docker run --rm -d --privileged --name frr sflow/frrRun the following command to show the router configuration:
docker exec frr vtysh -c "show running-config"The results will be displayed:
Building configuration... Current configuration: ! frr version 7.5_git frr defaults traditional hostname ed9e435c6f3d no ipv6 forwarding log stdout ! router bgp 65000 bgp router-id 0.0.0.1 neighbor 192.168.65.2 remote-as 65001 neighbor 192.168.65.2 port 1179 neighbor 192.168.65.2 ebgp-multihop 255 neighbor 192.168.65.2 timers connect 10 ! address-family ipv4 unicast neighbor 192.168.65.2 route-map ALLOW-ALL in neighbor 192.168.65.2 route-map ALLOW-ALL out exit-address-family ! address-family ipv4 flowspec neighbor 192.168.65.2 activate neighbor 192.168.65.2 route-map ALLOW-ALL in neighbor 192.168.65.2 route-map ALLOW-ALL out exit-address-family ! address-family ipv6 unicast neighbor 192.168.65.2 activate neighbor 192.168.65.2 route-map ALLOW-ALL in neighbor 192.168.65.2 route-map ALLOW-ALL out exit-address-family ! address-family ipv6 flowspec neighbor 192.168.65.2 activate neighbor 192.168.65.2 route-map ALLOW-ALL in neighbor 192.168.65.2 route-map ALLOW-ALL out exit-address-family ! route-map ALLOW-ALL permit 100 ! ip nht resolve-via-default ! line vty ! end
Simulate a DDoS attack as describes in Docker DDoS testbed.
Now run the following command to see the Flowspec rule:
docker exec frr vtysh -c "show bgp ipv4 flowspec detail"
The following rule was sent to the router:
BGP flowspec entry: (flags 0x418) Destination Address 172.17.0.1/32 IP Protocol = 17 Source Port = 53 FS:rate 0.000000 received for 00:00:48 not installed in PBR Displayed 1 flowspec entries
The rule isn't installed in the policy based routing (PBR) table since the current version of FRRouting doesn't include the necessary Netfilter driver.
FRRouting software is widely used in open source network operating systems such as SONiC, OpenSwitch, and DENT. Once the Flowspec driver integration is complete, the white box switch hardware supported by these network operation systems will provide a cost effective method of mitigating DDoS attacks - combining the real-time visibility of sFlow with the real-time control capabilities of Flowspec.
No comments:
Post a Comment