Thursday, April 5, 2018

ONOS measurement based control

ONOS traffic analytics describes how to run the ONOS SDN controller with a virtual network created using Mininet. The article also showed how to monitor network traffic using industry standard sFlow instrumentation available in Mininet and in physical switches.
This article uses the same ONOS / Mininet test bed to demonstrate how sFlow-RT real-time flow analytics can be used to push controls to the network through the ONOS REST API.  Leaf and spine traffic engineering using segment routing and SDN used real-time flow analytics to load balance an ONOS controlled physical network. In this example, we will use ONOS to filter DDoS attack traffic on a Mininet virtual network.

The following sFlow-RT script, ddos.js, detects DDoS attacks and programs ONOS filter rules to block the attacks:
var user = 'onos';
var password = 'rocks';
var onos = '';
var controls = {};


setEventHandler(function(evt) {
 // don't consider inter-switch links
 var link = topologyInterfaceToLink(evt.agent,evt.dataSource);
 if(link) return;

 // get port information
 var port = topologyInterfaceToPort(evt.agent,evt.dataSource);
 if(!port) return;

 // need OpenFlow info to create ONOS filtering rule
 if(!port.dpid || !port.ofport) return;

 // we already have a control for this flow
 if(controls[evt.flowKey]) return;

 var [ipdestination,udpsourceport] = evt.flowKey.split(',');
 var msg = {
  flows: [
    selector: {
     criteria: [

 var resp = http2({
  body: JSON.stringify(msg)

 var {deviceId,flowId} = JSON.parse(resp.body).flows[0];
 controls[evt.flowKey] = {,

 logInfo("blocking " + evt.flowKey);

setIntervalHandler(function() {
 var now =;
 for(var key in controls) {
   let rec = controls[key];

   // keep control for at least 10 seconds
   if(now - rec.time < 10000) continue;
   // keep control if threshold still triggered
   if(thresholdTriggered(rec.threshold,rec.agent,rec.metric,key)) continue;

   var resp = http2({

   delete controls[key];

   logInfo("unblocking " + key);
Some notes on the script:
  1. The ONOS REST API is used to add/remove filters that block the DDoS traffic.
  2. The controller address,, can be found on the ONOS Cluster Nodes web page.
  3. The udp_reflection flow definition is designed to detect UDP amplification attacks, e.g. DNS amplification attacks
  4. Controls are applied to the switch port where traffic enters the network
  5. The controls structure is used to keep track of state associated with deployed configuration changes so that they can be undone
  6. The intervalHandler() function is used to automatically release controls after 10 seconds - the timeout is short for the purposes of demonstration, in practical deployments the timeout would be much measured in hours
  7. For simplicity, this script is missing the error handling needed for production use. 
  8. See Writing Applications for more information.
We are going to use hping3 to simulate a DDoS attack, so install the software using the following command:
sudo apt install hping3
Run the following command to start sFlow-RT and run the ddos.js script:
env RTPROP=-Dscript.file=ddos.js ./
Next, start Mininet with ONOS:
sudo mn --custom ~/onos/tools/dev/mininet/,sflow-rt/extras/ \
--link tc,bw=10 --controller onos,1 --topo tree,2,2
Generate normal traffic between hosts h1 and h3:
mininet-onos> iperf h1 h3
The weathermap view above shows the flow crossing the network from switch s2 to s3 via s1.
Next, launch the simulated DNS amplification attack from h1 to h3:
mininet-onos> h1 hping3 --flood --udp -k -s 53 h3
The weathermap view verifies that the attack has been successfully blocked since none of the traffic is seen traversing the network.

The chart at the top of this article shows the iperf test followed by the simulated attack. The top chart shows the top flows entering the network, showing the DNS amplification attack traffic in blue. The middle chart shows traffic broken out by switch port. Here, the blue line shows the attack traffic arriving at switch s2 port s2-eth1 while the orange line shows that only a small amount of traffic is forwarded to switch s3 port s3-eth3 before the attack is blocked at switch s2 by the controller.

Mininet with ONOS and sFlow-RT is a great way to rapidly develop and test SDN applications, avoiding the time and expense involved in setting up a physical network. The application is easily moved from the Mininet virtual network to a physical network since it is based on the same industry standard sFlow telemetry generated by physical switches. In this case, using commodity switch hardware to cost effectively detect and filter massive (100's of Gbit/s) DDoS attacks.


  1. Hellow Mr Peter, please can you help me,
    When I run the code ddos.js in the sfow-rt directory I get this error.

    sdn@sdn-vm:~/sflow-rt$ nodejs ddos.js

    var [ipdestination,udpsourceport] = evt.flowKey.split(',');
    SyntaxError: Unexpected token [
    at Module._compile (module.js:439:25)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)
    at startup (node.js:119:16)
    at node.js:902:3

    Please help me I need to fixe this error

    1. The script won't work with nodejs. sFlow-RT includes and embedded JavaScript engine that has been extended with additional functions. The article described how to include the script when you start sFlow-RT. See Writing Applications for more information.

  2. hello peter. is there any algorithm detection and migitation that will work with sflow on ipv6 sdn network.

    1. You could easily modify the script in this article for IPv6 DDoS attacks. Change ipsource to ip6source in the flow definition and modify the OpenFlow rule to filter on IPV6_DST instead of IPV4_DST.

  3. can anybody help me how to perform "DNS amplification attack in mininet"

    1. The hping3 command in this article is an example of simulating a DNS amplification using the DNS protocol (UDP port 53). See DNS amplification attacks for more information.

  4. it this article work to mitigate ddos attack in opendaylight controller???

    1. Hi...I have the same question... does it compatible with ODL also? Have anyone test it? thanks

    2. It looks like OpenDaylight no longer supports the OpenFlow features that would allow it to work with Mininet, see Opendaylight flourine creating reactive flows
      Ask Question

      Ryu measurement based control provides an additional example if you are looking for a different controller.

    3. Hi Peter..thanks for your response... I use old verison ODL like beryllium and so far working well openflow with mininet. What do you think? Thanks

    4. You should be able to modify the ONOS script to work with the OpenDaylight REST API. The last time I had it working is described in Open Daylight - the Hydrogen release I believe.

    5. Noted and thank you Peter. Great and thank you again for sharing very informative blog.