On May 28, 2014, at 3:50 AM, Silvia Fichera <fichera....@gmail.com> wrote:
> Dear all,
> I have a network with a hundred hosts in which most of them perform a
> SYN-flood attack. My implementation foresees a threshold to detect the attack
> (Controller tests the source pretending to be the real destination since the
> source doesn't complete the 3-way handshake procedure. Only the honest source can
> talk to the real destination of the attack) and installs a dropping rule on the
> first switch when the threshold is exceeded.

This design sounds like potentially a very great amount of traffic gets sent to a controller over the OpenFlow connection.

> I am able to count the number of SYNs received by the controller with a
> counter that I added in it (I expect this should be equal to the number of
> the attackers times the threshold, but it is not so), and if I compare this
> number with a Wireshark capture I see a lot more packets.

A Wireshark capture of what? The control traffic, or the normal data plane traffic?

> Is there a reason for this behavior? Could it be because of the responsiveness
> of the controller?

It certainly could be because of the responsiveness of the controller. Have you checked the OVS log? You may find interesting log messages such as "dropping packet-in due to queue overflow". You could try running POX using PyPy and see if your numbers get closer.

> Moreover, I know that POX is single-threaded. Is there any buffer in which
> incoming packets are queued?

Within POX, they're handled immediately. But there are buffers in the system, e.g., in the networking stack on the controller machine and the switch machine.

-- Murphy
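The counting mismatch discussed in this thread can be reproduced with a toy model, added here as an example (it is not code from the thread, from POX or from Open vSwitch). The tick-based timing, the single bounded packet-in queue and every name and parameter below are assumptions made for illustration.

```python
from collections import Counter, deque

def simulate(attackers, threshold, service_per_tick, queue_limit, ticks):
    """Toy model: return (syns_on_wire, syns_counted_by_controller, packet_ins_dropped)."""
    queue = deque()    # packet-ins buffered between switch and controller (assumed)
    seen = Counter()   # controller's per-source SYN counter
    blocked = set()    # sources that already have a drop rule on the first switch
    on_wire = counted = dropped = 0
    for _ in range(ticks):
        # Data plane: every source without a drop rule sends one SYN per tick.
        for src in range(attackers):
            if src in blocked:
                continue
            on_wire += 1
            if len(queue) < queue_limit:
                queue.append(src)   # becomes a packet-in for the controller
            else:
                dropped += 1        # buffer full: the controller never sees it
        # Control plane: the controller handles a bounded number of packet-ins.
        for _ in range(min(service_per_tick, len(queue))):
            src = queue.popleft()
            counted += 1
            seen[src] += 1
            if seen[src] >= threshold:
                blocked.add(src)    # drop rule installed; queued SYNs still arrive
    return on_wire, counted, dropped

if __name__ == "__main__":
    # Controller keeps up: the counter equals attackers * threshold.
    print("fast controller:", simulate(100, 5, 100, 100, 20))
    # Controller is the bottleneck: the counter exceeds attackers * threshold,
    # and a data-plane capture shows far more SYNs than the controller counted.
    print("slow controller:", simulate(4, 2, 1, 4, 30))
```

In the slow case the rule is installed late for each source, so the controller keeps counting packet-ins that were already queued, while the SYNs dropped at the full buffer appear only in a data-plane capture.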