounts.

The recommended fix is to silently ignore it:

[edit routing-options aggregate]
+    defaults {
+        discard;
+    }
ayounsi created this task.Mon, Aug 28, 5:09 PM
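The mechanism described above, as an added example that is not part of the task or of Junos itself: a longest-prefix-match check over a constructed routing table (documentation prefixes, not Wikimedia's) that classifies an address sweep across the aggregate into destinations forwarded by a more-specific route and destinations that fall through to the aggregate's next hop, where the default reject answers every packet and discard drops it silently.

```python
# Added example: which destinations in a sweep hit the aggregate route's
# next hop (reject by default, discard after the fix) versus a more specific
# route. Routing table and addresses are constructed, not a real deployment.
import ipaddress
from collections import Counter

# Constructed table: one aggregate plus the more-specific routes under it.
AGGREGATE = ipaddress.ip_network("2001:db8::/32")
SPECIFICS = [ipaddress.ip_network(p) for p in (
    "2001:db8:0:1::/64",
    "2001:db8:0:2::/64",
    "2001:db8:10::/48",
)]


def longest_match(dst):
    """Return the most specific route covering dst, or None if unrouted."""
    addr = ipaddress.ip_address(dst)
    covering = [n for n in SPECIFICS if addr in n]
    if covering:
        return max(covering, key=lambda n: n.prefixlen)
    if addr in AGGREGATE:
        return AGGREGATE
    return None


def classify(destinations, aggregate_default="reject"):
    """Count what the router does per destination. With the Junos default
    ('reject') each aggregate hit generates a reject reply; with 'discard'
    the packet is dropped silently and no reply is built."""
    counts = Counter()
    for dst in destinations:
        route = longest_match(dst)
        if route is None:
            counts["no route"] += 1
        elif route == AGGREGATE:
            counts[f"aggregate -> {aggregate_default}"] += 1
        else:
            counts["forwarded"] += 1
    return counts


def sweep_aggregate(count=256):
    """Constructed scan: one address per /64 in 2001:db8:0:{0..count-1}::."""
    return [str(AGGREGATE.network_address + (i << 64)) for i in range(count)]


if __name__ == "__main__":
    for mode in ("reject", "discard"):
        print(mode, dict(classify(sweep_aggregate(), mode)))
```

Only two of the 256 swept /64s have a more-specific route, so the remaining 254 packets each trigger a reject reply under the default and nothing at all once the aggregate default is discard.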

Mentioned in SAL (#wikimedia-operations) [2017-08-28T17:11:07Z] <XioNoX> pushing "aggregate defaults discard" to cr2-knams - T174364

Mentioned in SAL (#wikimedia-operations) [2017-08-28T17:59:43Z] <XioNoX> pushing "aggregate defaults discard" to *ams - T174364

Mentioned in SAL (#wikimedia-operations) [2017-08-28T20:53:30Z] <XioNoX> pushing "aggregate defaults discard" to all the cr* routers - T174364

ayounsi closed this task as Resolved.Mon, Aug 28, 9:01 PM