Comments on sFlow: DDoS mitigation hybrid OpenFlow controller

Peter (2015-05-17T08:23:05.772-07:00):
This article used a physical switch that supports hybrid OpenFlow. When you use Mininet, you need to simulate hybrid OpenFlow by installing rules that provide a forwarding path for packets. You can use the leafandspine script that ships with sFlow-RT to set up the default OpenFlow rules:
Hybrid OpenFlow ECMP testbed (http://blog.sflow.com/2015/01/hybrid-openflow-ecmp-testbed.html)

Anonymous (2015-05-17T01:54:21.704-07:00):
Sorry Peter, but I forgot to mention that pingall is unsuccessful. Any ideas?

Peter (2015-05-16T15:10:55.512-07:00):
You can ignore the warning. It looks like you have successfully connected Mininet to the sFlow-RT controller.

Anonymous (2015-05-16T12:03:12.695-07:00):
May I know how to disable the controller? I'm using 'sudo mn --controller=remote' but when I start sFlow the following appeared:

    2015-05-16T14:54:31-0400 INFO: OF: connected to 127.0.0.1:42110 using OF 1.3
    2015-05-16T14:54:31-0400 WARNING: OF1.3: error from 127.0.0.1:42110: type = OFPET_BAD_REQUEST, code = OFPBRC_BAD_STATS, cause = OFStatisticsMessage [type=TABLE_FEATURES, flags=0, data=[]]

And is this correct (start.sh)?:

    RT_OPTS="-Dsflow.port=6343 -Dhttp.port=8008"
    SCRIPTS="-Dscript.file=ddos.js -Dopenflow.controller.start=yes"

I look forward to your reply. Thank you.

Peter (2015-05-16T10:18:02.138-07:00):
The message indicates that there is another OpenFlow controller running. You need to disable the controller so that sFlow-RT can open the OpenFlow port and receive OpenFlow connections.

Anonymous (2015-05-16T05:47:17.524-07:00):
Thank you for your prompt reply Peter. I've managed to follow the steps provided by you and TheDoc McFly, but apparently there's no traffic being dropped. I figured that it has something to do with the controller. I'm using 'sudo mn' and when I start sFlow './start.sh':

    2015-05-16T08:32:23-0400 SEVERE: OF: could not start controller: Address already in use

I really appreciate any help you can provide. Thanks!

Peter (2015-05-15T11:50:09.689-07:00):
You need to be running as root to open port 53.

Anonymous (2015-05-15T10:56:20.987-07:00):
Yes, I'm having the same issue as Yujjit Abijaiy, any solutions? Thanks

Anonymous (2014-12-05T20:01:38.028-08:00):
Hi,
I too am trying the same experiment, but when I run the nping command to produce the DNS reflection attack that is mentioned above in the article, it throws me an error saying

    libnsock mksock_bind_addr(): Bind to 0.0.0.0:53 failed (IOD #34517): Permission denied (13)

I'm not sure why this error pops up. Am I missing something? I would appreciate it if I could get help regarding this.
Thanks

Anonymous (2014-05-09T12:30:26.043-07:00):
Great, everything works now as expected. Thanks a lot!

Peter (2014-05-06T20:44:23.420-07:00):
Open vSwitch samples packets before filtering, so you see the discarded packets. If you add the following filter to your setFlow function, filter:'outputifindex!=discard', then you should be able to see the flow being dropped.

Anonymous (2014-05-06T19:30:29.415-07:00):
Thanks for the replies Peter. I am making some progress; I am able to see the graph (see here: http://imgur.com/vba0xl5). I am also getting feedback from my log message, which I inserted as you advised below. I also modified some of the code above to get it to work correctly for me (mainly bumped bytes_per_second down to 10 Mbps, removed egress filter on setFlow, and finally I removed the filter from the setThreshold function).

-----------------------------

    // Define large flow as greater than 10Mbits/sec for 1 second or longer
    var bytes_per_second = 10000000/8;
    var duration_seconds = 1;

    var idx = 0;

    // Track UDP bytes per (destination IP, UDP source port)
    setFlow('udp_target',
      {keys:'ipdestination,udpsourceport',
       value:'bytes', t:duration_seconds}
    );

    setThreshold('attack',
      {metric:'udp_target', value:bytes_per_second, byFlow:true, timeout:2}
    );

    setEventHandler(function(evt) {
      var agent = evt.agent;
      var ports = ofInterfaceToPort(agent);
      if(ports && ports.length == 1) {
        var dpid = ports[0].dpid;
        var id = "drop" + idx++;
        var k = evt.flowKey.split(',');
        // Empty action list: matching packets are dropped
        var rule = {
          priority:5, idleTimeout:20, hardTimeout:3600,
          match:{dl_type:2048, nw_proto:17, nw_dst:k[0], tp_src:k[1]},
          actions:[]
        };
        setOfRule(dpid,id,rule);
        logInfo("blocking " + k[0]);
      }
    },['attack']);

----------------------------------

I am also getting output when I run ovs-ofctl dump-flows like so:

    sudo ovs-ofctl dump-flows s1
    NXST_FLOW reply (xid=0x4):
     cookie=0x2, duration=6.801s, table=0, n_packets=0, n_bytes=0, idle_timeout=20, hard_timeout=3600, idle_age=6, priority=5,udp,nw_dst=10.0.0.2,tp_src=53 actions=drop
     cookie=0x0, duration=323.261s, table=0, n_packets=7297726, n_bytes=10523142088, idle_age=0, priority=10 actions=NORMAL

So it appears that the DDoS mitigation flow is getting pushed to the switch, but I do not see any drop in the graph. It just continues to show the attack traffic as normal. Any thoughts on what I am missing? Thanks again Peter for the incredibly quick replies!

Peter (2014-05-06T16:01:11.190-07:00):
You might find the leafandspine script that now ships with sFlow-RT easier to use - see Mininet integrated hybrid OpenFlow testbed (http://blog.sflow.com/2014/04/mininet-integrated-hybrid-openflow.html)

Anonymous (2014-05-06T15:44:06.530-07:00):
Hi Peter,

Thanks for your post. I'm incredibly new to all of this and I realized that I wasn't setting any configuration for the mininet's openvswitch (i.e. "sudo ovs-vsctl -- --id=@sflow create sflow agent=eth0 target=\"127.0.0.1:6343\" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow" which was extracted from one of the other blog posts). I'll give this and your suggestions a shot when I get home.

Peter (2014-05-05T21:28:18.649-07:00):
The sFlow from Open vSwitch on Mininet is ingress sampled. Try removing the filter in the setFlow command. You could also put a logging statement after the setOfRule statement to let you know that the rule has been triggered, e.g. logInfo("blocking " + k[0]);

Anonymous (2014-05-05T20:36:31.051-07:00):
Great post! I am currently trying to recreate this experiment. I have sflow-rt up and running with the custom options (ddos.js and openflowcontroller start) as well as mininet (running the default 2 host topology with remote controller). I see feedback in the terminal that is running sflow and I know that the sflow-rt controller and mininet are talking to each other as I get a successful pingall.

Overall, I think it's working but I can't tell for sure. I see that you have visualized your traffic with graphs and I was wondering if there was a way to do that same thing in the sflow-rt web interface. (I tried to go to http://localhost:8008/metric/ALL/udp_target/html and unfortunately I see nothing.)
I really appreciate the help and above all for the interesting article. Have a great week!
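
Added example (not part of any comment above, and not sFlow-RT or Open vSwitch code): a Node.js check that a pushed mitigation rule can actually match traffic, run over the `ovs-ofctl dump-flows s1` output quoted in the thread. OpenFlow applies the highest-priority matching rule, so the script flags drop rules that sit below a higher-priority rule covering the same traffic. The function names `parseFlows` and `shadowedDrops` are hypothetical.

```javascript
// SAMPLE is the dump-flows output quoted in the thread above.
const SAMPLE = [
  'NXST_FLOW reply (xid=0x4):',
  ' cookie=0x2, duration=6.801s, table=0, n_packets=0, n_bytes=0, idle_timeout=20, hard_timeout=3600, idle_age=6, priority=5,udp,nw_dst=10.0.0.2,tp_src=53 actions=drop',
  ' cookie=0x0, duration=323.261s, table=0, n_packets=7297726, n_bytes=10523142088, idle_age=0, priority=10 actions=NORMAL',
].join('\n');

// Fields that describe the rule itself rather than what it matches.
const META = new Set(['cookie', 'duration', 'n_bytes', 'idle_timeout',
  'hard_timeout', 'idle_age', 'hard_age']);

function parseFlows(text) {
  const flows = [];
  for (const line of text.split('\n')) {
    const m = line.trim().match(/^(cookie=.*)\sactions=(.*)$/);
    if (!m) continue; // reply header or blank line
    // ovs-ofctl omits priority when it is the OpenFlow default, 32768.
    const flow = { table: 0, priority: 32768, packets: 0, match: {}, actions: m[2].trim() };
    for (const tok of m[1].split(',').map(s => s.trim()).filter(Boolean)) {
      const eq = tok.indexOf('=');
      const key = eq < 0 ? tok : tok.slice(0, eq);
      const val = eq < 0 ? true : tok.slice(eq + 1);
      if (key === 'priority') flow.priority = Number(val);
      else if (key === 'n_packets') flow.packets = Number(val);
      else if (key === 'table') flow.table = Number(val);
      else if (!META.has(key)) flow.match[key] = val;
    }
    flows.push(flow);
  }
  return flows;
}

// A drop rule is shadowed when a higher-priority rule in the same table matches
// everything it matches. Simplification: fields are compared by exact value
// (no masks or prefixes), so this check can miss some shadowing.
function shadowedDrops(flows) {
  return flows.filter(f => f.actions === 'drop').map(drop => ({
    drop,
    by: flows.find(o => o.table === drop.table && o.priority > drop.priority &&
      Object.entries(o.match).every(([k, v]) => drop.match[k] === v)),
  })).filter(r => r.by);
}

for (const { drop, by } of shadowedDrops(parseFlows(SAMPLE))) {
  console.log(`drop rule priority=${drop.priority} n_packets=${drop.packets} ` +
    `is below priority=${by.priority} actions=${by.actions}`);
}
```

On the quoted dump it reports the priority=5 drop rule, whose n_packets counter is 0, below the priority=10 NORMAL rule.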