I'm talking about the control traffic. In Wireshark I apply a filter
related only to SYN packets and the destination of the attack. Yesterday
I tried to use PyPy and, when everything works, the result is very close
to what I expect (packets by the attackers + a few retransmitted packets).
There is still a little problem. In every simulation I print a file with all
the attackers seen by the controller and, sometimes, some of them are
missing. In that case I have a surplus of packets (3 or 4 times what I
expect). The behavior is not uniform in every case.

Thanks



2014-05-30 5:36 GMT+02:00 Murphy McCauley <murphy.mccau...@gmail.com>:

> On May 28, 2014, at 3:50 AM, Silvia Fichera <fichera....@gmail.com> wrote:
>
> > Dear all,
> > I have a network with a hundred hosts in which most of them perform
> > a SYN-flood attack. My implementation foresees a threshold to detect the
> > attack (the controller tests the source, pretending to be the real destination,
> > since the source doesn't complete the 3-way handshake procedure. Only the
> > honest source can talk to the real destination of the attack) and installs a
> > dropping rule on the first switch when the threshold is exceeded.
>
> This design sounds like potentially a very great amount of traffic gets
> sent to a controller over the OpenFlow connection.
>
> > I am able to count the number of SYNs received by the controller with a
> > counter that I added to it (I expect this should be equal to the number of
> > attackers times the threshold, but it is not so), and if I compare
> > this number with the Wireshark capture I see a lot more packets.
>
> A Wireshark capture of what?  The control traffic, or the normal data
> plane traffic?
>
> > Is there a reason for this behavior? Could it be because of the
> > responsiveness of the controller?
>
> It certainly could be because of the responsiveness of the controller.
>
> Have you checked the OVS log?  You may find interesting log messages such
> as "dropping packet-in due to queue overflow".
>
> You could try running POX using PyPy and see if your numbers get closer.
>
> > Moreover, I know that POX is single-threaded. Is there any buffer in which
> > incoming packets are queued?
>
> Within POX, they're handled immediately.  But there are buffers in the
> system, e.g., in the networking stack on the controller machine and the
> switch machine.
>
> -- Murphy




-- 
Silvia Fichera
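
Added example, not code from this thread or from POX: a small replay of the per-source SYN threshold discussed above, showing how a delay between reaching the threshold and the drop rule taking effect on the switch makes the controller's SYN count exceed attackers times threshold. The threshold, delay values, function names and traffic are constructed assumptions.

```python
from collections import defaultdict

def simulate(events, threshold, install_delay_ms):
    """Replay SYN arrivals at the first switch.

    events: iterable of (timestamp_ms, src_ip).
    Returns (packet_ins, blocked): SYNs the controller saw per source, and
    the time at which each source's drop rule became active on the switch.
    """
    packet_ins = defaultdict(int)
    blocked = {}
    for ts, src in sorted(events):
        if src in blocked and ts >= blocked[src]:
            continue  # drop rule active: discarded at the switch, no packet-in
        packet_ins[src] += 1  # still reaches the controller
        if packet_ins[src] == threshold:
            # Threshold reached: rule is sent now, effective after the delay.
            blocked[src] = ts + install_delay_ms
    return dict(packet_ins), blocked

def surplus(packet_ins, blocked, threshold):
    """SYNs seen from blocked sources beyond the expected attackers * threshold."""
    seen = sum(packet_ins[src] for src in blocked)
    return seen - len(blocked) * threshold

def constructed_traffic():
    """Constructed sample: 3 flooding sources (one SYN every 10 ms, 20 each)
    and one honest source that sends only 2 SYNs."""
    events = []
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        events += [(i * 10, host) for i in range(20)]
    events += [(0, "10.0.0.9"), (50, "10.0.0.9")]
    return events

if __name__ == "__main__":
    THRESHOLD = 5  # assumed value; the thread does not state the threshold
    for delay in (0, 35):  # assumed rule-install delays in milliseconds
        seen, blocked = simulate(constructed_traffic(), THRESHOLD, delay)
        print(delay, "ms:", sum(seen.values()), "SYNs at controller,",
              surplus(seen, blocked, THRESHOLD), "beyond attackers*threshold")
```

Comparing the per-source counts against the threshold, rather than only the total, shows which sources kept reaching the controller after their rule was requested.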
