I don't know how many of you have configured local attack defense on your boxes, but I've discovered an interesting case. If you set the auto-defend threshold to a small value, like 16 pps (default is 128 pps), you will frequently start to receive this kind of log:
User attack occurred.......(AttackPackets=16 packets per second)
In addition, the ttl-expired counter increases every time an attack occurs.
So I decided to capture the packets using flow mirroring every time an attack occurred.
In Wireshark I can only find OSPF packets: keepalive, LSA update and LSA ack. So I concluded that every time OSPF LSA update/ack events occur, the logs will report them as an attack. When I modified it to 128, no attack event occurred.
PIM, OSPF or LDP packets have TTL field = 1 when they reach the peer device, so they will first be treated as ttl-expired packets, but will then be processed by the protocol stack after the TTL check.
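
An added example, not part of the original post: a small triage script that counts packets per source per second in a capture summary and shows which protocols fill the windows that reach the auto-defend threshold. The packet records, the address 192.0.2.1, the function names and the "count >= threshold" trigger rule are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# IANA IP protocol numbers: OSPF is 89, PIM is 103.
CONTROL_PLANE = {89: "OSPF", 103: "PIM"}

def build_sample():
    """Constructed capture summary: (time_s, source_ip, ip_proto, ttl)."""
    pkts = []
    # OSPF hellos every 10 s from one neighbour (documentation address).
    for t in range(0, 30, 10):
        pkts.append((float(t), "192.0.2.1", 89, 1))
    # An LSA update/ack burst: 20 OSPF packets inside second 12.
    for i in range(20):
        pkts.append((12.0 + i * 0.04, "192.0.2.1", 89, 1))
    return pkts

def flagged_windows(pkts, threshold):
    """Return {(src, second): Counter of 'PROTO/ttl=N'} for each one-second
    window in which a source reaches `threshold` packets (assumed rule: >=)."""
    windows = defaultdict(list)
    for t, src, proto, ttl in pkts:
        windows[(src, int(t))].append((proto, ttl))
    out = {}
    for key, items in windows.items():
        if len(items) >= threshold:
            out[key] = Counter(
                CONTROL_PLANE.get(p, f"proto-{p}") + f"/ttl={ttl}" for p, ttl in items
            )
    return out

def only_routing_ttl1(flagged):
    """True when at least one window is flagged and every packet in every
    flagged window is a known control-plane protocol carrying TTL 1."""
    names = {f"{n}/ttl=1" for n in CONTROL_PLANE.values()}
    return bool(flagged) and all(set(c) <= names for c in flagged.values())

if __name__ == "__main__":
    sample = build_sample()
    for thr in (16, 128):  # the two thresholds compared in the post
        hits = flagged_windows(sample, thr)
        print(thr, dict(hits), only_routing_ttl1(hits))
```

A flagged window that contains anything other than TTL 1 routing-protocol packets from a known neighbour is the case that deserves a closer look before raising the threshold.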