Test bed
Mininet uses Linux containers and Open vSwitch to allow realistic virtual networks of hosts and switches to be constructed using a virtual machine. Mininet is widely used by SDN researchers since it allows anyone with a laptop to build realistic network topologies and experiment with OpenFlow controllers and SDN applications.The Floodlight OpenFlow Controller was selected for the test bed because its default behavior is to provide basic connectivity which can be selectively overridden using the Static Flow Pusher API. This separation allows simple performance optimizing applications to be developed since they don't need to concern themselves with maintaining connectivity and are free to focus on implementing optimizations. The Static Flow Pusher provides an example of hybrid OpenFlow (in which OpenFlow is used to selectively override forwarding decisions made by the normal switch forwarding logic). This makes it straightforward to move applications from the test bed to physical switches that support hybrid OpenFlow control. Finally, Floodlight is one of the most mature platforms used in production settings, so any applications developed on the test bed can be easily moved into production.
There are a number of ways to get started, both the Mininet and Floodlight projects distribute a pre-built virtual machine (VM) appliance (the Floodlight VM includes Mininet). Alternatively, it is straightforward to build an Ubuntu 13.04 virtual machine and install Mininet using apt-get (this is the route the author took to build a Mininet VM on a XenServer pool).
Once you have a system with Mininet and Floodlight installed, download and install sFlow-RT:
wget http://www.inmon.com/products/sFlow-RT/sflow-rt.tar.gz tar -xvzf sflow-rt.tar.gzAnd finally, this example will be using node.js as the application language. Node.js is well suited for implementing SDN applications. Its asynchronous IO model supports a high degree of parallelism, allowing the SDN application to interact with multiple controllers, monitoring systems, databases etc. without blocking, resulting in a fast and consistent response time that makes it well suited for control applications.
The following command installs node.js:
sudo apt-get install nodejsFor development, it is helpful to run each tool in a separate window so that you can see an logging messages (in a production setting processes would be daemonized).
1. Start Floodlight
cd floodlight ./floodlight.sh2. Start Mininet, specifying Floodlight as the controller
sudo mn --controller=remote,ip=127.0.0.1 *** Creating network *** Adding controller *** Adding hosts: h1 h2 *** Adding switches: s1 *** Adding links: (h1, s1) (h2, s1) *** Configuring hosts h1 h2 *** Starting controller *** Starting 1 switches s1 *** Starting CLI: mininet>3. Configure sFlow monitoring on each of the switches:
sudo ovs-vsctl -- --id=@sflow create sflow agent=eth0 target=\"127.0.0.1:6343\" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow4. Start sFlow-RT
cd sflow-rt ./start.shBy default, Floodlight provides a basic layer 2 switching service, ensuring connectivity between hosts connected to the OpenFlow switches. Connectivity can be verified using the Mininet command line:
mininet> h1 ping h2 PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_req=1 ttl=64 time=36.7 ms 64 bytes from 10.0.0.2: icmp_req=2 ttl=64 time=0.159 ms
There are many options for using the Mininet test bed, previous articles on this blog have used Python to develop applications and different SDN controllers can be installed. For example, the PyTapDEMon series of articles describes the uses Python, POX (an OpenFlow controller written in Python) and Mininet to recreate the Microsoft DEMon SDN packet broker.
DDoS mitigation application
The following node.js script is based on the Python script described in Performance Aware Software Defined Networking.var fs = require("fs");
var http = require('http');
var keys = 'inputifindex,ethernetprotocol,macsource,macdestination,ipprotocol,ipsource,ipdestination';
var value = 'frames';
var filter = 'sourcegroup=external&destinationgroup=internal&outputifindex!=discard';
var thresholdValue = 100;
var metricName = 'ddos';
// mininet mapping between sFlow ifIndex numbers and switch/port names
var ifindexToPort = {};
var nameToPort = {};
var path = '/sys/devices/virtual/net/';
var devs = fs.readdirSync(path);
for(var i = 0; i < devs.length; i++) {
var dev = devs[i];
var parts = dev.match(/(.*)-(.*)/);
if(!parts) continue;
var ifindex = fs.readFileSync(path + dev + '/ifindex');
var port = {"switch":parts[1],"port":dev};
ifindexToPort[parseInt(ifindex).toString()] = port;
nameToPort[dev] = port;
}
var fl = { hostname: 'localhost', port: 8080 };
var groups = {'external':['0.0.0.0/0'],'internal':['10.0.0.2/32']};
var rt = { hostname: 'localhost', port: 8008 };
var flows = {'keys':keys,'value':value,'filter':filter};
var threshold = {'metric':metricName,'value':thresholdValue};
function extend(destination, source) {
for (var property in source) {
if (source.hasOwnProperty(property)) {
destination[property] = source[property];
}
}
return destination;
}
function jsonGet(target,path,callback) {
var options = extend({method:'GET',path:path},target);
var req = http.request(options,function(resp) {
var chunks = [];
resp.on('data', function(chunk) { chunks.push(chunk); });
resp.on('end', function() { callback(JSON.parse(chunks.join(''))); });
});
req.end();
};
function jsonPut(target,path,value,callback) {
var options = extend({method:'PUT',headers:{'content-type':'application/json'}
,path:path},target);
var req = http.request(options,function(resp) {
var chunks = [];
resp.on('data', function(chunk) { chunks.push(chunk); });
resp.on('end', function() { callback(chunks.join('')); });
});
req.write(JSON.stringify(value));
req.end();
};
function jsonPost(target,path,value,callback) {
var options = extend({method:'POST',headers:{'content-type':'application/json'},"path":path},target);
var req = http.request(options,function(resp) {
var chunks = [];
resp.on('data', function(chunk) { chunks.push(chunk); });
resp.on('end', function() { callback(chunks.join('')); });
});
req.write(JSON.stringify(value));
req.end();
}
function lookupOpenFlowPort(agent,ifIndex) {
return ifindexToPort[ifIndex];
}
function blockFlow(agent,dataSource,topKey) {
var parts = topKey.split(',');
var port = lookupOpenFlowPort(agent,parts[0]);
if(!port || !port.dpid) return;
var message = {"switch":port.dpid,
"name":"dos-1",
"ingress-port":port.portNumber.toString,
"ether-type":parts[1],
"protocol":parts[4],
"src-ip":parts[5],
"dst-ip":parts[6],
"priority":"32767",
"active":"true"};
console.log("message=" + JSON.stringify(message));
jsonPost(fl,'/wm/staticflowentrypusher/json',message,
function(response) {
console.log("result=" + JSON.stringify(response));
});
}
function getTopFlows(event) {
jsonGet(rt,'/metric/' + event.agent + '/' + event.dataSource + '.' + event.metric + '/json',
function(metrics) {
if(metrics && metrics.length == 1) {
var metric = metrics[0];
if(metric.metricValue > thresholdValue
&& metric.topKeys
&& metric.topKeys.length > 0) {
var topKey = metric.topKeys[0].key;
blockFlow(event.agent,event.dataSource,topKey);
}
}
}
);
}
function getEvents(id) {
jsonGet(rt,'/events/json?maxEvents=10&timeout=60&eventID='+ id,
function(events) {
var nextID = id;
if(events.length > 0) {
nextID = events[0].eventID;
events.reverse();
for(var i = 0; i < events.length; i++) {
if(metricName == events[i].thresholdID) getTopFlows(events[i]);
}
}
getEvents(nextID);
}
);
}
// use port names to link dpid and port numbers from Floodlight
function getSwitches() {
jsonGet(fl,'/wm/core/controller/switches/json',
function(switches) {
for(var i = 0; i < switches.length; i++) {
var sw = switches[i];
var ports = sw.ports;
for(var j = 0; j < ports.length; j++) {
var port = nameToPort[ports[j].name];
if(port) {
port.dpid = sw.dpid;
port.portNumber = ports[j].portNumber;
}
}
}
setGroup();
}
);
}
function setGroup() {
jsonPut(rt,'/group/json',
groups,
function() { setFlows(); }
);
}
function setFlows() {
jsonPut(rt,'/flow/' + metricName + '/json',
flows,
function() { setThreshold(); }
);
}
function setThreshold() {
jsonPut(rt,'/threshold/' + metricName + '/json',
threshold,
function() { getEvents(-1); }
);
}
function initialize() {
getSwitches();
}
initialize();
The script should be fairly self explanatory to anyone familiar with JavaScript. The asynchronous style of programming in which the response to each call is handled by a callback function may be unfamiliar to non-Javascript programmers, but it is widely used in JavaScript and is the keys to node.js's low latency and ability to handle large numbers of concurrent requests. The sFlow-RT REST API calls and the basic logic for this script are explained in the Performance aware software defined networking article.There are a couple of topics addressed in the script that warrant mention:
The OpenFlow protocol has its own way of identifying switches and ports on the network and an SDN application needs to be able to translate between the performance monitoring system's model of the network (identifying switches by their management IP addresses and ports by SNMP ifIndex numbers) and OpenFlow identifiers. Currently, there is no standard way to map between these two models and this deficiency needs to be addressed by the Open Networking Foundation, either through extensions to the configuration or OpenFlow protocols.
However, this script shows how to build these mappings in a Mininet environment by examining files in the /sys/devices/virtual/net directory and combining the information with data about the switches retrieved using Floodlight's /wm/core/controller/switches/json REST API call.
Finally, the sFlow data from Open vSwitch includes dropped packets. The sFlow-RT filter expression outputifindex!=discard is used to detect flows that aren't being blocked.
Results
This example uses a Ping Flood to demonstrate a basic denial of service attack.The following Mininet command opens an terminal window connected to host h1:
mininet> xterm h1Type the following command in the terminal to generate a ping flood between h1 and h2:
# ping -f 10.0.0.2
Next stop the ping flood attack and let the traffic settle down.
The following command runs the denial of service mitigation script:
nodejs mininet.jsNow start the ping flood again and see what happens.
The ping flood attack is quickly detected by sFlow-RT, which notifies the mitigation application. The mitigation application retrieves details of the attack from the sFlow-RT in order to construct the following message, which is sent to the Floodlight's Static Flow Pusher:
message={"switch":"00:00:00:00:00:00:00:01","name":"dos-1","ether-type":"2048","protocol":"1","src-ip":"10.0.0.1","dst-ip":"10.0.0.2","priority":"32767","active":"true"}
The Floodlight controller then uses OpenFlow to push the rule to Open vSwitch which immediately starts dropping packets.Note: The mitigation script doesn't automatically remove the control once the attack has been stopped, so the following command is needed to clear the controls on Floodlight:
curl http://localhost:8080/wm/staticflowentrypusher/clear/all/json
While far from a complete application, this example demonstrates that the sFlow and OpenFlow standard can be combined to build fast acting performance aware SDN applications that address important use cases, such as DDoS mitigation, large flow load balancing, multi-tenant performance isolation, traffic engineering, and packet capture. The Mininet platform provides a convenient way to develop, test and share applications addressing these use cases.
This is great!! is there any kind of sFlow documentation for understanding the options we can use ? I am quite interested to dig deeper.
ReplyDeleteThanks in advance.
The data exported by sFlow agents is described at sFlow.org: Specifications. Documentation for the sFlow-RT analyzer is included in the web interface of the software and there are a number of example on this blog. The best starting point is probably Performance aware software defined networking. Please join the sFlow-RT group to ask questions, share ideas and make suggestions.
DeleteI have the problem that I want to implement ddos like above, so I also copy and paste code to type nodejs mininet.js,but this is the error message, is the nodejs version too old?(v0.6.19)
ReplyDeleteevents.js:48
throw arguments[1]; // Unhandled 'error' event
^
Error: connect ECONNREFUSED
at errnoException (net.js:670:11)
at Object.afterConnect [as oncomplete] (net.js:661:19)
Try using the version of the code included with the sFlow-RT download (extras/mininet.js).
DeleteA connection refused error suggests that you have a firewall or some other setting that is blocking http connections to sFlow-RT (tcp port 8008) or FloodLight (tcp port 8080). Try connecting to both services using cURL to troubleshoot the connectivity issue.
thank you, I resolve this problem~
Deleteand I have an other question that what mean above picture charts flow 7K, it's mean 7Kbyte? because I use mininet and type Iperf h1 h2 it were show about 278Mbits/sec but it's show 24K at the charts flow ,sorry I don't really know what it mean ~
I very appreciate your reply !!!
sFlow-RT reports rates. In the chart above, the flow definition has value=frames. The chart displays frames/second, e.g. 7K value corresponds to 7K frames/second.
DeleteIf you ran this script in your environment (with the same flow definitions), then the 24K represents 24K frames / second. If you want to look at bytes /second, then set value='bytes' (you will then need to multiply the values by 8 to get bits /second).
thank you !! I know what it mean!!! I am very grateful to you~
DeleteI am trying to reproduce this experiment. I am using the scripts from extras. My nodejs version is v.0.6.12. I start the mininet.js script with: "node mininet.js". I can see all other metrics in the metrics menu, except the ddos one. Other metrics get traffic information. I appreciate any suggestions
ReplyDeleteThe API for defining groups and using them in flow definitions has changed - try extras/mininet.js.
ReplyDeletehow do you display the sflow rt chart ?
ReplyDeleteThe /metric/ALL/ddos/html page in the sFlow-RT web interface trends the top ddos flow metric. This is a fairly old post, there are many newer examples that you might want to look at, see sFlow-RT
DeleteI did all the steps for DDoS generation. To see the DDoS traffic, when I type 10.0.057:8008/metric/ALL/ddos/html, I could not see the large flows. It would take me to the domain localhost:8008/metric/ALL/ddos/html. However, when I go to localhost:8008/metric/ALL/flows/html, I could see the flows of order 7M and above. I'm not sure what am I missing to see the ddos chart. Can you help me see the chart?
ReplyDeleteThe sFlow-RT APIs have changed since this article was published (in particular the way that filtering on address groups is defined). Try modifying the script with filter = 'outputifindex!=discard';
DeleteHi Peter, I ran the mitigation script (mininet.js given above) after topology creation, sflow monitoring followed by running start.sh. The flow traffic were of the order of 450 frames/sec and it would not decrease. Is there anything to be modified in the script?
DeleteThanks.
Are you looking at the ddos metric (the one with filter:outputifindex!=discard)? Open vSwitch will report on traffic that dropped and so you need the filter to separate dropped from forwarded traffic and see the effect of the filtering action.
DeleteThis comment has been removed by the author.
DeleteI applied the filter outputifindex!=discard in the mitigation script and now able to see ddos and flows metric. However the traffic of both the metric appears to be similar.
DeleteThis comment has been removed by the author.
ReplyDeleteHi,
ReplyDeleteDoes the mitigation script run in stand alone OS rather than a virtual machine environment?
Thanks
Hi...
ReplyDeleteWhen I type URL like (localhost:8008/metric/ALL/ddos/html) in sFLow-RT, Graph plot is not showing..
The syntax of the groups function has changed. sFlow-RT can now have multiple named groups, i.e. /group/{name}/json
DeleteWhen referring to groups in a flow definition (either in a filter or as a flow key), the syntax has changed. For example, instead of sourcegroup you would use group:insource:{name}
Check the documentation under the sFlow-RT RESTflow tab and more recent examples on this blog for additional changes.
Hi Peter, I'm interesting with SDN and ur posting help me much. But I have many trouble when I follow ur step. May I have ur contact for fast response? I need to build a SDN network for DDOS mitigation.
ReplyDeleteI,m confuse with sflow.port in /sflow-rt/start.sh, is that same with controller port cause I use port 6633 for controller.
Thank u for answer
The sFlow protocol runs over UDP, using destination port 6343 by default. sFlow and OpenFlow are separate protocols: sFlow provides measurements and OpenFlow provides control.
Deletesorry to ask you again, i try to run your code mininet.js in my computer but i get error like this:
ReplyDeletefor(var j = 0; j < ports.length; j++) {
^
TypeError: Cannot read property 'length' of undefined
do you know how to solved this problem?
In another computer i run the same program but i get different error like this:
events.js : 72
throw er; // Unhandle 'error' event
^
Error: connect ECONNREFUSED
sorry but this problem make me so confuse. Thanks for response sir
The first error suggests that the call to Floodlight's REST API (/wm/core/controller/switches/json) has changed or is failing. The connection refused error means that sFlow-RT, or Floodlight is not running (or there is a firewall) preventing successful REST calls.
DeleteThis comment has been removed by the author.
DeleteDear Peter,
DeleteThank u for ur help. I know now why i get to many errors. Before, i used floodlight version 1.0 i think that is the mistake, cause REST API version 1.0 and REST API version 0.90 are different and your code base on REST API floodlight version 0.90.
i have changed the var filter = 'outputifindex!=discard'; too for make it run well.
This comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteHi, I have tried this article by mininet+floodlight and running well. it was great.
ReplyDelete.
but, when i tried your script on openwrt+floodlight, nothing happen when ddos attacking.
please help me. thanks.
Great to hear you got it working with Floodlight. I am sorry I can't be of any help with OpenDaylight - the API's have changed and I don't have any current examples.
Deletesorry, im using floodlight too, mr Peter.
Delete.
i installed openwrt on TP-Link 1043ND hardware version 2.0, and controlled it by floodlight version 0.90.
the traffic has been graphed in sflow, but when i run your script while ddos attacking, nothing happen.
.
for our information, openwrt is a firmware for switch real device, https://openwrt.org/.
i change firmware TP-Link into this openwrt so i can use openvswitch protocol with it to connect to floodlight controller.
.
Thanks.
i have same case as ikhwanul.
Deletei installed openwrt on tp-link 1043ND, floodlight & sflow is running well.
but when i run this mininet.js, nothing happen.
what should i do?
Did you update the script? The script as published uses old sFlow-RT API's and won't work - you need to change the way the address groups are installed and applied, i.e. change:
Delete'sourcegroup=external&destinationgroup=internal&outputifindex!=discard'
to
'group:insource:ddos=external&group:ipdestination:ddos=internal&outputifindex!=discard'
and change the URL to install the groups from:
/group/json
to:
/group/ddos/json
Documentation and examples are at sFlow-RT.com
Hi Peter,
ReplyDeleteCan I use your code for my thesis? Is it opensource material?
Thanks in advance.
You are welcome to use code published on the blog in your thesis.
DeleteAfter I run the mininet.js, i am getting following eror:
ReplyDeleteubuntu@ip-172-31-42-72:~$ nodejs mininet.js
/home/ubuntu/mininet.js:145
for(var j = 0; j < ports.length; j++) {
^
TypeError: Cannot read property 'length' of undefined
at /home/ubuntu/mininet.js:145:33
at IncomingMessage. (/home/ubuntu/mininet.js:50:33)
at IncomingMessage.EventEmitter.emit (events.js:117:20)
at _stream_readable.js:920:16
at process._tickCallback (node.js:415:13)
Please help.
The Floodlight REST API has changed since this article was published. The error message suggests that the /wm/core/controller/switches/json REST call / response has changed.
DeleteThank you, Peter.
ReplyDeleteI got it run on floodlight vm installed on virtualbox, however, i am still getting same error message on EC2 ubuntu instance.
Hello Peter,
ReplyDeleteI am having the same problem as Mutalip. The Floodlight REST API call hasn't changed in the floodlight documentation (i.e. /wm/core/controller/switches/json) so I don't think the problem is there but I am at a lost trying to discover the reason the extras/mininet.js script isn't running. Can you please help?
k/r
Brian
The extras/mininet.js script is incompatible with Floodlight. The script is used with sFlow-RT's internal OpenFlow controller, see Hybrid OpenFlow ECMP testbed for instructions on how to use the script.
DeleteHi, Peter. How does the sFlow-RT calculate the threshold?? any formula involved?? I am confused with the article in http://blog.sflow.com/2013/06/large-flow-detection-script.html ..... How does the sflow-rt process flow in bytes from localhost:8008/dump/ALL/total/json and compare with threshold defined??
ReplyDeleteKindly advise..thanks
The threshold is set to a packets per second limit. The limit expresses operational policy (i.e. an administratively permitted packet rate per destination IP address). There is no formula being used - the value is set based on network capacity and administrative concerns.
DeletesFlow-RT applies threshold to each metric instance as it is updated. The /dump command gets the current value of every instance of the metric. You could poll and apply the threshold, but you wouldn't get the same speed of response.
Writing Applications provides an overview of the sFlow-RT APIs and how they link together.
Thanks for your reply.. let me explain my scenario..
DeleteIf I define 100000Bytes as threshold to differentiate between large flow and small flow . When i perform iperf between h1(server) and h3 (client) ,the transfer size falls between 100 and 400 MBytes and bandwidth is between 1-3 GBits/sec... However, the threshold event from localhost:8008/events/html shows different event IDs with constant value of 101200 bytes that exceeded the pre-defined threshold value. My question is how does sFlow-RT gets 101200?
As /dump command gets current value of every instance, so each flow captured have different values. How does sFlow-RT analyse these values and compare with threshold defined?
Kindly advise..Thanks
..
The 101200 bytes/second value reported with the event is the computed value of the metric at the moment data was received that drove the metric across the threshold.
DeletesFlow-RT checks thresholds each time it updates a metric value. The values shown using the /dump command were all checked at the time they were updated - reading them later will show different values.
If you are interested in large flow detection then the article Large flow detection script
how do i display sflow-rt graph for ddos metric?
ReplyDeletelocalhost:8008/metric/ALL/ddos/html does not exist.
Am i missing something?
The flow hasn't been installed. Have you updated the flow definition to use the group:insource:ddos syntax? See previous comments.
DeleteHi Peter,
ReplyDeleteHow can we set the threshold as bytes/sec instead of packets per second?
Thanks,
Change the value parameter to bytes, i.e.
Deletevar value = 'bytes';
and the thresholdValue will be applied to the bytes/second reported for the flow.
Thank you, Peter!
ReplyDeleteHi Peter,
ReplyDeleteI am trying to collect data to calculate the controller bandwidth utilization. Floodlight has API to show traffic on each port. But, How do I know which port is connected to controller?
127.0.0.1:8080/wm/statistics/bandwidth///json.
Does sFlow provide similar API?
Thank you
You can get the utilization of all the ports using sFlow-RT:
Deletehttp://10.0.0.66:8008/table/ALL/ifname,ifinutilization,ifoututilization/json
If you know the specific port connected to the controller (if controller is connected to sFlow agent 10.0.0.233 on port with ifIndex 3):
http://10.0.0.66:8008/table/10.0.0.233/3.ifinutilization,3.ifoututilization/json
You could also define a flow to track OpenFlow traffic (TCP port 6633):
http://sflow-rt.com/define_flow.php
How do i know which port is connected to controller? For example, i created the topology as following:
ReplyDeletesudo mn --controller,ip=127.0.0.1,port=6653 --switch ovsk,protocols=openflow13
None of the Mininet switch ports are connected to the controller in your example. The OpenFlow connection between Open vSwitch and the OpenFlow controller is effectively "out of band" and doesn't cross any of the switches in the Mininet network (and is invisible to OpenFlow / sFlow monitoring of the switches).
DeleteHow do i connect specific switch port to controller? Should i use different switch?
ReplyDeleteI don't know if it is possible. You might want to ask the question on the Mininet mailing list.
DeleteThis comment has been removed by the author.
ReplyDeleteHi Peter,
ReplyDeleteCan we count packet-in and packet out message for calculate controller bandwidth utilization?
Thank you,
hi, could you explain? why 100?
ReplyDelete.
"var thresholdValue = 100;"
There is nothing special about the value of 100, the small threshold value was chosen so that it would reliably trigger an event in the Mininet example.
Delete3. Configure sFlow monitoring on each of the switches:
Deletesudo ovs-vsctl -- --id=@sflow create sflow agent=eth0 target=\"127.0.0.1:6343\" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow
.
could you explain? why we configure sampling=10 and polling=20. thank you very much.
The following article explains the sampling settings for Mininet:
DeleteLarge flow detection
You can use the sflow.py script to automatically configure Open vSwitch sFlow settings:
Mininet flow analytics
And there is a dashboard that you might find useful:
Mininet dashboard
Hi peter,
ReplyDeleteBefore i have tried this article is running well, but suddenly my laptop bluescreen and when i power on again the ddos protection didnt work. The problem is the sflow still count large flow altough i have launch mininet.js
I have several test from change the script and change topology, but the problem still same. Should i reinstall my server?
Regards,
Hi Peter,
ReplyDeleteI adapted your script for ONOS controller. It works fine. What I want to do is to set a threshold for the number of different 'ipsource's (I want to detect distributed DoS atack). I tried to use value = 'count:ipsources' unfortunately this is not working. Actually I couldn't manage to use count function for any flow key. Can you suggest a way to put count function into use?
Best regards,
Sinan Tatlicioglu
ipsources isn't a flow key. count:ipsource should work.
DeleteHi Peter,
DeleteSorry for mis-typing. the fact is that whatever flow key I use, count function doesn't work. For this case, yes, count:ipsource doesn't work either. In my scenario I use hping3 in random source mode to simulate different ip sources and using wireshark I check out that there are hundreds of different ip sources but the metric value set as 'count:ipsource' never gets beyond 1. Maybe I am doing something wrong or maybe the count function doesn't work (I suspect this is the case because it works none of the flow keys I use, for example count:bytes never works). Please can you check and share if you find any piece of working script that can count any flow key? or can you confirm that there is something wrong with the count function?
thanks,
Sinan Tatlicioglu
Hi Peter,
Deleteplease cancel my previous message. I can use the count function now. my mistake was not to use "flow/json" instead of "flows/json".
Thanks for your attention and the marvelous sflow-rt :)
Hello Peter,
ReplyDeleteIt is very useful blog.I am trying to implement same script using pox controller but i am getting error:
net.js:639
throw new TypeError('invalid data');
^
TypeError: invalid data
at WriteStream.Socket.write (net.js:639:11)
at ClientRequest. (/home/sdx/sflow-rt/extras/mininet.js:47:20)
at ClientRequest.g (events.js:273:16)
at emitOne (events.js:90:13)
at ClientRequest.emit (events.js:182:7)
at HTTPParser.parserOnIncomingClient [as onIncoming] (_http_client.js:469:21)
at HTTPParser.parserOnHeadersComplete (_http_common.js:103:23)
at Socket.socketOnData (_http_client.js:359:20)
at emitOne (events.js:90:13)
at Socket.emit (events.js:182:7)
Can you please help me?
I am using pyretic to run my pox controller using policy.
Thank you,
Do you have the script modified for POX controller?
DeleteHi Peter,
ReplyDeletecan we use id pf request dns as key flow for monitoring dns traffic?
Thank you,
Yes, the sFlow-RT allows the dnsid as a flow key.
Deleteso firt i wanna thank you for the answer,
Deletewhy you didnt use openflow instead of sflow for monitoring ,there are any advantages for using this tools in monitoring ?
and i wanna ask you if you have any article or code explain how we can use sflow to manipulate dns request/response (store ID & doing correspondence between request/response)
sFlow is a measurement technology and cannot manipulate dns requests/responses. The article, OpenFlow and sFlow, describes how sFlow and OpenFlow provide complementary visibility and control capabilities that can be combined to build control loops.
Deleteso do you have any idea how we can manipulate dns requests/responses? in such a way after receiving input data from sflow doing some manipulation in traffic dns?
Deletea second question is that if Can be needed in db to store sflow's input data in order to do some manipulation?
You could program an OpenFlow rule to intercept all the DNS requests and process them on your controller (e.g.
DeleteHP Network Protector SDN Application - Introduction of the HP Network Protector Solution).
You can use sFlow-RT to profile DNS activity and push controls to your SDN controller, for example, DNS amplification attacks
First thank you for your help,
Deleteso there are any idea how to process DNS request and response without redirect all trafic to controller because if we use this method There is a risk of generating an attack on the controller?
Hi Peter,
Deleteyou told me that sFlow-RT allows the dnsid as a flow key,but i didnt find it in "http://sflow-rt.com/define_flow.php#keys",plz if can you confirm if sFlow-RT use dnsid,Thanks a lot
The dnsid flow key was missing from the documentation. I have added it. Thanks.
Deletesir, i am getting error while giving floodlight as controller, can u help me in this
ReplyDeleteThis comment has been removed by the author.
DeleteHi Peter,
ReplyDeleteCan we monitor more than one switch?
Thank you,
Mutalip
Yes, you can monitor multiple switches.
DeleteThe following article describes a simpler method of configuring sFlow on all the Mininet switches and posting topology to sFlow-RT Mininet flow analytics. You might also find the Mininet dashboard useful.
http://blog.sflow.com/2013/01/performance-aware-software-defined.html
ReplyDeleteI have done it by using this way.
$python ddos.py
mininet-> h1 ping -f h2
But there is no data in http://192.168.0.185:8008/metric/ALL/ddos/html.
The sFlow-RT APIs have changes since this, and the article you referenced, were published. The API changes are discussed in the comments on both articles.
DeleteThe main changes relate to the way address groups are defined and referenced in flow definitions.
Hi sir,
ReplyDeleteHow can i get each delta T a count number of packets per ipDestination using API REST; I need a periodic stream of data per ipDestination like that:
T0:{ipDestination :"X0",number of packets:"N0"},T1:{ipDestination :"X0",number of packets:"N1"}
Thanks in advance
First, use HTTP PUT /flow/destinationframes/json to define a flow called 'destinationframes' with {keys:'ipdestination',value:'frames'}. Next, periodically query the /activeflows/ALL/destinationframes/json. The values returned by the query are in frames/second, so multiply by the polling interval to get total frames in the interval. See Writing Applications for more information.
Deletei tried the command nodejs mininet.js but it seems not found
ReplyDeletemodule.js:328
throw err
cannot find module /home/test/mininet.js
Can this be made to work with POX controller?
ReplyDeletehi Peter,
ReplyDeletehow do i implement this " Open vSwitch will report on traffic that dropped and so you need the filter to separate dropped from forwarded traffic and see the effect of the filtering action." I already applied the filter outputifindex!=discard in the mitigation script and now able to see ddos and flows metric. However the traffic of both the metric appears to be similar.
Hello, I updated the script with the most resent API changes, I ran the ddos and it appeared on http://localhost:8008/metric/all/ddos/html then I ran the script and the mitigation was successful. The problem is that I can't repeat the simulation. Even after this command: curl http://localhost:8080/wm/staticflowentrypusher/clear/all/json
ReplyDeleteCan you please tell me where I'm wrong, and how to make it work again?
This is a very old article and I haven't used Floodlight or nodejs since writing it. You need to wait a period after stopping the simulated attack for sFlow-RT threshold and flow state to clear (1 minute should do it).
DeleteThere are many more recent DDoS articles that you might want to look at. The Ryu example is very similar to this article.
How did you update the script with the most recent API changes? Please help as the DOS attack is being detected by sflow-RT but the script is not working stating the below error.
Delete/home/mininet/floodlight/sflow-rt/extras/mininet.js:149
for(var j = 0; j < ports.length; j++) {
^
TypeError: Cannot read property 'length' of undefined
at /home/mininet/floodlight/sflow-rt/extras/mininet.js:149:34
at IncomingMessage. (/home/mininet/floodlight/sflow-rt/extras/mininet.js:48:33)
at IncomingMessage.emit (events.js:203:15)
at endReadableNT (_stream_readable.js:1145:12)
at process._tickCallback (internal/process/next_tick.js:63:19)
I haven't looked at Floodlight or nodejs since writing this article so I can't be of much help. There are many more recent DDoS articles you might want to look at. The Ryu example is very similar to this one.
Delete