Warning: Host-bound traffic for protocol/exception DHCPv4:bad-packets exceeded its allowed bandwidth

Posted byVyacheslav Leave a comment on Warning: Host-bound traffic for protocol/exception DHCPv4:bad-packets exceeded its allowed bandwidth

Once I noticed the following warnings in the Juniper MX204 logs:

show log jddosd | last 100

DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception  DHCPv4:bad-packets exceeded its allowed bandwidth at fpc 0 for 435 times, started at 2023-02-16 07:29:39 EET

DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception DHCPv4:bad-packets has returned to normal. Its allowed bandwith was exceeded at fpc 0 for 435 times, from 2023-02-16 07:29:39 EET to 2023-02-16 07:31:08 EET

By default, packets with a DHCP option length that is not equal to 1 are discarded as they are considered invalid, see RFC clause 9.6 www.rfc-editor.org/rfc/rfc2132#section-9.6

Let’s see the current violations and settings of DHCPv4:bad-packets:

show ddos-protection protocols violations
show ddos-protection protocols dhcpv4 bad-packets

  Packet type: bad-packets (DHCPv4 traffic with bad format)
    Individual policer configuration:
      Bandwidth:        0 pps
      Burst:            0 packets
      Priority:         Low
      Recover time:     300 seconds
      Enabled:          Yes

As you can see, “Bandwidth” for such packets is 0 pps, and rightly so, the fact that bad packets are dropped does not affect the operation of DHCP.

If the violation is still active, then check from which interface:

show ddos-protection protocols culprit-flows

To see the MAC addresses of users who send bad DHCP packets with a length that is not equal to 1, you can clear the current violations and look at DCHP traffic:

clear ddos-protection protocols dhcpv4 bad-packets states
monitor traffic interface et-0/0/2 no-resolve size 1500 detail matching "port 67 or 68"

In order not to see warnings about bad DHCP packets, I simply turned off their logging:

set system ddos-protection protocols dhcpv4 bad-packets disable-logging
commit comment "dhcpv4 bad-packets disable-logging"

As a last resort, if necessary, you can allow bad DCHP packets to pass through (but it is better to solve the problem with users’ devices, for example, update the user’s router firmware):

set system ddos-protection protocols dhcpv4 bad-packets bandwidth 1000
set system ddos-protection protocols dhcpv4 bad-packets burst 1000

See my other articles about Juniper

Leave a comment

Leave a Reply