Thursday, April 5, 2018

ONOS measurement based control

ONOS traffic analytics describes how to run the ONOS SDN controller with a virtual network created using Mininet. The article also showed how to monitor network traffic using industry standard sFlow instrumentation available in Mininet and in physical switches.
This article uses the same ONOS / Mininet test bed to demonstrate how sFlow-RT real-time flow analytics can be used to push controls to the network through the ONOS REST API.  Leaf and spine traffic engineering using segment routing and SDN used real-time flow analytics to load balance an ONOS controlled physical network. In this example, we will use ONOS to filter DDoS attack traffic on a Mininet virtual network.

The following sFlow-RT script, ddos.js, detects DDoS attacks and programs ONOS filter rules to block the attacks:
var user = 'onos';
var password = 'rocks';
var onos = '192.168.123.1';
var controls = {};

setFlow('udp_reflection',
 {keys:'ipdestination,udpsourceport',value:'frames'});
setThreshold('udp_reflection_attack',
 {metric:'udp_reflection',value:100,byFlow:true,timeout:2});

setEventHandler(function(evt) {
 // don't consider inter-switch links
 var link = topologyInterfaceToLink(evt.agent,evt.dataSource);
 if(link) return;

 // get port information
 var port = topologyInterfaceToPort(evt.agent,evt.dataSource);
 if(!port) return;

 // need OpenFlow info to create ONOS filtering rule
 if(!port.dpid || !port.ofport) return;

 // we already have a control for this flow
 if(controls[evt.flowKey]) return;

 var [ipdestination,udpsourceport] = evt.flowKey.split(',');
 var msg = {
  flows: [
   {
    priority:4000,
    timeout:0,
    isPermanent:true,
    deviceId:'of:'+port.dpid,
    treatment:[],
    selector: {
     criteria: [
      {type:'IN_PORT',port:port.ofport},
      {type:'ETH_TYPE',ethType:'0x800'},
      {type:'IPV4_DST',ip:ipdestination+'/32'},
      {type:'IP_PROTO',protocol:'17'},
      {type:'UDP_SRC',udpPort:udpsourceport} 
     ]
    }
   }
  ]
 };

 var resp = http2({
  url:'http://'+onos+':8181/onos/v1/flows?appId=ddos',
  headers:{'Content-Type':'application/json','Accept':'application/json'},
  operation:'post',
  user:user,
  password:password,
  body: JSON.stringify(msg)
 });

 var {deviceId,flowId} = JSON.parse(resp.body).flows[0];
 controls[evt.flowKey] = {
  time:Date.now(),
  threshold:evt.thresholdID,
  agent:evt.agent,
  metric:evt.dataSource+'.'+evt.metric,
  deviceId:deviceId,
  flowId:flowId
 };

 logInfo("blocking " + evt.flowKey);
},['udp_reflection_attack']);

setIntervalHandler(function() {
 var now = Date.now();
 for(var key in controls) {
   let rec = controls[key];

   // keep control for at least 10 seconds
   if(now - rec.time < 10000) continue;
   // keep control if threshold still triggered
   if(thresholdTriggered(rec.threshold,rec.agent,rec.metric,key)) continue;

   var resp = http2({
    url:'http://'+onos+':8181/onos/v1/flows/'
        +encodeURIComponent(rec.deviceId)+'/'+encodeURIComponent(rec.flowId),
    headers:{'Accept':'application/json'},
    operation:'delete',
    user:user,
    password:password
   });

   delete controls[key];

   logInfo("unblocking " + key);
 }
});
Some notes on the script:
  1. The ONOS REST API is used to add/remove filters that block the DDoS traffic.
  2. The controller address, 192.168.123.1, can be found on the ONOS Cluster Nodes web page.
  3. The udp_reflection flow definition is designed to detect UDP amplification attacks, e.g. DNS amplification attacks
  4. Controls are applied to the switch port where traffic enters the network
  5. The controls structure is used to keep track of state associated with deployed configuration changes so that they can be undone
  6. The intervalHandler() function is used to automatically release controls after 10 seconds - the timeout is short for the purposes of demonstration, in practical deployments the timeout would be much measured in hours
  7. For simplicity, this script is missing the error handling needed for production use. 
  8. See Writing Applications for more information.
We are going to use hping3 to simulate a DDoS attack, so install the software using the following command:
sudo apt install hping3
Run the following command to start sFlow-RT and run the ddos.js script:
env RTPROP=-Dscript.file=ddos.js ./start.sh
Next, start Mininet with ONOS:
sudo mn --custom ~/onos/tools/dev/mininet/onos.py,sflow-rt/extras/sflow.py \
--link tc,bw=10 --controller onos,1 --topo tree,2,2
Generate normal traffic between hosts h1 and h3:
mininet-onos> iperf h1 h3
The weathermap view above shows the flow crossing the network from switch s2 to s3 via s1.
Next, launch the simulated DNS amplification attack from h1 to h3:
mininet-onos> h1 hping3 --flood --udp -k -s 53 h3
The weathermap view verifies that the attack has been successfully blocked since none of the traffic is seen traversing the network.

The chart at the top of this article shows the iperf test followed by the simulated attack. The top chart shows the top flows entering the network, showing the DNS amplification attack traffic in blue. The middle chart shows traffic broken out by switch port. Here, the blue line shows the attack traffic arriving at switch s2 port s2-eth1 while the orange line shows that only a small amount of traffic is forwarded to switch s3 port s3-eth3 before the attack is blocked at switch s2 by the controller.

Mininet with ONOS and sFlow-RT is a great way to rapidly develop and test SDN applications, avoiding the time and expense involved in setting up a physical network. The application is easily moved from the Mininet virtual network to a physical network since it is based on the same industry standard sFlow telemetry generated by physical switches. In this case, using commodity switch hardware to cost effectively detect and filter massive (100's of Gbit/s) DDoS attacks.

25 comments:

  1. Hellow Mr Peter, please can you help me,
    When I run the code ddos.js in the sfow-rt directory I get this error.

    sdn@sdn-vm:~/sflow-rt$ nodejs ddos.js

    /home/sdn/sflow-rt/ddos.js:26
    var [ipdestination,udpsourceport] = evt.flowKey.split(',');
    ^
    SyntaxError: Unexpected token [
    at Module._compile (module.js:439:25)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)
    at startup (node.js:119:16)
    at node.js:902:3
    sdn@sdn-vm:~/sflow-rt$

    Please help me I need to fixe this error

    ReplyDelete
    Replies
    1. The script won't work with nodejs. sFlow-RT includes and embedded JavaScript engine that has been extended with additional functions. The article described how to include the script when you start sFlow-RT. See Writing Applications for more information.

      Delete
  2. hello peter. is there any algorithm detection and migitation that will work with sflow on ipv6 sdn network.

    ReplyDelete
    Replies
    1. You could easily modify the script in this article for IPv6 DDoS attacks. Change ipsource to ip6source in the flow definition and modify the OpenFlow rule to filter on IPV6_DST instead of IPV4_DST.

      Delete
  3. can anybody help me how to perform "DNS amplification attack in mininet"

    ReplyDelete
    Replies
    1. The hping3 command in this article is an example of simulating a DNS amplification using the DNS protocol (UDP port 53). See DNS amplification attacks for more information.

      Delete
  4. it this article work to mitigate ddos attack in opendaylight controller???

    ReplyDelete
    Replies
    1. Hi...I have the same question... does it compatible with ODL also? Have anyone test it? thanks

      Delete
    2. It looks like OpenDaylight no longer supports the OpenFlow features that would allow it to work with Mininet, see Opendaylight flourine creating reactive flows
      Ask Question
      .

      Ryu measurement based control provides an additional example if you are looking for a different controller.

      Delete
    3. Hi Peter..thanks for your response... I use old verison ODL like beryllium and so far working well openflow with mininet. What do you think? Thanks

      Delete
    4. You should be able to modify the ONOS script to work with the OpenDaylight REST API. The last time I had it working is described in Open Daylight - the Hydrogen release I believe.

      Delete
    5. Noted and thank you Peter. Great and thank you again for sharing very informative blog.

      Delete
  5. hai sir,
    I am Anju, my academic project is related to DDoS attack on SDN using the ONOS controller. But I am confused about how to implement these things.I want to know about the basic step of implementation of DDoS attack on ONOS controller. kindly reply fast as soon as possible.

    ReplyDelete
    Replies
    1. Have you tried following the steps in this article? The article describes how to simulate a DDoS reflection attack using Mininet and ONOS.

      Delete
    2. sir,
      i tried to run these steps,but I am stuck with these steps.actually I don't know where to start these steps? did you have any basic guideline to run these commands?

      Delete
    3. sir,
      I tried following steps, but I stuck with some issues especially
      when i run

      sudo mn --custom ~/onos/tools/dev/mininet/onos.py,sflow-rt/extras/sflow.py \
      --link tc,bw=10 --controller onos,1 --topo tree,2,2

      its show error like
      ---------------------------------------
      Caught exception. Cleaning up...

      ImportError: No module named requests
      --------------------------------------


      please help me.how to solve this issue?

      Delete


  6. Hai sir,
    i have one issue,when i run this command

    env RTPROP=-Dscript.file=ddos.js ./start.sh

    the output shows like ddos stopped
    ----------------------------------------------------
    2019-11-15T14:22:30+05:30 INFO: Starting sFlow-RT 3.0-1441
    2019-11-15T14:22:32+05:30 INFO: Version check, 3.0-1446 available
    2019-11-15T14:22:32+05:30 INFO: Listening, sFlow port 6343
    2019-11-15T14:22:32+05:30 INFO: Listening, HTTP port 8008
    2019-11-15T14:22:32+05:30 INFO: ddos.js started
    2019-11-15T14:22:33+05:30 WARNING: ddos.js IO exception ddos.js
    2019-11-15T14:22:33+05:30 INFO: ddos.js stopped
    -----------------------------------------------


    how to solve this issue?
    please help me.

    ReplyDelete
    Replies
    1. Did you modify the ddos.js script to match your ONOS setup? You need to set the user, password, and onos variables for your ONOS instance.

      Delete
    2. I gave
      user :onos
      password :rocks
      ONOS :127.0.0.1
      but its not working
      its shows the same output
      ----------------------------------------
      2019-11-15T14:22:33+05:30 WARNING: ddos.js IO exception ddos.js
      2019-11-15T14:22:33+05:30 INFO: ddos.js stopped
      ------------------------------------

      what I do?did you have any suggestions??
      please help me

      Delete
    3. The WARNING: ddos.js IO exception ddos.js indicates that the ddos.js script couldn't be found. sFlow-RT references files relative to it's home directory (sflow-rt) and if you run the commands in this example the ddos.js script needs to be in the sflow-rt directory.

      Delete
  7. hai mr peter, i get error

    2019-12-10T00:54:37+07:00 INFO: Starting sFlow-RT 3.0-1441
    2019-12-10T00:54:42+07:00 INFO: Version check, 3.0-1449 available
    2019-12-10T00:54:42+07:00 INFO: Listening, sFlow port 6343
    2019-12-10T00:54:46+07:00 INFO: Listening, HTTP port 8008
    2019-12-10T00:54:47+07:00 INFO: ddos.js started
    2019-12-10T00:54:47+07:00 INFO: app/mininet-dashboard/scripts/metrics.js started
    2019-12-10T00:54:47+07:00 INFO: app/flow-trend/scripts/top.js started
    2019-12-10T00:54:47+07:00 INFO: app/trace-flow/scripts/trace.js started
    2019-12-10T01:00:50+07:00 WARNING: ddos.js ddos.js#48 IO error java.net.SocketTimeoutException: Read timed out
    2019-12-10T01:00:50+07:00 INFO: ddos.js stopped

    Can you help me ? thanks

    ReplyDelete
    Replies
    1. The error indicates that the ddos.js script cannot connect to the ONOS REST API. Is ONOS running? Is the REST API enable? Do you have the correct address configured in the onos variable in the script?

      Delete
    2. i try running again and suddenly it can, but there was no traffic blocking. is the REST API must be activated although script can be run ?

      lutfianto@lutfianto:~/sflow-rt$ sudo env RTPROP=-Dscript.file=ddos.js ./start.sh[sudo] password for lutfianto:
      2019-12-10T17:06:27+07:00 INFO: Starting sFlow-RT 3.0-1441
      2019-12-10T17:06:30+07:00 INFO: Version check, 3.0-1450 available
      2019-12-10T17:06:31+07:00 INFO: Listening, sFlow port 6343
      2019-12-10T17:06:33+07:00 INFO: Listening, HTTP port 8008
      2019-12-10T17:06:33+07:00 INFO: ddos.js started
      2019-12-10T17:06:33+07:00 INFO: app/mininet-dashboard/scripts/metrics.js started
      2019-12-10T17:06:33+07:00 INFO: app/flow-trend/scripts/top.js started
      2019-12-10T17:06:33+07:00 INFO: app/trace-flow/scripts/trace.js started
      2019-12-10T17:07:02+07:00 INFO: blocking 10.0.0.3,53

      i put onos in docker. How to enable REST API ? is it right to active it with activate org.onosproject.restdb and org.onosproject.drivers.ciena.waveserver. and create json file then upload in onos like this reference https://wiki.onosproject.org/display/ONOS/REST.

      May i have your e-mail ? Thank for your help.

      Delete
    3. Are you sure it isn't blocking? It looks like the REST call was successfully applied. You will still see traffic arriving at the first switch port. You can tell if it is being blocked because the trend lines for the upstream ports will drop - the gold line in the Mininet Dashboard screen shot in this article. You can also confirm that the traffic was dropped by looking at the topology view - the link widths indicate traffic.

      Delete