Comments on sFlow: Cumulus Linux 3.4 REST API

Peter, 2017-11-29 10:55 -08:00:
Thanks. This article is on my personal blog. There is a LinkedIn link at the bottom of the right hand side column for personal information.

Networker, 2017-11-29 09:27 -08:00:
Okay, I'd like to acknowledge your help in my Master's thesis. Do you have an official website or details that I can acknowledge you through?

Peter, 2017-11-27 20:43 -08:00:
Data source 3 is the interface with SNMP ifIndex=3.

The problem with resetting the NFLOG rule each time CumulusVX adds/removes an ACL isn't a problem with real hardware (since packet sampling is performed by the ASIC and doesn't involve iptables). I don't have a fix for CumulusVX.

Networker, 2017-11-20 09:35 -08:00:
I think I have more or less troubleshot the problem of why the 2nd attack is not being mitigated. I noticed that if I don't issue the command

sudo iptables -I FORWARD -j NFLOG --nflog-group 1 --nflog-prefix SFLOW

after each attack, the next attack will not be detected or mitigated. Is there any clarification for this issue?

I was also wondering about the "data source" field in the Events page. What does it mean? For me it was showing "3".

Regards

Networker, 2017-11-20 06:47 -08:00:
Thanks Peter, I'll read through and run a test.

Peter, 2017-11-16 14:38 -08:00:
RESTful control of Cumulus Linux ACLs (http://blog.sflow.com/2017/11/restful-control-of-cumulus-linux-acls.html) describes how to integrate real-time control of ACLs with the Cumulus Linux 3.4 HTTP API.

Peter, 2017-11-12 08:12 -08:00:
The script is designed to run multiple times - I am not sure why it isn't working the second time in your environment. The nclu commit can take up to 30 seconds so it might be that it is just very slow.

The REST API for Cumulus Linux ACLs script (http://blog.sflow.com/2014/12/rest-api-for-cumulus-linux-acls.html) is much faster and more scalable.

The script can handle multiple sFlow agents. You can run multiple concurrent scripts / applications on a single sFlow-RT instance.

Networker, 2017-11-12 04:25 -08:00:
OK, noted. During my testing, I've noticed that when I launch an attack, it gets successfully mitigated: the GUI and tcpdump confirm it, as does the ACL in the CumulusVX, and the CLI prints block, then allow after the blocking time has passed. However, when I launch a 2nd attack after the target has been allowed again, the 2nd attack doesn't get mitigated or detected. Does the script run once only? Is something wrong with my virtual environment?

I also had a question in mind, actually two: what if I want to run the script on more than a single agent? And what if I want to run more than one script on the same agent? Does sFlow support multi-scripting?

Regards

Peter, 2017-11-10 07:09 -08:00:
The script doesn't match all traffic to the destination, it also includes the UDP source port in the filter, so traffic from other ports, or TCP traffic, would get through. This behavior is designed to block UDP reflection attacks. There are typically too many source addresses to block them individually.

Networker, 2017-11-10 02:26 -08:00:
I did eventually use your method of using the IPv6 address for the agent, and it worked. However, if I've understood it right, the target gets blocked, so even if you launch another attack from another machine, the attackers won't be able to access the target until the script unblocks the target again through (allow target)? Did I understand it right?

Thanks a lot for your help.

Peter, 2017-11-09 07:22 -08:00:
You should be able to use the IPv6 address to communicate, just modify the http line to put the IPv6 address in square brackets, i.e.

http("https://["+agent+"]:8080/nclu/v1/rpc"

Networker, 2017-11-09 02:20 -08:00:
I did reduce the sampling rate for sampling.1G interface to 40. Nothing changed though. You are indeed right that the ACL is not being created, because the UDP traffic is being captured by the tcpdump on the victim. The graph still looks the same, it keeps spiking above and below 300, as clarified yesterday.

Sorry, it was my mistake, I didn't check properly. It's not a MAC address, it is the IPv6 address of the management interface (eth0) on the Cumulus.

When I check the sFlow-RT Agents tab, I can see the agent, but instead of seeing it as IPv4, I'm seeing it as IPv6.

I think that's why the ACL is not being created, and that's why I'm getting the error:

SEVERE: failed to add ACL, InternatlError: Malformed URL java.net.MalformedURLException: for input string: "agentIPv6:8080" (ddos.js#13)

I'm going to try something by forcing the CumulusVX to have an IPv4 address and no IPv6, because due to my connection via the VMware, it managed to get an IPv6 address via my home router.

Or what do you think?

Peter, 2017-11-08 16:12 -08:00:
If you have a threshold as low as 300 then you should reduce the configured sampling rate. Since CumulusVX is handling much less traffic than a hardware switch, try setting it to something like 40.

You will continue to see traffic reported in the sFlow feed from the switch after the ACL is inserted since packets are sampled at ingress (before they are dropped). You can verify that the packets are being dropped using tcpdump at the victim.

I don't think the ACL is being implemented correctly. I don't understand why the sFlow agent is being reported as agent:MAC:address. It should be the IP address of the Cumulus VX switch. What do you see when you click on the sFlow-RT Agents tab?

Networker, 2017-11-08 15:44 -08:00:
I did change the threshold value to 300, and it seemed to work somehow. The attack is being detected on the sFlow-RT Flows page. The attack has also been logged and recorded on the sFlow-RT Events page, as in I can see the attack details. As for the graph, it keeps showing spikes: once the traffic exceeds the 300 threshold value, it drops down below 300 immediately, yet it rises again afterwards and drops again below 300. It is somehow similar to this graph
https://robertscribbler.files.wordpress.com/2016/05/stephan-rahmstorf-temperature-anomaly.jpg

yet the sFlow graph is not curving up like the one in the link.

The Kali Linux shows that there's 100% packet loss, yet the target's tcpdump output shows that the packets are being received.

The sFlow script runs and prints the following message:

date/time...-0500 SERVERE : failed to remove ACL , InternalError:Malformed URL java.net.malformedURLException: For input string: "agent:MAC:address:8080" (ddos.js#13)

date/time...-500 INFO: block target=192.168.22.2 port=53 agent=agent:MAC:address

Any feedback? Because I'm fully understanding if the attack is being mitigated.

Thanks a lot for your help and patience.

Regards

Peter, 2017-11-07 07:06 -08:00:
The threshold is 10,000 packets per second. Are you generating that amount of traffic? You can monitor the flow by clicking on the entry in the sFlow-RT Flows page. Edit the script and change the thresh variable to choose a different threshold.

Networker, 2017-11-07 03:30 -08:00:
It seems that the nginx-restapi-restapi.conf is pre-configured for CumulusVX, because I checked it out and everything seems alright. Should I though leave the option listen [::]:8080 as it is (default setting)?

I ran the example of adding a Layer 2 bridge br212 using curl PUT and the bridge was created successfully, however it took a couple of minutes to take effect. This is the output once I've checked it on the switch:

      Name   Master  Speed  MTU    Mode          Remote Host   Remote Port      Summary
--    ------ ------- -----  -----  ------------  ------------  ---------------  ----------------------------------------------------
UP    lo     None    N/A    65536  Loopback                                     IP: 127.0.0.1/8, ::1/128
UP    eth0   None    1G     1500   Mgmt                                         IP: 192.168.122.133/24(DHCP)
UP    swp1   None    1G     1500   Interface/L3  R1            FastEthernet0/0  IP: 10.10.11.2/24
UP    swp2   None    1G     1500   Interface/L3  R2            FastEthernet0/0  IP: 10.10.22.2/24
UP    br212  None    N/A    1500   Bridge/L2                                    802.1q Tag: Untagged STP: Disabled Vlan Aware Bridge

What I don't get is how come the attack flow is being detected (target IP, source port and amount of frames), yet the threshold is not being triggered and the event is not being logged? sFlow has complete information about the switch and its interfaces, as I've checked in the "Agents" tab. Is the problem the code failing to execute? Or is the problem with the CumulusVX platform on GNS3? The curl commands, though, worked fine as I mentioned above.

Peter, 2017-11-06 09:01 -08:00:
The topology looks good. The default sampling and polling values should be fine.

You should be configuring the /etc/nginx-restapi.conf. The nginx-restapi-chassis.conf is only used for chassis switches.

You can leave the JSON API open on hsflowd if you want, although it probably isn't needed for this use case.

Networker, 2017-11-06 08:34 -08:00:
Sorry, the CumulusVX is supposed to be connected to sFlow and the internet via a switch, and not the target.

Networker, 2017-11-04 13:44 -07:00:
This is my current topology for the test:

attacker<-->Router<-->CumulusVX<-->Router<-->target
                                               |
                                               |
                                             switch<--->sFlow(DDoS script)
                                               |
                                             internet

The script should run on the remote sFlow machine? I think the topology is OK, feedback?

I've tested the following command to test the API remotely:

curl -X POST -k -u user:pw -H "Content-Type: application/json" -d '{"cmd": "show counters"}' https://1.1.1.1:8080/nclu/v1/rpc

of course after changing the username, password and IP address. I was able to get multiple results, not only for the show counters, but for OSPF configurations on the CumulusVX such as interfaces etc.

The question is, how should I know if I have written the configuration in "/etc/nginx-restapi-chassis.conf" correctly?

When I ran the following command "sudo nginx -c /etc/nginx-restapi-chassis.conf -t"

I got a successful test, warning-free status.

Is there something else that needs to be configured in the chassis.conf besides the normal instructions?

Regarding the sampling and polling values, I uncommented the default values within hsflowd.conf. Should they be something other than the default?

I'm also uncommenting an option stating to listen for the JSON application on a certain pre-defined port number. Should I leave it uncommented?

Regards

Peter, 2017-11-04 08:01 -07:00:
How long are you running your tests? You should wait a minute or two after starting sFlow-RT before generating the DDoS attack. This gives time for sFlow-RT to learn the ifNames from the sFlow stream (you need at least one polling interval to learn the names). The eventHandler() function returns if ifname isn't known since it is needed as an argument when creating the ACL using nclu.

Networker, 2017-11-04 07:08 -07:00:
I am using CumulusVX 3.4. I did apply the command, and I can see the destination IP address (targeted IP) on the sFlow GUI (the "Flows" tab). I can see as well the source port 53, and the amount of frames varying. The threshold is set, however no event is being recorded once the threshold has been exceeded. I checked the tcpdump on the target, and the packet flood is getting through. The problem is that the ACL is not being implemented. I did use the curl command to test the APIs (the POST example), and they are working fine for many show commands.

Any idea what seems to be the problem? Is it possible to get a look at your configurations?

Peter, 2017-10-21 07:35 -07:00:
The "include('extras/json2.js');" statement from the older script should be removed since the JavaScript engine now natively supports JSON.

Are you using CumulusVX? Since CumulusVX doesn't have an ASIC that would normally perform the packet sampling function, you need to use the following command on the CumulusVX switch to sample packets:

sudo iptables -I FORWARD -j NFLOG --nflog-group 1 --nflog-prefix SFLOW

Once you have packet samples sFlow-RT should be able to detect the DDoS attack.

Networker, 2017-10-21 05:25 -07:00:
Thanks for the reply Peter. I did test the HTTP API, the show counters did work, and I've tested another command:

8.122.21:8080/nclu/v1/rpc": "show configuration interface swp1"}' https://192.16
interface swp1
 address 10.10.11.5/24

However, when I run the script above, nothing happens. The remote Ubuntu host (the host is configured as an sFlow-RT host) shows that ddos.js is running but nothing else. The GUI shows that the Cumulus VX switch (agent) does exist and the filters are set. I can see the incoming traffic, but the filters do not block and the ACL does not get created. Is the problem that I'm using sFlow-RT? I tried using the "DDoS mitigation with Cumulus Linux" example, yet when I ran the script I got a message saying that the "-Dflow.sumegress=yes" command doesn't exist. When I run it using env "RTPROP=-Dscr......." ./start, I get a warning that ddos.js#1 java.io.FileNotFoundException: extras/json2.js (no such file or directory), and the script stops running. What seems to be the problem? Any ideas?

Peter, 2017-10-11 08:14 -07:00:
It sounds like you have everything set correctly. The "net" prefix is implied by the CLI REST API so you shouldn't need to modify the script, see the "show counters" example in HTTP API (https://docs.cumulusnetworks.com/display/DOCS/HTTP+API).

Are any messages logged by the script? It can take up to 30 seconds to commit the changes and for the filter to have an effect. How are you testing to see if the script is working? If you log into the switch and run "net show configuration acl" you should be able to verify that the ACL has been installed correctly. The sFlow feed from the switch will still show traffic since packets are sampled on ingress. You would need to check downstream to verify that the packets have been dropped.

You might also check out REST API for Cumulus Linux ACLs (http://blog.sflow.com/2014/12/rest-api-for-cumulus-linux-acls.html). This method of controlling ACLs is much faster and more reliable. You would need to modify the acl_server script to use a port other than 8080 so that it doesn't clash with the new Cumulus REST API. Ideally, the functionality should be integrated under the new Cumulus Linux REST API to share authentication etc. The following article contains a DDoS mitigation script that uses the acl_server API: DDoS mitigation with Cumulus Linux (http://blog.sflow.com/2014/07/ddos-mitigation-with-cumulus-linux.html).

Networker, 2017-10-11 03:57 -07:00:
I have tried to run this code yet it does not seem to work. I've tried to add "net add acl ..." instead of "add acl ..." as the NCLU commands start with "net", yet it did not help (the script runs and I can see that it has created the filters in the sFlow GUI). I've configured the agent correctly and I can see it on sFlow, however, when I launch the attack, no ACL is added. I've created the ddos.js in the sFlow directory, and started it using the "env "RTPROP=-Dscript.file=ddos.js" ./start.sh" command. What am I doing wrong?