On May 31, 2014, at 12:02 AM, Silvia Fichera <fichera....@gmail.com> wrote:

> I'm talking about the control traffic. In Wireshark I apply a filter related
> only to SYN packets and the destination of the attack. Yesterday I tried to
> use PyPy and, when everything works, the result is very close to what I
> expect (packets by the attackers + few packets retransmitted).
> There is still a little problem. Every simulation I print a file with all the
> attackers seen by the controller and, sometimes, some of them are missing. In
> that case I have a surplus of packets (3 or 4 times what I expect). The
> behavior is not uniform in every case.

In those bad cases, you might check the OVS log.

>
> Thanks
>
>
>
> 2014-05-30 5:36 GMT+02:00 Murphy McCauley <murphy.mccau...@gmail.com>:
> On May 28, 2014, at 3:50 AM, Silvia Fichera <fichera....@gmail.com> wrote:
>
> > Dear all,
> > I have a network with a hundred hosts in which most of them perform
> > a SYN-flood attack. My implementation foresees a threshold to detect the
> > attack (Controller tests the source pretending to be the real destination
> > since the source doesn't complete 3-way handshake procedure. Only the
> > honest source can talk to the real destination of the attack) and install a
> > dropping rule on first switch when the threshold is exceeded.
>
> This design sounds like potentially a very great amount of traffic gets sent
> to a controller over the OpenFlow connection.
>
> > I am able to count the number of SYNs received by the controller with a
> > counter that I added in it (I expect this should be equal to the number of
> > the attackers times the threshold, but it is not so), and if I compare
> > this number with the Wireshark capture I see a lot more packets.
>
> A Wireshark capture of what? The control traffic, or the normal data plane
> traffic?
>
> > Is there a reason for this behavior? Could it be because of the responsiveness
> > of the controller?
>
> It certainly could be because of the responsiveness of the controller.
>
> Have you checked the OVS log? You may find interesting log messages such as
> "dropping packet-in due to queue overflow".
>
> You could try running POX using PyPy and see if your numbers get closer.
>
> > Moreover, I know that POX is single-threaded. Is there any buffer in which
> > incoming packets are queued?
>
> Within POX, they're handled immediately. But there are buffers in the
> system, e.g., in the networking stack on the controller machine and the
> switch machine.
>
> -- Murphy
>
>
>
> --
> Silvia Fichera
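
The thread's question (why the packet-in count can exceed attackers times threshold when the controller is slow) can be reproduced with a small queue model. This is an added example, not code from either poster or from POX; the function `simulate`, its parameters, the traffic pattern and all timings are constructed assumptions.

```python
from collections import deque

def simulate(attackers, threshold, syn_interval, service_time,
             install_delay=0.0, queue_limit=None, syns_per_attacker=50):
    """Constructed model, times in ms. The switch sends one packet-in per SYN
    until a per-source drop rule is active; the controller handles packet-ins
    one at a time (single-threaded, FIFO) and installs the drop rule once it
    has counted `threshold` SYNs from a source."""
    # Constructed traffic: attacker a sends SYN k at k*syn_interval, staggered.
    arrivals = sorted(
        (k * syn_interval + a * syn_interval / attackers, a)
        for a in range(attackers) for k in range(syns_per_attacker))
    counted = {}          # SYNs the controller has accepted per source
    rule_at = {}          # time at which the drop rule becomes active
    in_flight = deque()   # finish times of packet-ins still queued
    free_at = 0.0         # when the controller finishes its current backlog
    packet_ins = overflow = 0
    for t, src in arrivals:
        if t >= rule_at.get(src, float("inf")):
            continue      # rule active: the SYN is dropped in the data plane
        while in_flight and in_flight[0] <= t:
            in_flight.popleft()
        if queue_limit is not None and len(in_flight) >= queue_limit:
            overflow += 1  # models "dropping packet-in due to queue overflow"
            continue
        packet_ins += 1
        free_at = max(t, free_at) + service_time
        in_flight.append(free_at)
        counted[src] = counted.get(src, 0) + 1
        if counted[src] == threshold:
            # The rule only exists once this packet has actually been handled.
            rule_at[src] = free_at + install_delay
    return {"expected": attackers * threshold,
            "packet_ins": packet_ins, "overflow": overflow}

if __name__ == "__main__":
    for label, service in (("fast controller", 0.1), ("slow controller", 2.0)):
        print(label, simulate(10, 5, 10.0, service))
    print("bounded queue", simulate(10, 5, 10.0, 2.0, queue_limit=5))
```

With a fast controller the packet-in count equals attackers times threshold; once service time exceeds the SYN inter-arrival time, SYNs that arrive while the threshold-crossing packet is still queued add to the total, and a bounded queue starts discarding packet-ins.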