Thursday, April 5, 2018

ONOS measurement based control

ONOS traffic analytics describes how to run the ONOS SDN controller with a virtual network created using Mininet. The article also showed how to monitor network traffic using industry standard sFlow instrumentation available in Mininet and in physical switches.
This article uses the same ONOS / Mininet test bed to demonstrate how sFlow-RT real-time flow analytics can be used to push controls to the network through the ONOS REST API. Leaf and spine traffic engineering using segment routing and SDN used real-time flow analytics to load balance an ONOS controlled physical network. In this example, ONOS is used to filter DDoS attack traffic on a Mininet virtual network.

The following sFlow-RT script, ddos.js, detects DDoS attacks and programs ONOS filter rules to block the attacks:
var user = 'onos';
var password = 'rocks';
var onos = '192.168.123.1';
var controls = {};

setFlow('udp_reflection',
 {keys:'ipdestination,udpsourceport',value:'frames'});
setThreshold('udp_reflection_attack',
 {metric:'udp_reflection',value:100,byFlow:true,timeout:2});

setEventHandler(function(evt) {
 // don't consider inter-switch links
 var link = topologyInterfaceToLink(evt.agent,evt.dataSource);
 if(link) return;

 // get port information
 var port = topologyInterfaceToPort(evt.agent,evt.dataSource);
 if(!port) return;

 // need OpenFlow info to create ONOS filtering rule
 if(!port.dpid || !port.ofport) return;

 // we already have a control for this flow
 if(controls[evt.flowKey]) return;

 var [ipdestination,udpsourceport] = evt.flowKey.split(',');
 var msg = {
  flows: [
   {
    priority:4000,
    timeout:0,
    isPermanent:true,
    deviceId:'of:'+port.dpid,
    treatment:[],
    selector: {
     criteria: [
      {type:'IN_PORT',port:port.ofport},
      {type:'ETH_TYPE',ethType:'0x800'},
      {type:'IPV4_DST',ip:ipdestination+'/32'},
      {type:'IP_PROTO',protocol:'17'},
      {type:'UDP_SRC',udpPort:udpsourceport} 
     ]
    }
   }
  ]
 };

 var resp = http2({
  url:'http://'+onos+':8181/onos/v1/flows?appId=ddos',
  headers:{'Content-Type':'application/json','Accept':'application/json'},
  operation:'post',
  user:user,
  password:password,
  body: JSON.stringify(msg)
 });

 var {deviceId,flowId} = JSON.parse(resp.body).flows[0];
 controls[evt.flowKey] = {
  time:Date.now(),
  threshold:evt.thresholdID,
  agent:evt.agent,
  metric:evt.dataSource+'.'+evt.metric,
  deviceId:deviceId,
  flowId:flowId
 };

 logInfo("blocking " + evt.flowKey);
},['udp_reflection_attack']);

setIntervalHandler(function() {
 var now = Date.now();
 for(var key in controls) {
   let rec = controls[key];

   // keep control for at least 10 seconds
   if(now - rec.time < 10000) continue;
   // keep control if threshold still triggered
   if(thresholdTriggered(rec.threshold,rec.agent,rec.metric,key)) continue;

   var resp = http2({
    url:'http://'+onos+':8181/onos/v1/flows/'
        +encodeURIComponent(rec.deviceId)+'/'+encodeURIComponent(rec.flowId),
    headers:{'Accept':'application/json'},
    operation:'delete',
    user:user,
    password:password
   });

   delete controls[key];

   logInfo("unblocking " + key);
 }
});
Some notes on the script:
  1. The ONOS REST API is used to add/remove filters that block the DDoS traffic.
  2. The controller address, 192.168.123.1, can be found on the ONOS Cluster Nodes web page.
  3. The udp_reflection flow definition is designed to detect UDP amplification attacks, e.g. DNS amplification attacks.
  4. Controls are applied to the switch port where traffic enters the network.
  5. The controls structure keeps track of the state associated with deployed configuration changes so that they can be undone.
  6. The interval handler registered with setIntervalHandler() automatically releases controls after 10 seconds - the timeout is short for the purposes of demonstration; in practical deployments the timeout would be measured in hours.
  7. For simplicity, this script is missing the error handling needed for production use.
  8. See Writing Applications for more information.
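As an added example (not part of the original article or of the sFlow-RT project), the following factors the pure-logic parts of ddos.js into functions that can be exercised without a running sFlow-RT or ONOS: parsing the flow key, building the ONOS REST message, checking the POST response (the error handling note 7 says the script lacks), and the release decision the interval handler makes. The ONOS JSON field names are those used in the script above; stillTriggered stands in for sFlow-RT's thresholdTriggered(), and the dpid, ofport and flowId values in the usage at the bottom are constructed.

```javascript
// Added example: testable pieces of the ddos.js control loop. Not the page's
// script; the ONOS field names match the message it posts, the rest is assumed.

const MIN_HOLD_MS = 10000;   // "keep control for at least 10 seconds"
const RULE_PRIORITY = 4000;  // must exceed the priority of ONOS forwarding rules

// Parse an sFlow-RT flowKey such as "10.0.0.3,53" produced by the
// ipdestination,udpsourceport flow definition, rejecting malformed keys.
function parseFlowKey(flowKey) {
  const parts = String(flowKey).split(',');
  if (parts.length !== 2) throw new Error('flowKey must be ipdestination,udpsourceport: ' + flowKey);
  const [ipdestination, udpsourceport] = parts;
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipdestination)) throw new Error('bad IPv4 address: ' + ipdestination);
  const port = Number(udpsourceport);
  if (!Number.isInteger(port) || port < 0 || port > 65535) throw new Error('bad UDP port: ' + udpsourceport);
  return { ipdestination, udpsourceport: String(port) };
}

// Build the /onos/v1/flows request body that drops the attack flow at its
// ingress port. An empty treatment list means "no action", i.e. drop.
function buildDropRule(flowKey, port) {
  if (!port || !port.dpid || !port.ofport) throw new Error('port lacks OpenFlow dpid/ofport');
  const { ipdestination, udpsourceport } = parseFlowKey(flowKey);
  return {
    flows: [{
      priority: RULE_PRIORITY,
      timeout: 0,
      isPermanent: true,
      deviceId: 'of:' + port.dpid,
      treatment: [],
      selector: {
        criteria: [
          { type: 'IN_PORT', port: port.ofport },
          { type: 'ETH_TYPE', ethType: '0x800' },
          { type: 'IPV4_DST', ip: ipdestination + '/32' },
          { type: 'IP_PROTO', protocol: '17' },
          { type: 'UDP_SRC', udpPort: udpsourceport }
        ]
      }
    }]
  };
}

// Pull the identifiers needed to delete the rule later out of the POST
// response, failing loudly instead of storing an undefined flowId.
function parseFlowResponse(status, body) {
  if (status < 200 || status >= 300) throw new Error('ONOS returned HTTP ' + status);
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { throw new Error('ONOS response is not JSON'); }
  if (!Array.isArray(parsed.flows) || parsed.flows.length === 0) throw new Error('ONOS response has no flows entry');
  const { deviceId, flowId } = parsed.flows[0];
  if (deviceId == null || flowId == null) throw new Error('ONOS response missing deviceId/flowId');
  return { deviceId, flowId: String(flowId) };
}

// Path of the DELETE request; the deviceId contains ':' so it is percent-encoded.
function deleteRulePath(deviceId, flowId) {
  return '/onos/v1/flows/' + encodeURIComponent(deviceId) + '/' + encodeURIComponent(flowId);
}

// Release decision made by the interval handler: hold for at least
// MIN_HOLD_MS, then keep the control only while the threshold is still triggered.
function shouldRelease(control, now, stillTriggered) {
  if (now - control.time < MIN_HOLD_MS) return false;
  if (stillTriggered) return false;
  return true;
}

// Constructed sample (not from the page): attack on 10.0.0.3 from UDP source
// port 53 arriving on port 1 of a switch with datapath id ...0002.
const sampleRule = buildDropRule('10.0.0.3,53', { dpid: '0000000000000002', ofport: 1 });
console.log(JSON.stringify(sampleRule, null, 1));
```

In sFlow-RT the same functions would be called from the event and interval handlers, replacing the inline object literal and the unchecked JSON.parse(resp.body).flows[0] in the script above.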
We are going to use hping3 to simulate a DDoS attack, so install the software using the following command:
sudo apt install hping3
Run the following command to start sFlow-RT and run the ddos.js script:
env RTPROP=-Dscript.file=ddos.js ./start.sh
Next, start Mininet with ONOS:
sudo mn --custom ~/onos/tools/dev/mininet/onos.py,sflow-rt/extras/sflow.py \
--link tc,bw=10 --controller onos,1 --topo tree,2,2
Generate normal traffic between hosts h1 and h3:
mininet-onos> iperf h1 h3
The weathermap view above shows the flow crossing the network from switch s2 to s3 via s1.
Next, launch the simulated DNS amplification attack from h1 to h3:
mininet-onos> h1 hping3 --flood --udp -k -s 53 h3
The weathermap view verifies that the attack has been successfully blocked since none of the traffic is seen traversing the network.

The chart at the top of this article shows the iperf test followed by the simulated attack. The top chart shows the top flows entering the network, with the DNS amplification attack traffic in blue. The middle chart shows traffic broken out by switch port. Here, the blue line shows the attack traffic arriving at switch s2 port s2-eth1, while the orange line shows that only a small amount of traffic is forwarded to switch s3 port s3-eth3 before the attack is blocked at switch s2 by the controller.

Mininet with ONOS and sFlow-RT is a great way to rapidly develop and test SDN applications, avoiding the time and expense involved in setting up a physical network. The application is easily moved from the Mininet virtual network to a physical network since it is based on the same industry standard sFlow telemetry that physical switches generate. In this case, commodity switch hardware could be used to cost effectively detect and filter massive (100's of Gbit/s) DDoS attacks.

98 comments:

  1. Hello Mr Peter, please can you help me,
    When I run the code ddos.js in the sflow-rt directory I get this error.

    sdn@sdn-vm:~/sflow-rt$ nodejs ddos.js

    /home/sdn/sflow-rt/ddos.js:26
    var [ipdestination,udpsourceport] = evt.flowKey.split(',');
    ^
    SyntaxError: Unexpected token [
    at Module._compile (module.js:439:25)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)
    at startup (node.js:119:16)
    at node.js:902:3
    sdn@sdn-vm:~/sflow-rt$

    Please help me, I need to fix this error.

    1. The script won't work with nodejs. sFlow-RT includes an embedded JavaScript engine that has been extended with additional functions. The article describes how to include the script when you start sFlow-RT. See Writing Applications for more information.

  2. Hello Peter. Is there any detection and mitigation algorithm that will work with sFlow on an IPv6 SDN network?

    1. You could easily modify the script in this article for IPv6 DDoS attacks. Change ipsource to ip6source in the flow definition and modify the OpenFlow rule to filter on IPV6_DST instead of IPV4_DST.

  3. Can anybody help me with how to perform a "DNS amplification attack in mininet"?

    1. The hping3 command in this article is an example of simulating a DNS amplification using the DNS protocol (UDP port 53). See DNS amplification attacks for more information.

  4. Does this article work to mitigate DDoS attacks in the OpenDaylight controller???

    1. Hi... I have the same question... Is it compatible with ODL as well? Has anyone tested it? Thanks

    2. It looks like OpenDaylight no longer supports the OpenFlow features that would allow it to work with Mininet, see Opendaylight flourine creating reactive flows.

      Ryu measurement based control provides an additional example if you are looking for a different controller.

    3. Hi Peter.. thanks for your response... I use an old version of ODL like Beryllium and so far OpenFlow is working well with Mininet. What do you think? Thanks

    4. You should be able to modify the ONOS script to work with the OpenDaylight REST API. The last time I had it working is described in Open Daylight - the Hydrogen release I believe.

    5. Noted and thank you Peter. Great and thank you again for sharing very informative blog.

  5. Hi sir,
    I am Anju, my academic project is related to DDoS attacks on SDN using the ONOS controller. But I am confused about how to implement these things. I want to know the basic steps for implementing a DDoS attack on the ONOS controller. Kindly reply as soon as possible.

    1. Have you tried following the steps in this article? The article describes how to simulate a DDoS reflection attack using Mininet and ONOS.

    2. Sir,
      I tried to run these steps, but I am stuck with them. Actually, I don't know where to start these steps. Do you have any basic guideline for running these commands?

    3. Sir,
      I tried following the steps, but I am stuck with some issues, especially
      when I run

      sudo mn --custom ~/onos/tools/dev/mininet/onos.py,sflow-rt/extras/sflow.py \
      --link tc,bw=10 --controller onos,1 --topo tree,2,2

      it shows an error like
      ---------------------------------------
      Caught exception. Cleaning up...

      ImportError: No module named requests
      --------------------------------------


      Please help me. How do I solve this issue?


  6. Hi sir,
    I have one issue. When I run this command

    env RTPROP=-Dscript.file=ddos.js ./start.sh

    the output shows that ddos stopped:
    ----------------------------------------------------
    2019-11-15T14:22:30+05:30 INFO: Starting sFlow-RT 3.0-1441
    2019-11-15T14:22:32+05:30 INFO: Version check, 3.0-1446 available
    2019-11-15T14:22:32+05:30 INFO: Listening, sFlow port 6343
    2019-11-15T14:22:32+05:30 INFO: Listening, HTTP port 8008
    2019-11-15T14:22:32+05:30 INFO: ddos.js started
    2019-11-15T14:22:33+05:30 WARNING: ddos.js IO exception ddos.js
    2019-11-15T14:22:33+05:30 INFO: ddos.js stopped
    -----------------------------------------------


    How do I solve this issue?
    Please help me.

    1. Did you modify the ddos.js script to match your ONOS setup? You need to set the user, password, and onos variables for your ONOS instance.

    2. I gave
      user :onos
      password :rocks
      ONOS :127.0.0.1
      but it's not working,
      it shows the same output
      ----------------------------------------
      2019-11-15T14:22:33+05:30 WARNING: ddos.js IO exception ddos.js
      2019-11-15T14:22:33+05:30 INFO: ddos.js stopped
      ------------------------------------

      What do I do? Do you have any suggestions??
      Please help me

    3. The WARNING: ddos.js IO exception ddos.js indicates that the ddos.js script couldn't be found. sFlow-RT references files relative to its home directory (sflow-rt) and if you run the commands in this example the ddos.js script needs to be in the sflow-rt directory.

  7. Hi Mr Peter, I get this error:

    2019-12-10T00:54:37+07:00 INFO: Starting sFlow-RT 3.0-1441
    2019-12-10T00:54:42+07:00 INFO: Version check, 3.0-1449 available
    2019-12-10T00:54:42+07:00 INFO: Listening, sFlow port 6343
    2019-12-10T00:54:46+07:00 INFO: Listening, HTTP port 8008
    2019-12-10T00:54:47+07:00 INFO: ddos.js started
    2019-12-10T00:54:47+07:00 INFO: app/mininet-dashboard/scripts/metrics.js started
    2019-12-10T00:54:47+07:00 INFO: app/flow-trend/scripts/top.js started
    2019-12-10T00:54:47+07:00 INFO: app/trace-flow/scripts/trace.js started
    2019-12-10T01:00:50+07:00 WARNING: ddos.js ddos.js#48 IO error java.net.SocketTimeoutException: Read timed out
    2019-12-10T01:00:50+07:00 INFO: ddos.js stopped

    Can you help me? Thanks

    1. The error indicates that the ddos.js script cannot connect to the ONOS REST API. Is ONOS running? Is the REST API enabled? Do you have the correct address configured in the onos variable in the script?

    2. I tried running it again and suddenly it works, but there was no traffic blocking. Must the REST API be activated even though the script can be run?

      lutfianto@lutfianto:~/sflow-rt$ sudo env RTPROP=-Dscript.file=ddos.js ./start.sh[sudo] password for lutfianto:
      2019-12-10T17:06:27+07:00 INFO: Starting sFlow-RT 3.0-1441
      2019-12-10T17:06:30+07:00 INFO: Version check, 3.0-1450 available
      2019-12-10T17:06:31+07:00 INFO: Listening, sFlow port 6343
      2019-12-10T17:06:33+07:00 INFO: Listening, HTTP port 8008
      2019-12-10T17:06:33+07:00 INFO: ddos.js started
      2019-12-10T17:06:33+07:00 INFO: app/mininet-dashboard/scripts/metrics.js started
      2019-12-10T17:06:33+07:00 INFO: app/flow-trend/scripts/top.js started
      2019-12-10T17:06:33+07:00 INFO: app/trace-flow/scripts/trace.js started
      2019-12-10T17:07:02+07:00 INFO: blocking 10.0.0.3,53

      I put ONOS in Docker. How do I enable the REST API? Is it right to activate it with activate org.onosproject.restdb and org.onosproject.drivers.ciena.waveserver, and then create a JSON file and upload it to ONOS like this reference https://wiki.onosproject.org/display/ONOS/REST?

      May I have your e-mail? Thanks for your help.

    3. Are you sure it isn't blocking? It looks like the REST call was successfully applied. You will still see traffic arriving at the first switch port. You can tell if it is being blocked because the trend lines for the upstream ports will drop - the gold line in the Mininet Dashboard screen shot in this article. You can also confirm that the traffic was dropped by looking at the topology view - the link widths indicate traffic.

    4. Thanks Mr Peter, after I looked at the topology view like in your project. I tried to add attackers and then looked at the topology view; why does it look so different? The script only blocks the first attack. Can this rule block more than one attacker? Thanks for your answer.

    5. The script uses the flow keys: ipdestination,udpsourceport to monitor traffic and triggers a control that blocks all traffic that matches the flow, i.e. all attackers targeting the ipdestination. You will only see a new rule created if a different ipdestination is targeted, or a different udpsourceport is involved.

    6. In the first scenario I try to use one attacker, then the results are like your project. But when I try to attack with two attackers on the same host the result shows packet loss in the measurement. I attach a screenshot of the result. The difference between scenarios one and two is only the number of attackers.

      This for one attacker https://prntscr.com/qj24j4
      and its for two attackers https://prntscr.com/qj27nq
      Can you help me to resolve my problem? Thanks.

    7. The script assumes a single filtering action will block all sources of the DDoS attack. In your case, the two hosts attack over different ports and the script doesn't add a second rule on the second switch port to block the second attack.

      The ONOS REST API used in this example applies a flow to a specific OpenFlow device. It may be possible to modify the script to use a more general policy based API to block the traffic on all switch ports, but I haven't experimented.

  8. Hi Peter,

    I have implemented this script and it is blocking and unblocking IPs fine for DDoS.

    Can you please help me with the scenario where if Host 1 is attacking Host 2 with ddos using "h1 hping3 --flood --udp -k -s 53 h3" then instead of blocking host, it forwards the traffic to another host (example h4,h5 etc).

    Waiting for your reply on this.

    1. I am afraid my knowledge of OpenFlow and ONOS is limited. You may be able to use the policy framework to redirect the traffic.

      If a policy doesn't work, you should be able to create a set of OpenFlow rules for each of the switches in the path between h1 and h5 to do the traffic redirect.

    2. Hi Peter,

      I am afraid my knowledge is also very limited. Can you please advise how to create a policy framework to redirect the traffic.

      Also how to set OpenFlow rules on switch to have a desired traffic redirection.

    3. Hi Peter,

      Waiting for your reply on the above, and I also wanted to ask whether we can redirect traffic by using the ONOS REST API?

      Regards

      Usama

  9. Hi Mr Peter, I want to ask:
    Can I combine TCP and UDP filter rules in one script? If so, how do I do it?
    I attach filter rules for TCP and UDP.

    tcp -> https://drive.google.com/open?id=1JL2TyWCXfTKvaum9vpxCvl-QdVZHbvFC
    udp -> https://drive.google.com/open?id=1hFmPUE7I2GoolHW2s75thjdH4fTLan1O

    1. You can unify the event and interval handlers to manage the UDP and TCP rules. The ddos-protect application provides an example.

  10. Hi Peter,

    In this script the threshold command has the value 100. I was previously using elephant.py and with your guidance I successfully implemented a 5 Mb/s threshold. How may I set the threshold to 5 Mb/s here too, as my topology links are 10 Mb/s?

    I simply want to block any traffic flow exceeding 5 Mb/s.

    Thanks

    1. You can change the flow definition value to bytes and set an appropriate threshold:

      setFlow('udp_reflection',
      {keys:'ipdestination,udpsourceport',value:'bytes'});
      setThreshold('udp_reflection_attack',
      {metric:'udp_reflection',value:5000000/8,byFlow:true,timeout:2});

  11. I am unable to locate the ddos.js script to make the suggested changes. At what path is the file saved, or do we have to create the file?

    1. You need to create the file and put it in the sflow-rt home directory.

  12. I have created the file and edited it to block TCP traffic above 2 Mb/s. Whenever there is any traffic above that threshold it successfully shows a log of blocking the IP and port. The same rule is reflected in the GUI panel of ONOS. However, traffic is not blocked.
    After days of troubleshooting I have noticed that the flow rule created by the script remains Pending Add in the GUI panel of ONOS; it never becomes Added and eventually it is removed. Meanwhile the temporary flow rules created for the generated traffic are added instantly. Therefore, traffic is passing.
    Below is the edited script along with logs:
    var user = 'onos';
    var password = 'rocks';
    var onos = '172.17.0.5';
    var controls = {};

    setFlow('tcp_reflection',
    {keys:'ipsource,tcpdestinationport',value:'bytes'});
    setThreshold('tcp_reflection_attack',
    {metric:'tcp_reflection',value:2000000/8,byFlow:true,timeout:2});

    setEventHandler(function(evt) {
    // don't consider inter-switch links
    var link = topologyInterfaceToLink(evt.agent,evt.dataSource);
    if(link) return;

    // get port information
    var port = topologyInterfaceToPort(evt.agent,evt.dataSource);
    if(!port) return;

    // need OpenFlow info to create ONOS filtering rule
    if(!port.dpid || !port.ofport) return;

    // we already have a control for this flow
    if(controls[evt.flowKey]) return;

    var [ipsource,tcpdestinationport] = evt.flowKey.split(',');
    var msg = {
    flows: [
    {
    priority:4000,
    timeout:0,
    isPermanent:true,
    deviceId:'of:'+port.dpid,
    treatment:[],
    selector: {
    criteria: [
    {type:'IN_PORT',port:port.ofport},
    // {type:'ETH_TYPE',ethType:'0x800'},
    {type:'IPV4_SRC',ip:ipsource+'/32'},
    // {type:'IP_PROTO',protocol:'17'},
    {type:'TCP_DST',tcpPort:tcpdestinationport}
    ]
    }
    }
    ]
    };

    var resp = http2({
    url:'http://'+onos+':8181/onos/v1/flows?appId=ddos',
    headers:{'Content-Type':'application/json','Accept':'application/json'},
    operation:'post',
    user:user,
    password:password,
    body: JSON.stringify(msg)
    });

    var {deviceId,flowId} = JSON.parse(resp.body).flows[0];
    controls[evt.flowKey] = {
    time:Date.now(),
    threshold:evt.thresholdID,
    agent:evt.agent,
    metric:evt.dataSource+'.'+evt.metric,
    deviceId:deviceId,
    flowId:flowId
    };

    logInfo("blocking " + evt.flowKey);
    },['tcp_reflection_attack']);

    setIntervalHandler(function() {
    var now = Date.now();
    for(var key in controls) {
    let rec = controls[key];

    // keep control for at least 10 seconds
    if(now - rec.time < 10000) continue;
    // keep control if threshold still triggered
    if(thresholdTriggered(rec.threshold,rec.agent,rec.metric,key)) continue;

    var resp = http2({
    url:'http://'+onos+':8181/onos/v1/flows/'
    +encodeURIComponent(rec.deviceId)+'/'+encodeURIComponent(rec.flowId),
    headers:{'Accept':'application/json'},
    operation:'delete',
    user:user,
    password:password
    });

    delete controls[key];

    logInfo("unblocking " + key);
    }
    });

  13. Below are the ONOS flow entries created when traffic is started. The first two entries are for the traffic and the last entry is generated by the ddos.js script; it remains Pending Add as I mentioned earlier. Another thing I was wondering about: both traffic entries' App Name field had fwd with (*), however our ddos entry is without one. I have already searched the Applications page and there is no ddos app to start. I only mention it as I was thinking this could be the issue.

    Added 2,569 7 10 0 IN_PORT:1, ETH_DST:9A:F0:FB:83:87:84, ETH_SRC:02:9C:60:4B:7A:B3 imm[OUTPUT:3], cleared:false *fwd
    Criteria: IN_PORT:1, ETH_DST:9A:F0:FB:83:87:84, ETH_SRC:02:9C:60:4B:7A:B3
    Treatment Instructions: imm[OUTPUT:3], cleared:false

    Added 2,399 7 10 0 IN_PORT:3, ETH_DST:02:9C:60:4B:7A:B3, ETH_SRC:9A:F0:FB:83:87:84 imm[OUTPUT:1], cleared:false *fwd
    Criteria: IN_PORT:3, ETH_DST:02:9C:60:4B:7A:B3, ETH_SRC:9A:F0:FB:83:87:84
    Treatment Instructions: imm[OUTPUT:1], cleared:false

    Pending Add 0 0 4000 0 IN_PORT:1, ETH_TYPE:ipv4, IP_PROTO:17, IPV4_SRC:10.0.0.1/32, TCP_DST:5566 imm[NOACTION], cleared:false ddos
    Criteria: IN_PORT:1, ETH_TYPE:ipv4, IP_PROTO:17, IPV4_SRC:10.0.0.1/32, TCP_DST:5566
    Treatment Instructions: imm[NOACTION], cleared:false

    Another issue I wonder about is that the ddos flow entry shows NOACTION as the treatment action. But it shows blocking on the terminal (log pasted below).
    2020-07-22T13:15:01-07:00 INFO: blocking 10.0.0.1,5566
    2020-07-22T13:15:20-07:00 INFO: unblocking 10.0.0.1,5566


    Thank you very much for the support.

    1. What version of ONOS are you using? It looks like the ONOS REST API has changed since this article was written. You could try using an older version of ONOS, or you need to figure out why the flow rules are added as pending rather than immediately active.

    2. onos> summary
      node=172.17.0.5, version=1.15.0 clusterId=onos

  14. Hello Peter, in theory, is sflow-rt installed on the switch or on the SDN controller?

    1. Typically a single instance of sFlow-RT is paired with the SDN controller. sFlow-RT provides real-time network-wide analytics that can be used to trigger SDN control actions.

    2. Hello Peter, is there a way to include a bytes threshold in this script... the theory is that the packets should be blocked if it sends 100 frames over the set threshold, for instance 5 Mb?

      setFlow('udp_reflection',
      {keys:'ipdestination,udpsourceport',value:'frames'});
      setThreshold('udp_reflection_attack',
      {metric:'udp_reflection',value:100,byFlow:true,timeout:2});

    3. You can define secondary values when you define a flow:
      setFlow('udp_reflection',
      {keys:'ipdestination,udpsourceport',value:'frames',values:'bytes'});

      You can't set a threshold that checks both the frames and bytes values, but you can check the secondary values in the eventHandler:

      setEventHandler(function(evt) {
      if(evt.values[0] < (5000000/8)) return;
      // passed both thresholds
      }, ['udp_reflection_attack']);

  15. Hi Peter, I ran the ddos script; it seems that as soon as I enter the hping3 attack, the ddos script immediately stops.. thus no blocking of the IP address is made... here is what is shown

    env RTPROP=-Dscript.file=ddos.js ./start.sh
    2021-02-02T06:19:42-08:00 INFO: Starting sFlow-RT 3.0-1551
    2021-02-02T06:19:45-08:00 INFO: Version check, running latest
    2021-02-02T06:19:45-08:00 INFO: Listening, sFlow port 6343
    2021-02-02T06:19:46-08:00 INFO: Listening, HTTP port 8008
    2021-02-02T06:19:46-08:00 INFO: ddos.js started
    2021-02-02T06:19:46-08:00 INFO: app/mininet-dashboard/scripts/metrics.js started
    2021-02-02T06:25:44-08:00 WARNING: ddos.js ddos.js#48 IO error java.net.SocketTimeoutException: connect timed out
    2021-02-02T06:25:45-08:00 INFO: ddos.js stopped



    1. Sorry for this one, it turned out the IP address of my ONOS controller changed, but I forgot to change it in the script.. it works now, thank you

  16. Hi Peter, I realise the terminal only mentions the blocked IP; is there any way I can display the source of the DDoS?

    1. A DDoS attack typically has a large number of sources, so breaking out the attack by source address is of limited use.

      You could define a new flow in response to an attack that breaks out additional detail, e.g.
      setFlow('details-attack2', {
      keys:'ipsource',
      value:'frames',
      filter:'ipdestination=x.x.x.x&udpsourceport=nn'
      });

      Where x.x.x.x is the ipdestination and nn is udpsourceport identified in the threshold event.

    2. Do i need additional information in here as well?

      logInfo("blocking " + evt.flowKey);
      },['udp_reflection_attack']);

    3. It probably doesn't make sense to set a threshold on the new flow. You can use an interval handler to read the values.

      You could also add secondary values to the flow definition to help decide if it is worth looking for additional information. For example, adding count:ipsource would let you know if the number of sources is small enough to warrant further analysis.

    4. Sorry, maybe I explained it wrongly. The theory is that on the terminal display of sFlow, if the port is blocked, it will display "blocking 10.0.0.5".. is it possible to add "blocking 10.0.0.5 source: 10.0.0.1 (source of attack)" on the same terminal?

    5. If you want to track ipsource you can make the following modifications to the script:

      1. Change the setFlow definition:
      keys:'ipsource,ipdestination,udpsourceport'

      2. Add the key to the event handler decode:
      var [ipsource,ipdestination,udpsourceport] = evt.flowKey.split(',');

      This should work with the hping3 test in this example, but isn't a realistic method of blocking DDoS attacks where the attack comes from many source addresses.

    6. Hello Peter, is there any way I can include the mitigation for TCP as well in the script?

    7. You can check out the sources for ddos-protect for an example of handling multiple DDoS signatures.

    8. Is there any way I can run 2 scripts at the same time instead? One for UDP, one for TCP?

    9. You can provide a comma separated list of scripts:
      script.file=ddos_udp.js,ddos_tcp.js

      Just make sure that the names used when you define flows and thresholds are unique between scripts.

    10. Thank you Peter, one question: instead of blocking, is there any way it can implement traffic path redirection as a result of a DoS attack?

    11. There used to be a REST API that could be used to set up segment routing tunnels. I don't believe it's available in the current version of ONOS, but it's possible that the new intent based APIs could be used for a similar purpose.

      Leaf and spine traffic engineering using segment routing and SDN

    12. Hello Peter, I just tested the script, modified for TCP; it works well, functioning like the UDP script above, but for some reason it unblocks the port faster than intended, despite having the same threshold as UDP, which is 10 sec.. is that a common thing?

    13. Is it possible that you are generating more UDP attack traffic than TCP attack traffic? In addition to keeping the control in place for at least 10 seconds, the controller keeps the control in place for as long as the attack is observed:

      if(thresholdTriggered(rec.threshold,rec.agent,rec.metric,key)) continue;

      If the UDP attack was larger, it will take longer for the threshold to clear.

    14. Hello Peter, last time I asked whether it is possible to include and display the IP address of the attack source (yes, I agree this seems not to be realistic)... is it possible to show the switch through which the DoS attack is coming instead of the IP address of the source?

      For instance, if the DoS is coming through s2, then the terminal will show "blocking 10.0.x.x source "switch device id""...

    15. logInfo("blocking " + evt.flowKey + " switch " + port.node);

    16. I run both the TCP and UDP scripts (threshold using bandwidth), then generate both TCP and UDP normal traffic using iperf... UDP is fine, but for TCP, sFlow labelled the normal TCP traffic as DDoS, probably because the TCP traffic uses a lot of bandwidth, reaching the threshold. Is there any alternative way to handle this?

    17. You could use a secondary value to count the source IP addresses and ignore the event if there is only 1 source.

      setFlow('tcp_flood',{keys:'ipdestination,tcpdestinationport',value:'frames',values:'count:ipsource'});

      Then in the event handler:

      if(evt.values[0] == 1) return;

    18. Peter, I tested it by sending UDP packets first, then used the DoS command, trying to emulate what happens if there is any action, but it did not detect, block or trigger on any packet.

    19. You need to get hping3 to emulate multiple attackers, try the --rand-source option.

    20. No, I mean if I test the flood attack it works fine.. but I tried to test the detection by making sure h1 sent TCP/UDP packets to h2 (server) and then entered h1 hping3 --flood --udp -k -s 53 h3... the SDN did not trigger any action... it waits until the packets are finished, then it blocks.

    21. Hi Peter, from my understanding, is it because of the flow table, the switch takes an action from the flow entries?

    22. Is there anywhere I can include or manipulate the priority of the flow?

    23. Change the priority setting in the flows object in the REST message from 4000 to whatever you want.

    24. Solved it, thanks Peter.. I overlooked it in nano. It turns out the priority was the same as the flow entries on the flow table. Already set it higher. Thanks

  17. Hello Peter, can you please guide me on how to make 1 node a DNS server with the ONOS controller, as I have to implement a DNS reflection attack

    1. The hping3 line in the article simulates a DNS reflection attack, udp port 53:

      h1 hping3 --flood --udp -k -s 53 h3

    2. Thank you so much Peter, can you explain this command? As per my understanding this command has started a DNS service on h3. Am I right?

    3. No, it doesn't actually start a DNS service. The hping3 command spoofs the traffic you would expect to see if h1 was being used as a DNS reflector in an attack on h3.

    4. Thanks again Peter, can you please guide me on how to start a DNS service on h1?
      Because that's what my assignment is: to start a DNS service on one node and then launch the attack.

    5. Sorry - I haven't run a DNS server in Mininet, so I can't help you. If you are going to simulate the elements of a DNS amplification attack you will need a host to act as a DNS server, another host to send spoofed DNS requests to the DNS server, and a target host that will receive the DNS responses.

      I have found simulating DDoS attacks using hping3 is much simpler and is sufficient for most purposes.

  18. Hi Peter, do you have any example of a malware attack on SDN using the ONOS controller?

    1. Sorry, this article is the only one I have.

  19. I am getting a warning of java.io.IOException, status return code 400. I am not sure why I am getting this. This error appears whenever I use iperf to generate traffic between h1 and h4.

    After this I get an info message saying that ddos.js has stopped.

    var resp = http2({
      url:'http://'+onos+':8181/onos/v1/flows?appId=ddos',
      headers:{'Content-Type':'application/json','Accept':'application/json'},
      operation:'post',
      user:user,
      password:password,
      body: JSON.stringify(msg)
    });

    1. This is surprising. The ddos.js script only looks for UDP traffic (the udp_reflection flow has the keys ipdestination,udpsourceport) and shouldn't respond to a tcp iperf test.

    2. Let me apologize for not sharing the code. The code was already modified to deal with TCP traffic; I found it here in the blogs. My ONOS version is 2.6.0.

      var user = 'onos';
      var password = 'rocks';
      var onos = '127.0.0.1';
      var controls = {};

      setFlow('tcp_reflection',
       {keys:'ipsource,tcpdestinationport',value:'bytes'});
      setThreshold('tcp_reflection_attack',
       {metric:'tcp_reflection',value:5000000/8,byFlow:true,timeout:2});

      setEventHandler(function(evt) {
       // don't consider inter-switch links
       var link = topologyInterfaceToLink(evt.agent,evt.dataSource);
       if(link) return;

       // get port information
       var port = topologyInterfaceToPort(evt.agent,evt.dataSource);
       if(!port) return;

       // need OpenFlow info to create ONOS filtering rule
       if(!port.dpid || !port.ofport) return;

       // we already have a control for this flow
       if(controls[evt.flowKey]) return;

       var [ipsource,tcpdestinationport] = evt.flowKey.split(',');
       var msg = {
        flows: [
         {
          priority:4000,
          timeout:0,
          isPermanent:true,
          deviceId:'of:'+port.dpid,
          // state:ADD,
          "treatment":{
           "instructions":[
            {
             "type":"OUTPUT",
             "PORT":"6"
            }]},
          selector: {
           criteria: [
            {type:'IN_PORT',port:port.ofport},
            {type:'ETH_TYPE',ethType:'0x800'},
            {type:'IPV4_DST',ip:ipsource+'/32'},
            {type:'IP_PROTO',protocol:'6'},
            {type:'TCP_DST',tcpPort:tcpdestinationport}
           ]
          }
         }
        ]
       };

       var resp = http2({
        url:'http://'+onos+':8181/onos/v1/flows?appId=ddos',
        headers:{'Content-Type':'application/json','Accept':'application/json'},
        operation:'post',
        user:user,
        password:password,
        body: JSON.stringify(msg)
       });

       var {deviceId,flowId} = JSON.parse(resp.body).flows[0];
       controls[evt.flowKey] = {
        time:Date.now(),
        threshold:evt.thresholdID,
        agent:evt.agent,
        metric:evt.dataSource+'.'+evt.metric,
        deviceId:deviceId,
        flowId:flowId
       };

       logInfo("blocking " + evt.flowKey);
      },['tcp_reflection_attack']);

      setIntervalHandler(function() {
       var now = Date.now();
       for(var key in controls) {
        let rec = controls[key];

        // keep control for at least 10 seconds
        if(now - rec.time < 10000) continue;
        // keep control if threshold still triggered
        if(thresholdTriggered(rec.threshold,rec.agent,rec.metric,key)) continue;

        var resp = http2({
         url:'http://'+onos+':8181/onos/v1/flows/'
          +encodeURIComponent(rec.deviceId)+'/'+encodeURIComponent(rec.flowId),
         headers:{'Accept':'application/json'},
         operation:'delete',
         user:user,
         password:password
        });

        delete controls[key];

        logInfo("unblocking " + key);
       }
      });


      Error encountered:
      2021-02-16T14:22:57+05:00 INFO: Starting sFlow-RT 3.0-1551
      2021-02-16T14:23:02+05:00 INFO: Version check, 3.0-1558 available
      2021-02-16T14:23:02+05:00 INFO: Listening, sFlow port 6343
      2021-02-16T14:23:05+05:00 INFO: Listening, HTTP port 8008
      2021-02-16T14:23:05+05:00 INFO: ddos.js started
      2021-02-16T14:23:05+05:00 INFO: app/mininet-dashboard/scripts/metrics.js started
      2021-02-16T14:24:17+05:00 WARNING: ddos.js ddos.js#54 IO error java.io.IOException: Server returned HTTP response code: 400 for URL: http://127.0.0.1:8181/onos/v1/flows?appId=ddos
      2021-02-16T14:24:17+05:00 INFO: ddos.js stopped

    3. Did you get the example working before you modified the code (i.e. Does it work using the original udp_reflection code)? Since ONOS is rejecting the request, is there anything in the ONOS logs indicating why the flow pushed over the REST API was rejected?

  20. Can you tell me where I can find the logs?

    1. Sorry - I don't know. You will need to find out how logging on ONOS works.

  21. Hello, I changed the threshold to bandwidth, but let's say I have different bandwidths for s1 and s2, do I need to include an additional threshold?

    1. It's up to you. You can set different thresholds based on the link bandwidth. Unfortunately, this is difficult with Mininet since the bandwidth settings on the links aren't reflected in the sFlow measurements, so you will need to create a lookup from link to bandwidth.

    2. Do you have any example for this? I can't seem to find many resources on ONOS.

    3. Sorry - no. I always use 10Mbits/second for the Mininet link bandwidth. The default settings in the sflow.py script configure OVS sampling for 10Mbits/second links.

    4. Hi Peter, for the attack command "h1 hping3 --flood --udp -k -s 53 h3", instead of the rand source option?

  22. Hello Peter, I want to use sFlow-RT but without Mininet. I want to send my own real topology to sFlow-RT; is just changing sflow.py enough? Thanks.

    1. The sflow.py script is only useful with Mininet. If you are monitoring a physical network then you need to configure sFlow on the switches. You also need to discover the topology or extract it from a controller, see Topology.

  23. Hi,

    I'm trying to recreate the above lab, but I'm separating ONOS and Mininet onto different machines.

    I'm running Mininet using the command below and integrating it with another machine (ONOS).
    root@mininet-vm:/home/mininet/sflow-rt# mn --custom extras/sflow.py --link tc,bw=10 --controller=remote,ip=192.168.1.3 --switch=default,protocols=OpenFlow10 --topo tree,2,2

    ONOS and sFlow are already able to capture the network topology and traffic, including testing using iperf.

    But somehow when I tried to generate a DDoS attack, the DDoS was still running and didn't get blocked as expected; I can still see traffic running on the sFlow monitoring although the script detected it successfully.

    ^Croot@mininet-vm:/home/mininet/sflow-rt# env RTPROP=-Dscript.file=ddos.js ./start.sh
    2021-06-03T02:55:55-07:00 INFO: Starting sFlow-RT 3.0-1596
    2021-06-03T02:55:57-07:00 INFO: Version check, 3.0-1599 available
    2021-06-03T02:55:57-07:00 INFO: Listening, sFlow port 6343
    2021-06-03T02:55:57-07:00 INFO: Listening, HTTP port 8008
    2021-06-03T02:55:57-07:00 INFO: ddos.js started
    2021-06-03T02:55:57-07:00 INFO: app/mininet-dashboard/scripts/metrics.js started
    2021-06-03T04:07:40-07:00 INFO: blocking 10.0.0.3,53

    Regards,
    Randy

    1. If you look at the screen shot at the top of this article, you will see that the attack traffic is still visible at the ingress switch after the control is applied (because packets are sampled before they are dropped). The middle chart shows that the traffic is no longer being forwarded (see orange line). This can be confirmed by looking at the weathermap view. Is this not what you are seeing?

    2. Thank you for the confirmation. When I checked in detail, the graph is showing as expected; previously I didn't check the "little" drop in traffic in the dashboard.

      https://pasteboard.co/K6yc43v.png

      Regards,
      Randy
