Thursday, April 5, 2018

ONOS measurement based control

ONOS traffic analytics describes how to run the ONOS SDN controller with a virtual network created using Mininet. The article also showed how to monitor network traffic using industry standard sFlow instrumentation available in Mininet and in physical switches.
This article uses the same ONOS / Mininet test bed to demonstrate how sFlow-RT real-time flow analytics can be used to push controls to the network through the ONOS REST API.  Leaf and spine traffic engineering using segment routing and SDN used real-time flow analytics to load balance an ONOS controlled physical network. In this example, we will use ONOS to filter DDoS attack traffic on a Mininet virtual network.

The following sFlow-RT script, ddos.js, detects DDoS attacks and programs ONOS filter rules to block the attacks:
var user = 'onos';
var password = 'rocks';
var onos = '';  // ONOS controller address, see note 2 below
var controls = {};

// udp_reflection flow definition: count frames per destination address and
// UDP source port, so an attack appears as one flow key ipdestination,udpsourceport
setFlow('udp_reflection',
  {keys:'ipdestination,udpsourceport',value:'frames'}
);

// raise an event when a udp_reflection flow exceeds the threshold
// (the frames/s value is an example setting, tune it for your network)
setThreshold('udp_reflection_attack',
  {metric:'udp_reflection',value:100000,byFlow:true,timeout:2}
);

setEventHandler(function(evt) {
  // don't consider inter-switch links
  var link = topologyInterfaceToLink(evt.agent,evt.dataSource);
  if(link) return;

  // get port information
  var port = topologyInterfaceToPort(evt.agent,evt.dataSource);
  if(!port) return;

  // need OpenFlow info to create ONOS filtering rule
  if(!port.dpid || !port.ofport) return;

  // we already have a control for this flow
  if(controls[evt.flowKey]) return;

  var [ipdestination,udpsourceport] = evt.flowKey.split(',');

  // ONOS flow rule: match the attack traffic on its ingress port and drop it
  var msg = {
    flows: [
      {
        priority:40000,
        timeout:0,
        isPermanent:true,
        deviceId:port.dpid,
        treatment:{instructions:[{type:'NOACTION'}]},
        selector: {
          criteria: [
            {type:'IN_PORT',port:port.ofport},
            {type:'ETH_TYPE',ethType:'0x800'},
            {type:'IP_PROTO',protocol:17},
            {type:'IPV4_DST',ip:ipdestination+'/32'},
            {type:'UDP_SRC',udpPort:parseInt(udpsourceport,10)}
          ]
        }
      }
    ]
  };

  // install the rule through the ONOS REST API
  var resp = http2({
    url:'http://'+onos+':8181/onos/v1/flows?appId=ddos',
    headers:{'Content-Type':'application/json','Accept':'application/json'},
    operation:'post',
    user:user,
    password:password,
    body: JSON.stringify(msg)
  });

  // remember what was installed so the rule can be removed later
  var {deviceId,flowId} = JSON.parse(resp.body).flows[0];
  controls[evt.flowKey] = {
    time:Date.now(),
    threshold:evt.thresholdID,
    agent:evt.agent,
    metric:evt.dataSource+'.'+evt.metric,
    deviceId:deviceId,
    flowId:flowId
  };

  logInfo("blocking " + evt.flowKey);
}, ['udp_reflection_attack']);

setIntervalHandler(function() {
  var now = Date.now();
  for(var key in controls) {
    let rec = controls[key];

    // keep control for at least 10 seconds
    if(now - rec.time < 10000) continue;

    // keep control if threshold still triggered
    if(thresholdTriggered(rec.threshold,rec.agent,rec.metric,key)) continue;

    // remove the rule through the ONOS REST API
    var resp = http2({
      url:'http://'+onos+':8181/onos/v1/flows/'+rec.deviceId+'/'+rec.flowId,
      headers:{'Accept':'application/json'},
      operation:'delete',
      user:user,
      password:password
    });

    delete controls[key];
    logInfo("unblocking " + key);
  }
});
Some notes on the script:
  1. The ONOS REST API is used to add/remove filters that block the DDoS traffic.
  2. The controller address (the value of the onos variable) can be found on the ONOS Cluster Nodes web page.
  3. The udp_reflection flow definition is designed to detect UDP amplification attacks, e.g. DNS amplification attacks.
  4. Controls are applied to the switch port where traffic enters the network.
  5. The controls structure is used to keep track of state associated with deployed configuration changes so that they can be undone.
  6. The intervalHandler() function is used to automatically release controls after 10 seconds - the timeout is short for the purposes of demonstration; in practical deployments the timeout would be much longer, measured in hours.
  7. For simplicity, this script is missing the error handling needed for production use.
  8. See Writing Applications for more information.
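The control lifecycle the notes describe (one rule per flow key, a 10 second minimum hold, release once the threshold clears), plus the limitation raised in the comments below (a second attacker on another port reuses the same flow key and gets no new rule), as an added example that is not part of the original post or of sFlow-RT. The sFlow-RT callbacks and the ONOS REST client are replaced by injected stubs (createController, fakeOnos and their fields are assumptions of this example) so it runs under plain Node.js.

```javascript
// Added example (not the post's code): the block/unblock bookkeeping of
// ddos.js with clock, threshold state and ONOS client injected as stubs.
const HOLD_MS = 10000;   // the script's 10 second minimum hold time

function createController({ onos, now, stillTriggered }) {
  const controls = {};   // flowKey -> state needed to undo the ONOS rule
  return {
    // Mirrors the setEventHandler body: at most one drop rule per flow key.
    onEvent(evt, port) {
      if (!port || !port.dpid || !port.ofport) return 'skipped';
      if (controls[evt.flowKey]) return 'already-blocked';
      const [ipdestination, udpsourceport] = evt.flowKey.split(',');
      const { deviceId, flowId } = onos.addDrop({
        deviceId: port.dpid, inPort: port.ofport, ipdestination, udpsourceport
      });
      controls[evt.flowKey] = { time: now(), deviceId, flowId };
      return 'blocked';
    },
    // Mirrors the setIntervalHandler body; returns the flow keys released.
    onInterval() {
      const released = [];
      for (const key of Object.keys(controls)) {
        const rec = controls[key];
        if (now() - rec.time < HOLD_MS) continue;   // minimum hold time
        if (stillTriggered(key)) continue;           // attack still in progress
        onos.removeFlow(rec.deviceId, rec.flowId);
        delete controls[key];
        released.push(key);
      }
      return released;
    },
    active() { return Object.keys(controls); }
  };
}

// Stand-in for the ONOS REST API (constructed for this example): records the
// installed drop rules and returns the deviceId/flowId pair the script stores.
function fakeOnos() {
  const rules = new Map();
  let next = 1;
  return {
    rules,
    addDrop(rule) {
      const flowId = String(next++);
      rules.set(flowId, rule);
      return { deviceId: rule.deviceId, flowId };
    },
    removeFlow(deviceId, flowId) { rules.delete(flowId); }
  };
}
```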
We are going to use hping3 to simulate a DDoS attack, so install the software using the following command:
sudo apt install hping3
Run the following command to start sFlow-RT and run the ddos.js script:
env RTPROP=-Dscript.file=ddos.js ./
Next, start Mininet with ONOS:
sudo mn --custom ~/onos/tools/dev/mininet/,sflow-rt/extras/ \
--link tc,bw=10 --controller onos,1 --topo tree,2,2
Generate normal traffic between hosts h1 and h3:
mininet-onos> iperf h1 h3
The weathermap view above shows the flow crossing the network from switch s2 to s3 via s1.
Next, launch the simulated DNS amplification attack from h1 to h3:
mininet-onos> h1 hping3 --flood --udp -k -s 53 h3
The weathermap view verifies that the attack has been successfully blocked since none of the traffic is seen traversing the network.

The chart at the top of this article shows the iperf test followed by the simulated attack. The top chart shows the top flows entering the network, with the DNS amplification attack traffic in blue. The middle chart shows traffic broken out by switch port. Here, the blue line shows the attack traffic arriving at switch s2 port s2-eth1, while the orange line shows that only a small amount of traffic is forwarded to switch s3 port s3-eth3 before the attack is blocked at switch s2 by the controller.

Mininet with ONOS and sFlow-RT is a great way to rapidly develop and test SDN applications, avoiding the time and expense involved in setting up a physical network. The application is easily moved from the Mininet virtual network to a physical network since it is based on the same industry standard sFlow telemetry generated by physical switches. In this case, the same application could use commodity switch hardware to cost effectively detect and filter massive (100's of Gbit/s) DDoS attacks.


  1. Hello Mr Peter, please can you help me,
    When I run the code ddos.js in the sflow-rt directory I get this error.

    sdn@sdn-vm:~/sflow-rt$ nodejs ddos.js

    var [ipdestination,udpsourceport] = evt.flowKey.split(',');
    SyntaxError: Unexpected token [
    at Module._compile (module.js:439:25)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)
    at startup (node.js:119:16)
    at node.js:902:3

    Please help me, I need to fix this error.

    1. The script won't work with nodejs. sFlow-RT includes an embedded JavaScript engine that has been extended with additional functions. The article described how to include the script when you start sFlow-RT. See Writing Applications for more information.

  2. Hello Peter. Is there any detection and mitigation algorithm that will work with sFlow on an IPv6 SDN network?

    1. You could easily modify the script in this article for IPv6 DDoS attacks. Change ipsource to ip6source in the flow definition and modify the OpenFlow rule to filter on IPV6_DST instead of IPV4_DST.

  3. Can anybody help me with how to perform a "DNS amplification attack in Mininet"?

    1. The hping3 command in this article is an example of simulating a DNS amplification attack using the DNS protocol (UDP port 53). See DNS amplification attacks for more information.

  4. Does this article work to mitigate DDoS attacks with the OpenDaylight controller?

    1. Hi... I have the same question... Is it compatible with ODL also? Has anyone tested it? Thanks

    2. It looks like OpenDaylight no longer supports the OpenFlow features that would allow it to work with Mininet, see Opendaylight flourine creating reactive flows

      Ryu measurement based control provides an additional example if you are looking for a different controller.

    3. Hi Peter.. thanks for your response... I use an old version of ODL like Beryllium and so far OpenFlow is working well with Mininet. What do you think? Thanks

    4. You should be able to modify the ONOS script to work with the OpenDaylight REST API. The last time I had it working is described in Open Daylight - the Hydrogen release I believe.

    5. Noted and thank you Peter. Great and thank you again for sharing very informative blog.

  5. Hi sir,
    I am Anju, my academic project is related to DDoS attacks on SDN using the ONOS controller. But I am confused about how to implement these things. I want to know about the basic steps of implementing a DDoS attack on the ONOS controller. Kindly reply as soon as possible.

    1. Have you tried following the steps in this article? The article describes how to simulate a DDoS reflection attack using Mininet and ONOS.

    2. Sir,
      I tried to run these steps, but I am stuck with them. Actually, I don't know where to start with these steps. Do you have any basic guideline to run these commands?

    3. Sir,
      I tried the following steps, but I am stuck with some issues, especially
      when I run

      sudo mn --custom ~/onos/tools/dev/mininet/,sflow-rt/extras/ \
      --link tc,bw=10 --controller onos,1 --topo tree,2,2

      it shows an error like
      Caught exception. Cleaning up...

      ImportError: No module named requests

      Please help me to solve this issue.


  6. Hi sir,
    I have one issue, when I run this command

    env RTPROP=-Dscript.file=ddos.js ./

    the output shows ddos stopped, like this:
    2019-11-15T14:22:30+05:30 INFO: Starting sFlow-RT 3.0-1441
    2019-11-15T14:22:32+05:30 INFO: Version check, 3.0-1446 available
    2019-11-15T14:22:32+05:30 INFO: Listening, sFlow port 6343
    2019-11-15T14:22:32+05:30 INFO: Listening, HTTP port 8008
    2019-11-15T14:22:32+05:30 INFO: ddos.js started
    2019-11-15T14:22:33+05:30 WARNING: ddos.js IO exception ddos.js
    2019-11-15T14:22:33+05:30 INFO: ddos.js stopped

    How do I solve this issue?
    Please help me.

    1. Did you modify the ddos.js script to match your ONOS setup? You need to set the user, password, and onos variables for your ONOS instance.

    2. I gave
      user :onos
      password :rocks
      ONOS :
      but it's not working,
      it shows the same output
      2019-11-15T14:22:33+05:30 WARNING: ddos.js IO exception ddos.js
      2019-11-15T14:22:33+05:30 INFO: ddos.js stopped

      What do I do? Do you have any suggestions?
      Please help me

    3. The WARNING: ddos.js IO exception ddos.js indicates that the ddos.js script couldn't be found. sFlow-RT references files relative to its home directory (sflow-rt) and if you run the commands in this example the ddos.js script needs to be in the sflow-rt directory.

  7. Hi Mr Peter, I get an error

    2019-12-10T00:54:37+07:00 INFO: Starting sFlow-RT 3.0-1441
    2019-12-10T00:54:42+07:00 INFO: Version check, 3.0-1449 available
    2019-12-10T00:54:42+07:00 INFO: Listening, sFlow port 6343
    2019-12-10T00:54:46+07:00 INFO: Listening, HTTP port 8008
    2019-12-10T00:54:47+07:00 INFO: ddos.js started
    2019-12-10T00:54:47+07:00 INFO: app/mininet-dashboard/scripts/metrics.js started
    2019-12-10T00:54:47+07:00 INFO: app/flow-trend/scripts/top.js started
    2019-12-10T00:54:47+07:00 INFO: app/trace-flow/scripts/trace.js started
    2019-12-10T01:00:50+07:00 WARNING: ddos.js ddos.js#48 IO error Read timed out
    2019-12-10T01:00:50+07:00 INFO: ddos.js stopped

    Can you help me? Thanks

    1. The error indicates that the ddos.js script cannot connect to the ONOS REST API. Is ONOS running? Is the REST API enabled? Do you have the correct address configured in the onos variable in the script?

    2. I tried running it again and suddenly it worked, but there was no traffic blocking. Must the REST API be activated even though the script can be run?

      lutfianto@lutfianto:~/sflow-rt$ sudo env RTPROP=-Dscript.file=ddos.js ./[sudo] password for lutfianto:
      2019-12-10T17:06:27+07:00 INFO: Starting sFlow-RT 3.0-1441
      2019-12-10T17:06:30+07:00 INFO: Version check, 3.0-1450 available
      2019-12-10T17:06:31+07:00 INFO: Listening, sFlow port 6343
      2019-12-10T17:06:33+07:00 INFO: Listening, HTTP port 8008
      2019-12-10T17:06:33+07:00 INFO: ddos.js started
      2019-12-10T17:06:33+07:00 INFO: app/mininet-dashboard/scripts/metrics.js started
      2019-12-10T17:06:33+07:00 INFO: app/flow-trend/scripts/top.js started
      2019-12-10T17:06:33+07:00 INFO: app/trace-flow/scripts/trace.js started
      2019-12-10T17:07:02+07:00 INFO: blocking,53

      I put ONOS in Docker. How do I enable the REST API? Is it right to activate it with activate org.onosproject.restdb and org.onosproject.drivers.ciena.waveserver, and then create a JSON file and upload it in ONOS like this reference?

      May I have your e-mail? Thanks for your help.

    3. Are you sure it isn't blocking? It looks like the REST call was successfully applied. You will still see traffic arriving at the first switch port. You can tell if it is being blocked because the trend lines for the upstream ports will drop - the gold line in the Mininet Dashboard screen shot in this article. You can also confirm that the traffic was dropped by looking at the topology view - the link widths indicate traffic.

    4. Thanks Mr Peter, after I looked at the topology view like your project, I tried to add attackers, and then the topology view looked so different. Why? The script only blocks the first attack. Can this rule block more than one attacker? Thanks for your answer.

    5. The script uses the flow keys: ipdestination,udpsourceport to monitor traffic and triggers a control that blocks all traffic that matches the flow, i.e. all attackers targeting the ipdestination. You will only see a new rule created if a different ipdestination is targeted, or a different udpsourceport is involved.

    6. In the first scenario I tried to use one attacker, then the results were like your project. But when I tried to attack with two attackers on the same host, the result got packet loss in the measurement. I attach a screenshot of the result. The difference between scenarios one and two is only the number of attackers.

      This is for one attacker
      and this is for two attackers
      Can you help me to resolve my problem? Thanks.

    7. The script assumes a single filtering action will block all sources of the DDoS attack. In your case, the two hosts attack over different ports and the script doesn't add a second rule on the second switch port to block the second attack.

      The ONOS REST API used in this example applies a flow to a specific OpenFlow device. It may be possible to modify the script to use a more general policy based API to block the traffic on all switch ports, but I haven't experimented.

  8. Hi Peter,

    I have implemented this script and it is blocking and unblocking IP fine for ddos.

    Can you please help me with the scenario where if Host 1 is attacking Host 2 with ddos using "h1 hping3 --flood --udp -k -s 53 h3" then instead of blocking host, it forwards the traffic to another host (example h4,h5 etc).

    Waiting for your reply on this.

    1. I am afraid my knowledge of OpenFlow and ONOS is limited. You may be able to use the policy framework to redirect the traffic.

      If a policy doesn't work, you should be able to create a set of OpenFlow rules for each of the switches in the path between h1 and h5 to do the traffic redirect.

    2. Hi Peter,

      I am afraid my knowledge is also very low. Can you please advise how to create a policy framework to redirect the traffic.

      Also how to set OpenFlow rules on switch to have a desired traffic redirection.

    3. Hi Peter,

      Waiting for your reply on the above, and I also wanted to ask whether we can redirect traffic by using the ONOS REST API?

  9. Hi Mr Peter, I want to ask:
    can I combine TCP and UDP filter rules in one script? If so, how do I do it?
    I attach the filter rules for TCP and UDP.

    tcp ->
    udp ->

    1. You can unify the event and interval handlers to manage the UDP and TCP rules. The ddos-protect application provides an example.