Hey Karl, Do you have large connected subnet, largely empty?
I believe 'resolve' is packet needing ARP resolution. I.e. you got packet to subnet address 192.0.2.42, but it did not have MAC address, so it could not be forwarded, but had to be punted to software for ARP resolution. Because it involves software it is ratelimited. Be glad it exists, for longest time resolve packets hit the DDoS policer of their protocol so if someone was hitting 192.0.2.42 with BGP packets, it hit your BGP policer, and would bring your core iBGP down, and there was nothing you could do to protect from it (resolve is not subject to lo0, for obvious reasons). 4Mbps was all it took. On 21 November 2017 at 13:01, Karl Gerhard <[email protected]> wrote: > Hello > > our syslog is getting spammed with the following messages: > jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_SET: Protocol > resolve:ucast-v4 is violated at fpc 11 for 1389 times > jddosd[12168]: %DAEMON-4-DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol > resolve:ucast-v4 has returned to normal. Violated at fpc 11 for 1389 times > > What is puzzling is that there is barely any traffic going through that > machine (like 5 MBit/s). It seems like those messages are being triggered by > random noise from the internet just by announcing a single /18. > > Is that normal? Is there a way to gracefully handle those messages (i.e. save > them into another file) without losing important information? > > Regards > Karl > _______________________________________________ > juniper-nsp mailing list [email protected] > https://puck.nether.net/mailman/listinfo/juniper-nsp -- ++ytti _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp
