Tuesday, October 20, 2020

Docker DDoS testbed

Docker testbed describes how to use Docker Desktop to build a test network to experiment with real-time sFlow streaming telemetry and analytics. This article extends the testbed to experiment with distributed denial of service (DDoS) detection and mitigation techniques described in Real-time DDoS mitigation using BGP RTBH and FlowSpec.

Start a Host sFlow agent using the pre-built sflow/host-sflow image:
docker run --rm -d -e "COLLECTOR=host.docker.internal" -e "SAMPLING=10" \
--net=host -v /var/run/docker.sock:/var/run/docker.sock:ro \
--name=host-sflow sflow/host-sflow
Start ExaBGP using the pre-built sflow/exabgp image. ExaBGP connects to the sFlow-RT analytics software and displays BGP RTBH / Flowspec controls sent by sFlow-RT:
docker run --rm sflow/exabgp
In a second terminal window, start an instance of the sFlow-RT analytics software using the pre-built sflow/ddos-protect image:
GW=`docker network inspect bridge -f '{{range .IPAM.Config}}{{.Gateway}}{{end}}'`

SUBNET=`docker network inspect bridge -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}'`

docker run --rm -p 6343:6343/udp -p 8008:8008 -p 1179:1179 --name=sflow-rt \
sflow/ddos-protect -Dddos_protect.router=$GW -Dddos_protect.as=65001 \
-Dddos_protect.enable.flowspec=yes -Dddos_protect.group.local=$SUBNET \
-Dddos_protect.mode=automatic \
-Dddos_protect.udp_amplification.action=filter \
Open the sFlow-RT dashboard at http://localhost:8008/
The sFlow Agents gauge confirms that sFlow is being received from the Host sFlow agent. Now access the DDoS Protect application at http://localhost:8008/app/ddos-protect/html/index.html
The BGP chart at the bottom right verifies that BGP connection has been established so that controls can be sent to ExaBGP, which will display them in the terminal window.

Finally, hping3 can be used to generate simulated DDoS attacks. Start a simulated DNS amplification attack using the pre-built sflow/hping3 image:
GW=`docker network inspect bridge -f '{{range .IPAM.Config}}{{.Gateway}}{{end}}'`

docker run --rm sflow/hping3 --flood --udp -k -a -s 53 $GW
The attack shows up immediately in the DDoS protect dashboard, http://localhost:8008/app/ddos-protect/html/index.html
The udp_amplification chart shows the traffic rising to cross the threshold and trigger the control shown in the Controls chart.
The exabgp log shows the Flowspec rule that was sent to block the attack, filtering traffic to with UDP source port 53. Type CNTRL+C in the hping3 window to end the attack.

This testbed provides a convenient way to become familiar with the tools to automatically mitigate DDoS attacks. The following articles provide additional information on moving the solution into production: Real-time DDoS mitigation using BGP RTBH and FlowSpecPushing BGP Flowspec rules to multiple routers, and Monitoring DDoS mitigationReal-time network and system metrics as a service provides background on the sFlow-RT analytics platform running the DDoS Protect application.


  1. hi Peter,
    Excuse me, I want to ask, what should I pay attention to the first time I use the image sflow/exabgp? i can't run "docker run --rm sflow/exabgp" like yours,
    i meet the error "not reloaded, no change found in the configuration",so what can i do?

    1. I haven't been able to reproduce the issue. I am running Docker version 19.03.13.

      What version of Docker are you using?

      Can you provide the full log output when you start exabgp (up to and including the error message?

  2. There is a mistake in the docker image sflow/exabgp because is trying to install the latest version of exabgp (pip3 install --no-cache exabgp) and the configuration file has changed in the new version (https://github.com/Exa-Networks/exabgp/wiki/Migration-from-3.4-to-4.0).

    As we can see in this image, its result in an error message: https://imgur.com/5GIxyZy

    I am doing my master thesis about how to enhance this DDOS protection, using entropy, for example but I can't do anything with the error :(

    I thought about these fast solutions:
    -Publish the docker image with the dockerfile to edit it.
    -Change pip3 install --no-cache exabgp to pip install git+https://github.com/igallar98/exabgp.git (with has the version 3 compatible with the configuration)
    -Update to the new configuration file syntax...

    Thanks a million and happy Xmas!

    1. I just tested the image on Docker Desktop 4.3.2 on a Macbook and it worked. What version and platform are you using for Docker?

      From the error message, it looks like the default value, host.docker.internal, for the PEER_ADDR environment variable isn't being resolved, resulting in an invalid configuration.

      Try setting the PEER_ADDR variable explicitly in your docker run command.

    2. Hi, Peter
      I'm have tried with Docker version 20.10.9, (build c2ea9bc) in Kali Linux 5.14 and with Docker version 19.03.13 (build 4484c46d9d) in Ubuntu 20.04 too.
      If I add the default value using --add-host=host.docker.internal:host-gateway as we can see in the image if I ping it is okay but the error is the same. https://imgur.com/a/So1eMN4

      I tried setting the PEER_ADDR variable (sudo docker run --rm sflow/exabgp -e "PEER_ADDR=") resulting in the same error. https://imgur.com/a/z2Dtqf4


    3. Since you are running docker on a Linux host, add the following argument to your docker run commands to define the host.docker.internal DNS entry, e.g.

      docker run --rm --add-host=host.docker.internal:host-gateway sflow/exabgp