Monday, May 27, 2013

Controlling large flows with OpenFlow

Performance aware software defined networking describes how sFlow and OpenFlow can be combined to create SDN applications such as  DDoS mitigationload balancing large flows, and packet capture. This article takes a deep dive, describing how to build a test bed for developing performance aware SDN applications. The test bed is used to build and test a basic DDoS mitigation application and demonstrate how quickly the controller can adapt the network changing traffic conditions.

Test bed

Mininet uses Linux containers and Open vSwitch to allow realistic virtual networks of hosts and switches to be constructed using a virtual machine. Mininet is widely used by SDN researchers since it allows anyone with a laptop to build realistic network topologies and experiment with OpenFlow controllers and SDN applications.

The Floodlight OpenFlow Controller was selected for the test bed because its default behavior is to provide basic connectivity which can be selectively overridden using the Static Flow Pusher API. This separation allows simple performance optimizing applications to be developed since they don't need to concern themselves with maintaining connectivity and are free to focus on implementing optimizations. The Static Flow Pusher provides an example of hybrid OpenFlow (in which OpenFlow is used to selectively override forwarding decisions made by the normal switch forwarding logic). This makes it straightforward to move applications from the test bed to physical switches that support hybrid OpenFlow control. Finally, Floodlight is one of the most mature platforms used in production settings, so any applications developed on the test bed can be easily moved into production.

There are a number of ways to get started, both the Mininet and Floodlight projects distribute a pre-built virtual machine (VM) appliance (the Floodlight VM includes Mininet). Alternatively, it is straightforward to build an Ubuntu 13.04 virtual machine and install Mininet using apt-get (this is the route the author took to build a Mininet VM on a XenServer pool).

Once you have a system with Mininet and Floodlight installed, download and install sFlow-RT:
wget http://www.inmon.com/products/sFlow-RT/sflow-rt.tar.gz
tar -xvzf sflow-rt.tar.gz
And finally, this example will be using node.js as the application language. Node.js is well suited for implementing SDN applications. Its asynchronous IO model supports a high degree of parallelism, allowing the SDN application to interact with multiple controllers, monitoring systems, databases etc. without blocking, resulting in a fast and consistent response time that makes it well suited for control applications.

The following command installs node.js:
sudo apt-get install nodejs
For development, it is helpful to run each tool in a separate window so that you can see an logging messages (in a production setting processes would be daemonized).

1. Start Floodlight
cd floodlight
./floodlight.sh
2. Start Mininet, specifying Floodlight as the controller
sudo mn --controller=remote,ip=127.0.0.1
*** Creating network
*** Adding controller
*** Adding hosts:
h1 h2 
*** Adding switches:
s1 
*** Adding links:
(h1, s1) (h2, s1) 
*** Configuring hosts
h1 h2 
*** Starting controller
*** Starting 1 switches
s1 
*** Starting CLI:
mininet>
3. Configure sFlow monitoring on each of the switches:
sudo ovs-vsctl -- --id=@sflow create sflow agent=eth0  target=\"127.0.0.1:6343\" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow
4. Start sFlow-RT
cd sflow-rt
./start.sh
By default, Floodlight provides a basic layer 2 switching service, ensuring connectivity between hosts connected to the OpenFlow switches. Connectivity can be verified using the Mininet command line:
mininet> h1 ping h2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_req=1 ttl=64 time=36.7 ms
64 bytes from 10.0.0.2: icmp_req=2 ttl=64 time=0.159 ms
There are many options for using the Mininet test bed, previous articles on this blog have used Python to develop applications and different SDN controllers can be installed. For example, the PyTapDEMon series of articles describes the uses Python, POX (an OpenFlow controller written in Python) and Mininet to recreate the Microsoft DEMon SDN packet broker.

DDoS mitigation application

The following node.js script is based on the Python script described in Performance Aware Software Defined Networking.
var fs = require("fs");
var http = require('http');

var keys = 'inputifindex,ethernetprotocol,macsource,macdestination,ipprotocol,ipsource,ipdestination';
var value = 'frames';
var filter = 'sourcegroup=external&destinationgroup=internal&outputifindex!=discard';
var thresholdValue = 100;
var metricName = 'ddos';

// mininet mapping between sFlow ifIndex numbers and switch/port names
var ifindexToPort = {};
var nameToPort = {};
var path = '/sys/devices/virtual/net/';
var devs = fs.readdirSync(path);
for(var i = 0; i < devs.length; i++) {
  var dev = devs[i];
  var parts = dev.match(/(.*)-(.*)/);
  if(!parts) continue;

  var ifindex = fs.readFileSync(path + dev + '/ifindex');
  var port = {"switch":parts[1],"port":dev};
  ifindexToPort[parseInt(ifindex).toString()] = port;
  nameToPort[dev] = port;
}

var fl = { hostname: 'localhost', port: 8080 };

var groups = {'external':['0.0.0.0/0'],'internal':['10.0.0.2/32']};
var rt = { hostname: 'localhost', port: 8008 };
var flows = {'keys':keys,'value':value,'filter':filter};
var threshold = {'metric':metricName,'value':thresholdValue};

function extend(destination, source) {
  for (var property in source) {
    if (source.hasOwnProperty(property)) {
      destination[property] = source[property];
    }
  }
  return destination;
}

function jsonGet(target,path,callback) {
  var options = extend({method:'GET',path:path},target);
  var req = http.request(options,function(resp) {
    var chunks = [];
    resp.on('data', function(chunk) { chunks.push(chunk); });
    resp.on('end', function() { callback(JSON.parse(chunks.join(''))); });
  });
  req.end();
};

function jsonPut(target,path,value,callback) {
  var options = extend({method:'PUT',headers:{'content-type':'application/json'}
,path:path},target);
  var req = http.request(options,function(resp) {
    var chunks = [];
    resp.on('data', function(chunk) { chunks.push(chunk); });
    resp.on('end', function() { callback(chunks.join('')); });
  });
  req.write(JSON.stringify(value));
  req.end();
};

function jsonPost(target,path,value,callback) {
  var options = extend({method:'POST',headers:{'content-type':'application/json'},"path":path},target);
  var req = http.request(options,function(resp) {
    var chunks = [];
    resp.on('data', function(chunk) { chunks.push(chunk); });
    resp.on('end', function() { callback(chunks.join('')); });
  });
  req.write(JSON.stringify(value));
  req.end();
}

function lookupOpenFlowPort(agent,ifIndex) {
  return ifindexToPort[ifIndex];
}

function blockFlow(agent,dataSource,topKey) {
  var parts = topKey.split(',');
  var port = lookupOpenFlowPort(agent,parts[0]);
  if(!port || !port.dpid) return;
 
  var message = {"switch":port.dpid,
                 "name":"dos-1",
                 "ingress-port":port.portNumber.toString,
                 "ether-type":parts[1],
                 "protocol":parts[4],
                 "src-ip":parts[5],
                 "dst-ip":parts[6],
                 "priority":"32767",
                 "active":"true"};

  console.log("message=" + JSON.stringify(message));
  jsonPost(fl,'/wm/staticflowentrypusher/json',message,
      function(response) {
         console.log("result=" + JSON.stringify(response));
      });
}

function getTopFlows(event) {
  jsonGet(rt,'/metric/' + event.agent + '/' + event.dataSource + '.' + event.metric + '/json',
    function(metrics) {
      if(metrics && metrics.length == 1) {
        var metric = metrics[0];
        if(metric.metricValue > thresholdValue
           && metric.topKeys
           && metric.topKeys.length > 0) {
            var topKey = metric.topKeys[0].key;
            blockFlow(event.agent,event.dataSource,topKey);
        }
      }
    }
  );  
}

function getEvents(id) {
  jsonGet(rt,'/events/json?maxEvents=10&timeout=60&eventID='+ id,
    function(events) {
      var nextID = id;
      if(events.length > 0) {
        nextID = events[0].eventID;
        events.reverse();
        for(var i = 0; i < events.length; i++) {
          if(metricName == events[i].thresholdID) getTopFlows(events[i]);
        }
      }
      getEvents(nextID);  
    }
  );
}

// use port names to link dpid and port numbers from Floodlight
function getSwitches() {
  jsonGet(fl,'/wm/core/controller/switches/json',
    function(switches) { 
      for(var i = 0; i < switches.length; i++) {
        var sw = switches[i];
        var ports = sw.ports;
        for(var j = 0; j < ports.length; j++) {
          var port = nameToPort[ports[j].name];
          if(port) {
            port.dpid = sw.dpid;
            port.portNumber = ports[j].portNumber;
          }
        }
      }
      setGroup();
    }
  );
}

function setGroup() {
  jsonPut(rt,'/group/json',
    groups,
    function() { setFlows(); }
  );
}

function setFlows() {
  jsonPut(rt,'/flow/' + metricName + '/json',
    flows,
    function() { setThreshold(); }
  );
}

function setThreshold() {
  jsonPut(rt,'/threshold/' + metricName + '/json',
    threshold,
    function() { getEvents(-1); }
  ); 
}

function initialize() {
  getSwitches();
}

initialize();
The script should be fairly self explanatory to anyone familiar with JavaScript. The asynchronous style of programming in which the response to each call is handled by a callback function may be unfamiliar to non-Javascript programmers, but it is widely used in JavaScript and is the keys to node.js's low latency and ability to handle large numbers of concurrent requests. The sFlow-RT REST API calls and the basic logic for this script are explained in the Performance aware software defined networking article.

There are a couple of topics addressed in the script that warrant mention:

The OpenFlow protocol has its own way of identifying switches and ports on the network and an SDN application needs to be able to translate between the performance monitoring system's model of the network (identifying switches by their management IP addresses and ports by SNMP ifIndex numbers) and OpenFlow identifiers. Currently, there is no standard way to map between these two models and this deficiency needs to be addressed by the Open Networking Foundation, either through extensions to the configuration or OpenFlow protocols.

However, this script shows how to build these mappings in a Mininet environment by examining files in the /sys/devices/virtual/net directory and combining the information with data about the switches retrieved using Floodlight's /wm/core/controller/switches/json REST API call.

Finally, the sFlow data from Open vSwitch includes dropped packets. The sFlow-RT filter expression outputifindex!=discard is used to detect flows that aren't being blocked.

Results

This example uses a Ping Flood to demonstrate a basic denial of service attack.

The following Mininet command opens an terminal window connected to host h1:
mininet> xterm h1
Type the following command in the terminal to generate a ping flood between h1 and h2:
# ping -f 10.0.0.2

The sFlow-RT chart shows that without mitigation the ping flood generates a sustained traffic rate of around 6 thousand packets per second.

Next stop the ping flood attack and let the traffic settle down.

The following command runs the denial of service mitigation script:
nodejs mininet.js
Now start the ping flood again and see what happens.
The chart shows that the controller is able to respond quickly when the traffic flow exceeds the defined threshold of 100 packets per second. The mitigation control is applied within a second and instead of reaching a peak of 6 thousand packets per second, the attack is limited to a peak of 130 packets per second.

The ping flood attack is quickly detected by sFlow-RT, which notifies the mitigation application. The mitigation application retrieves details of the attack from the sFlow-RT in order to construct the following message, which is sent to the Floodlight's Static Flow Pusher:
message={"switch":"00:00:00:00:00:00:00:01","name":"dos-1","ether-type":"2048","protocol":"1","src-ip":"10.0.0.1","dst-ip":"10.0.0.2","priority":"32767","active":"true"}
The Floodlight controller then uses OpenFlow to push the rule to Open vSwitch which immediately starts dropping packets.

Note: The mitigation script doesn't automatically remove the control once the attack has been stopped, so the following command is needed to clear the controls on Floodlight:
curl http://localhost:8080/wm/staticflowentrypusher/clear/all/json

While far from a complete application, this example demonstrates that the sFlow and OpenFlow standard can be combined to build fast acting performance aware SDN applications that address important use cases, such as DDoS mitigation, large flow load balancing, multi-tenant performance isolation, traffic engineering, and packet capture. The Mininet platform provides a convenient way to develop, test and share applications addressing these use cases.

93 comments:

  1. This is great!! is there any kind of sFlow documentation for understanding the options we can use ? I am quite interested to dig deeper.

    Thanks in advance.

    ReplyDelete
    Replies
    1. The data exported by sFlow agents is described at sFlow.org: Specifications. Documentation for the sFlow-RT analyzer is included in the web interface of the software and there are a number of example on this blog. The best starting point is probably Performance aware software defined networking. Please join the sFlow-RT group to ask questions, share ideas and make suggestions.

      Delete
  2. I have the problem that I want to implement ddos like above, so I also copy and paste code to type nodejs mininet.js,but this is the error message, is the nodejs version too old?(v0.6.19)

    events.js:48
    throw arguments[1]; // Unhandled 'error' event
    ^
    Error: connect ECONNREFUSED
    at errnoException (net.js:670:11)
    at Object.afterConnect [as oncomplete] (net.js:661:19)

    ReplyDelete
    Replies
    1. Try using the version of the code included with the sFlow-RT download (extras/mininet.js).

      A connection refused error suggests that you have a firewall or some other setting that is blocking http connections to sFlow-RT (tcp port 8008) or FloodLight (tcp port 8080). Try connecting to both services using cURL to troubleshoot the connectivity issue.

      Delete
    2. thank you, I resolve this problem~
      and I have an other question that what mean above picture charts flow 7K, it's mean 7Kbyte? because I use mininet and type Iperf h1 h2 it were show about 278Mbits/sec but it's show 24K at the charts flow ,sorry I don't really know what it mean ~
      I very appreciate your reply !!!

      Delete
    3. sFlow-RT reports rates. In the chart above, the flow definition has value=frames. The chart displays frames/second, e.g. 7K value corresponds to 7K frames/second.

      If you ran this script in your environment (with the same flow definitions), then the 24K represents 24K frames / second. If you want to look at bytes /second, then set value='bytes' (you will then need to multiply the values by 8 to get bits /second).

      Delete
    4. thank you !! I know what it mean!!! I am very grateful to you~

      Delete
  3. I am trying to reproduce this experiment. I am using the scripts from extras. My nodejs version is v.0.6.12. I start the mininet.js script with: "node mininet.js". I can see all other metrics in the metrics menu, except the ddos one. Other metrics get traffic information. I appreciate any suggestions

    ReplyDelete
  4. The API for defining groups and using them in flow definitions has changed - try extras/mininet.js.

    ReplyDelete
  5. how do you display the sflow rt chart ?

    ReplyDelete
    Replies
    1. The /metric/ALL/ddos/html page in the sFlow-RT web interface trends the top ddos flow metric. This is a fairly old post, there are many newer examples that you might want to look at, see sFlow-RT

      Delete
  6. I did all the steps for DDoS generation. To see the DDoS traffic, when I type 10.0.057:8008/metric/ALL/ddos/html, I could not see the large flows. It would take me to the domain localhost:8008/metric/ALL/ddos/html. However, when I go to localhost:8008/metric/ALL/flows/html, I could see the flows of order 7M and above. I'm not sure what am I missing to see the ddos chart. Can you help me see the chart?

    ReplyDelete
    Replies
    1. The sFlow-RT APIs have changed since this article was published (in particular the way that filtering on address groups is defined). Try modifying the script with filter = 'outputifindex!=discard';

      Delete
    2. Hi Peter, I ran the mitigation script (mininet.js given above) after topology creation, sflow monitoring followed by running start.sh. The flow traffic were of the order of 450 frames/sec and it would not decrease. Is there anything to be modified in the script?
      Thanks.

      Delete
    3. Are you looking at the ddos metric (the one with filter:outputifindex!=discard)? Open vSwitch will report on traffic that dropped and so you need the filter to separate dropped from forwarded traffic and see the effect of the filtering action.

      Delete
    4. This comment has been removed by the author.

      Delete
    5. I applied the filter outputifindex!=discard in the mitigation script and now able to see ddos and flows metric. However the traffic of both the metric appears to be similar.

      Delete
  7. This comment has been removed by the author.

    ReplyDelete
  8. Hi,

    Does the mitigation script run in stand alone OS rather than a virtual machine environment?

    Thanks

    ReplyDelete
  9. Hi...
    When I type URL like (localhost:8008/metric/ALL/ddos/html) in sFLow-RT, Graph plot is not showing..

    ReplyDelete
    Replies
    1. The syntax of the groups function has changed. sFlow-RT can now have multiple named groups, i.e. /group/{name}/json

      When referring to groups in a flow definition (either in a filter or as a flow key), the syntax has changed. For example, instead of sourcegroup you would use group:insource:{name}

      Check the documentation under the sFlow-RT RESTflow tab and more recent examples on this blog for additional changes.

      Delete
  10. Hi Peter, I'm interesting with SDN and ur posting help me much. But I have many trouble when I follow ur step. May I have ur contact for fast response? I need to build a SDN network for DDOS mitigation.

    I,m confuse with sflow.port in /sflow-rt/start.sh, is that same with controller port cause I use port 6633 for controller.

    Thank u for answer

    ReplyDelete
    Replies
    1. The sFlow protocol runs over UDP, using destination port 6343 by default. sFlow and OpenFlow are separate protocols: sFlow provides measurements and OpenFlow provides control.

      Delete
  11. sorry to ask you again, i try to run your code mininet.js in my computer but i get error like this:

    for(var j = 0; j < ports.length; j++) {
    ^
    TypeError: Cannot read property 'length' of undefined

    do you know how to solved this problem?

    In another computer i run the same program but i get different error like this:
    events.js : 72
    throw er; // Unhandle 'error' event
    ^
    Error: connect ECONNREFUSED

    sorry but this problem make me so confuse. Thanks for response sir

    ReplyDelete
    Replies
    1. The first error suggests that the call to Floodlight's REST API (/wm/core/controller/switches/json) has changed or is failing. The connection refused error means that sFlow-RT, or Floodlight is not running (or there is a firewall) preventing successful REST calls.

      Delete
    2. This comment has been removed by the author.

      Delete
    3. Dear Peter,

      Thank u for ur help. I know now why i get to many errors. Before, i used floodlight version 1.0 i think that is the mistake, cause REST API version 1.0 and REST API version 0.90 are different and your code base on REST API floodlight version 0.90.

      i have changed the var filter = 'outputifindex!=discard'; too for make it run well.

      Delete
  12. This comment has been removed by the author.

    ReplyDelete
  13. This comment has been removed by the author.

    ReplyDelete
  14. Hi, I have tried this article by mininet+floodlight and running well. it was great.
    .
    but, when i tried your script on openwrt+floodlight, nothing happen when ddos attacking.
    please help me. thanks.

    ReplyDelete
    Replies
    1. Great to hear you got it working with Floodlight. I am sorry I can't be of any help with OpenDaylight - the API's have changed and I don't have any current examples.

      Delete
    2. sorry, im using floodlight too, mr Peter.
      .
      i installed openwrt on TP-Link 1043ND hardware version 2.0, and controlled it by floodlight version 0.90.
      the traffic has been graphed in sflow, but when i run your script while ddos attacking, nothing happen.
      .
      for our information, openwrt is a firmware for switch real device, https://openwrt.org/.
      i change firmware TP-Link into this openwrt so i can use openvswitch protocol with it to connect to floodlight controller.
      .
      Thanks.

      Delete
    3. i have same case as ikhwanul.

      i installed openwrt on tp-link 1043ND, floodlight & sflow is running well.

      but when i run this mininet.js, nothing happen.

      what should i do?

      Delete
    4. Did you update the script? The script as published uses old sFlow-RT API's and won't work - you need to change the way the address groups are installed and applied, i.e. change:

      'sourcegroup=external&destinationgroup=internal&outputifindex!=discard'

      to

      'group:insource:ddos=external&group:ipdestination:ddos=internal&outputifindex!=discard'

      and change the URL to install the groups from:

      /group/json

      to:

      /group/ddos/json

      Documentation and examples are at sFlow-RT.com

      Delete
  15. Hi Peter,
    Can I use your code for my thesis? Is it opensource material?
    Thanks in advance.

    ReplyDelete
    Replies
    1. You are welcome to use code published on the blog in your thesis.

      Delete
  16. After I run the mininet.js, i am getting following eror:
    ubuntu@ip-172-31-42-72:~$ nodejs mininet.js

    /home/ubuntu/mininet.js:145
    for(var j = 0; j < ports.length; j++) {
    ^
    TypeError: Cannot read property 'length' of undefined
    at /home/ubuntu/mininet.js:145:33
    at IncomingMessage. (/home/ubuntu/mininet.js:50:33)
    at IncomingMessage.EventEmitter.emit (events.js:117:20)
    at _stream_readable.js:920:16
    at process._tickCallback (node.js:415:13)
    Please help.

    ReplyDelete
    Replies
    1. The Floodlight REST API has changed since this article was published. The error message suggests that the /wm/core/controller/switches/json REST call / response has changed.

      Delete
  17. Thank you, Peter.
    I got it run on floodlight vm installed on virtualbox, however, i am still getting same error message on EC2 ubuntu instance.

    ReplyDelete
  18. Hello Peter,

    I am having the same problem as Mutalip. The Floodlight REST API call hasn't changed in the floodlight documentation (i.e. /wm/core/controller/switches/json) so I don't think the problem is there but I am at a lost trying to discover the reason the extras/mininet.js script isn't running. Can you please help?

    k/r
    Brian

    ReplyDelete
    Replies
    1. The extras/mininet.js script is incompatible with Floodlight. The script is used with sFlow-RT's internal OpenFlow controller, see Hybrid OpenFlow ECMP testbed for instructions on how to use the script.

      Delete
  19. Hi, Peter. How does the sFlow-RT calculate the threshold?? any formula involved?? I am confused with the article in http://blog.sflow.com/2013/06/large-flow-detection-script.html ..... How does the sflow-rt process flow in bytes from localhost:8008/dump/ALL/total/json and compare with threshold defined??
    Kindly advise..thanks

    ReplyDelete
    Replies
    1. The threshold is set to a packets per second limit. The limit expresses operational policy (i.e. an administratively permitted packet rate per destination IP address). There is no formula being used - the value is set based on network capacity and administrative concerns.

      sFlow-RT applies threshold to each metric instance as it is updated. The /dump command gets the current value of every instance of the metric. You could poll and apply the threshold, but you wouldn't get the same speed of response.

      Writing Applications provides an overview of the sFlow-RT APIs and how they link together.

      Delete
    2. Thanks for your reply.. let me explain my scenario..
      If I define 100000Bytes as threshold to differentiate between large flow and small flow . When i perform iperf between h1(server) and h3 (client) ,the transfer size falls between 100 and 400 MBytes and bandwidth is between 1-3 GBits/sec... However, the threshold event from localhost:8008/events/html shows different event IDs with constant value of 101200 bytes that exceeded the pre-defined threshold value. My question is how does sFlow-RT gets 101200?

      As /dump command gets current value of every instance, so each flow captured have different values. How does sFlow-RT analyse these values and compare with threshold defined?

      Kindly advise..Thanks
      ..

      Delete
    3. The 101200 bytes/second value reported with the event is the computed value of the metric at the moment data was received that drove the metric across the threshold.

      sFlow-RT checks thresholds each time it updates a metric value. The values shown using the /dump command were all checked at the time they were updated - reading them later will show different values.

      If you are interested in large flow detection then the article Large flow detection script

      Delete
  20. how do i display sflow-rt graph for ddos metric?
    localhost:8008/metric/ALL/ddos/html does not exist.
    Am i missing something?

    ReplyDelete
    Replies
    1. The flow hasn't been installed. Have you updated the flow definition to use the group:insource:ddos syntax? See previous comments.

      Delete
  21. Hi Peter,
    How can we set the threshold as bytes/sec instead of packets per second?

    Thanks,

    ReplyDelete
    Replies
    1. Change the value parameter to bytes, i.e.
      var value = 'bytes';
      and the thresholdValue will be applied to the bytes/second reported for the flow.

      Delete
  22. Hi Peter,

    I am trying to collect data to calculate the controller bandwidth utilization. Floodlight has API to show traffic on each port. But, How do I know which port is connected to controller?
    127.0.0.1:8080/wm/statistics/bandwidth///json.

    Does sFlow provide similar API?
    Thank you



    ReplyDelete
    Replies
    1. You can get the utilization of all the ports using sFlow-RT:
      http://10.0.0.66:8008/table/ALL/ifname,ifinutilization,ifoututilization/json

      If you know the specific port connected to the controller (if controller is connected to sFlow agent 10.0.0.233 on port with ifIndex 3):
      http://10.0.0.66:8008/table/10.0.0.233/3.ifinutilization,3.ifoututilization/json

      You could also define a flow to track OpenFlow traffic (TCP port 6633):
      http://sflow-rt.com/define_flow.php

      Delete
  23. How do i know which port is connected to controller? For example, i created the topology as following:
    sudo mn --controller,ip=127.0.0.1,port=6653 --switch ovsk,protocols=openflow13


    ReplyDelete
    Replies
    1. None of the Mininet switch ports are connected to the controller in your example. The OpenFlow connection between Open vSwitch and the OpenFlow controller is effectively "out of band" and doesn't cross any of the switches in the Mininet network (and is invisible to OpenFlow / sFlow monitoring of the switches).

      Delete
  24. How do i connect specific switch port to controller? Should i use different switch?

    ReplyDelete
    Replies
    1. I don't know if it is possible. You might want to ask the question on the Mininet mailing list.

      Delete
  25. This comment has been removed by the author.

    ReplyDelete
  26. Hi Peter,

    Can we count packet-in and packet out message for calculate controller bandwidth utilization?

    Thank you,

    ReplyDelete
  27. hi, could you explain? why 100?
    .
    "var thresholdValue = 100;"

    ReplyDelete
    Replies
    1. There is nothing special about the value of 100, the small threshold value was chosen so that it would reliably trigger an event in the Mininet example.

      Delete
    2. 3. Configure sFlow monitoring on each of the switches:
      sudo ovs-vsctl -- --id=@sflow create sflow agent=eth0 target=\"127.0.0.1:6343\" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow
      .
      could you explain? why we configure sampling=10 and polling=20. thank you very much.

      Delete
    3. The following article explains the sampling settings for Mininet:
      Large flow detection

      You can use the sflow.py script to automatically configure Open vSwitch sFlow settings:
      Mininet flow analytics

      And there is a dashboard that you might find useful:
      Mininet dashboard

      Delete
  28. Hi peter,

    Before i have tried this article is running well, but suddenly my laptop bluescreen and when i power on again the ddos protection didnt work. The problem is the sflow still count large flow altough i have launch mininet.js

    I have several test from change the script and change topology, but the problem still same. Should i reinstall my server?

    Regards,

    ReplyDelete
  29. Hi Peter,

    I adapted your script for ONOS controller. It works fine. What I want to do is to set a threshold for the number of different 'ipsource's (I want to detect distributed DoS atack). I tried to use value = 'count:ipsources' unfortunately this is not working. Actually I couldn't manage to use count function for any flow key. Can you suggest a way to put count function into use?

    Best regards,

    Sinan Tatlicioglu

    ReplyDelete
    Replies
    1. ipsources isn't a flow key. count:ipsource should work.

      Delete
    2. Hi Peter,

      Sorry for mis-typing. the fact is that whatever flow key I use, count function doesn't work. For this case, yes, count:ipsource doesn't work either. In my scenario I use hping3 in random source mode to simulate different ip sources and using wireshark I check out that there are hundreds of different ip sources but the metric value set as 'count:ipsource' never gets beyond 1. Maybe I am doing something wrong or maybe the count function doesn't work (I suspect this is the case because it works none of the flow keys I use, for example count:bytes never works). Please can you check and share if you find any piece of working script that can count any flow key? or can you confirm that there is something wrong with the count function?

      thanks,

      Sinan Tatlicioglu

      Delete
    3. Hi Peter,

      please cancel my previous message. I can use the count function now. my mistake was not to use "flow/json" instead of "flows/json".

      Thanks for your attention and the marvelous sflow-rt :)

      Delete
  30. Hello Peter,

    It is very useful blog.I am trying to implement same script using pox controller but i am getting error:
    net.js:639
    throw new TypeError('invalid data');
    ^

    TypeError: invalid data
    at WriteStream.Socket.write (net.js:639:11)
    at ClientRequest. (/home/sdx/sflow-rt/extras/mininet.js:47:20)
    at ClientRequest.g (events.js:273:16)
    at emitOne (events.js:90:13)
    at ClientRequest.emit (events.js:182:7)
    at HTTPParser.parserOnIncomingClient [as onIncoming] (_http_client.js:469:21)
    at HTTPParser.parserOnHeadersComplete (_http_common.js:103:23)
    at Socket.socketOnData (_http_client.js:359:20)
    at emitOne (events.js:90:13)
    at Socket.emit (events.js:182:7)
    Can you please help me?
    I am using pyretic to run my pox controller using policy.

    Thank you,

    ReplyDelete
    Replies
    1. Do you have the script modified for POX controller?

      Delete
  31. Hi Peter,
    can we use id pf request dns as key flow for monitoring dns traffic?
    Thank you,

    ReplyDelete
    Replies
    1. Yes, the sFlow-RT allows the dnsid as a flow key.

      Delete
    2. so firt i wanna thank you for the answer,
      why you didnt use openflow instead of sflow for monitoring ,there are any advantages for using this tools in monitoring ?
      and i wanna ask you if you have any article or code explain how we can use sflow to manipulate dns request/response (store ID & doing correspondence between request/response)

      Delete
    3. sFlow is a measurement technology and cannot manipulate dns requests/responses. The article, OpenFlow and sFlow, describes how sFlow and OpenFlow provide complementary visibility and control capabilities that can be combined to build control loops.

      Delete
    4. so do you have any idea how we can manipulate dns requests/responses? in such a way after receiving input data from sflow doing some manipulation in traffic dns?
      a second question is that if Can be needed in db to store sflow's input data in order to do some manipulation?

      Delete
    5. You could program an OpenFlow rule to intercept all the DNS requests and process them on your controller (e.g.
      HP Network Protector SDN Application - Introduction of the HP Network Protector Solution
      ).

      You can use sFlow-RT to profile DNS activity and push controls to your SDN controller, for example, DNS amplification attacks

      Delete
    6. First thank you for your help,
      so there are any idea how to process DNS request and response without redirect all trafic to controller because if we use this method There is a risk of generating an attack on the controller?

      Delete
    7. Hi Peter,
      you told me that sFlow-RT allows the dnsid as a flow key,but i didnt find it in "http://sflow-rt.com/define_flow.php#keys",plz if can you confirm if sFlow-RT use dnsid,Thanks a lot

      Delete
    8. The dnsid flow key was missing from the documentation. I have added it. Thanks.

      Delete
  32. sir, i am getting error while giving floodlight as controller, can u help me in this

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
  33. Hi Peter,
    Can we monitor more than one switch?

    Thank you,
    Mutalip

    ReplyDelete
    Replies
    1. Yes, you can monitor multiple switches.

      The following article describes a simpler method of configuring sFlow on all the Mininet switches and posting topology to sFlow-RT Mininet flow analytics. You might also find the Mininet dashboard useful.

      Delete
  34. http://blog.sflow.com/2013/01/performance-aware-software-defined.html
    I have done it by using this way.
    $python ddos.py
    mininet-> h1 ping -f h2
    But there is no data in http://192.168.0.185:8008/metric/ALL/ddos/html.

    ReplyDelete
    Replies
    1. The sFlow-RT APIs have changes since this, and the article you referenced, were published. The API changes are discussed in the comments on both articles.

      The main changes relate to the way address groups are defined and referenced in flow definitions.

      Delete
  35. Hi sir,

    How can i get each delta T a count number of packets per ipDestination using API REST; I need a periodic stream of data per ipDestination like that:
    T0:{ipDestination :"X0",number of packets:"N0"},T1:{ipDestination :"X0",number of packets:"N1"}

    Thanks in advance

    ReplyDelete
    Replies
    1. First, use HTTP PUT /flow/destinationframes/json to define a flow called 'destinationframes' with {keys:'ipdestination',value:'frames'}. Next, periodically query the /activeflows/ALL/destinationframes/json. The values returned by the query are in frames/second, so multiply by the polling interval to get total frames in the interval. See Writing Applications for more information.

      Delete
  36. i tried the command nodejs mininet.js but it seems not found

    module.js:328
    throw err
    cannot find module /home/test/mininet.js

    ReplyDelete
  37. Can this be made to work with POX controller?

    ReplyDelete
  38. hi Peter,
    how do i implement this " Open vSwitch will report on traffic that dropped and so you need the filter to separate dropped from forwarded traffic and see the effect of the filtering action." I already applied the filter outputifindex!=discard in the mitigation script and now able to see ddos and flows metric. However the traffic of both the metric appears to be similar.

    ReplyDelete
  39. Hello, I updated the script with the most resent API changes, I ran the ddos and it appeared on http://localhost:8008/metric/all/ddos/html then I ran the script and the mitigation was successful. The problem is that I can't repeat the simulation. Even after this command: curl http://localhost:8080/wm/staticflowentrypusher/clear/all/json
    Can you please tell me where I'm wrong, and how to make it work again?

    ReplyDelete
    Replies
    1. This is a very old article and I haven't used Floodlight or nodejs since writing it. You need to wait a period after stopping the simulated attack for sFlow-RT threshold and flow state to clear (1 minute should do it).

      There are many more recent DDoS articles that you might want to look at. The Ryu example is very similar to this article.

      Delete
    2. How did you update the script with the most recent API changes? Please help as the DOS attack is being detected by sflow-RT but the script is not working stating the below error.

      /home/mininet/floodlight/sflow-rt/extras/mininet.js:149
      for(var j = 0; j < ports.length; j++) {
      ^

      TypeError: Cannot read property 'length' of undefined
      at /home/mininet/floodlight/sflow-rt/extras/mininet.js:149:34
      at IncomingMessage. (/home/mininet/floodlight/sflow-rt/extras/mininet.js:48:33)
      at IncomingMessage.emit (events.js:203:15)
      at endReadableNT (_stream_readable.js:1145:12)
      at process._tickCallback (internal/process/next_tick.js:63:19)

      Delete
    3. I haven't looked at Floodlight or nodejs since writing this article so I can't be of much help. There are many more recent DDoS articles you might want to look at. The Ryu example is very similar to this one.

      Delete