NETOBSERV-1754 Add flow filter capability to filter on TCP flags

msherif1234 commented 3 months ago

Description

using flow filter with TCP flags we can detect TCP syn flood

using ebpf standalone sudo TARGET_HOST=127.0.0.1 TARGET_PORT=9999 ./bin/netobserv-ebpf-agent ENABLE_FLOW_FILTER=true FILTER_TCP_FLAGS="SYN" FILTER_PROTOCOL="TCP"

use hping3 to simulate TCP syn flood

sudo hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.1.159
HPING 192.168.1.159 (wlp0s20f3 192.168.1.159): S set, 40 headers + 120 data bytes
hping in flood mode, no replies will be shown

we can get large volume TCP flows with flags = 'SYN' back to back, from different srcIP to port 80 HTTP with identical length indicating TCP syn attack

ipv4: 13:01:09.909571 wlp0s20f3 IP 106.238.112.253:42985 > 192.168.1.159:80: dscp: 0x0 protocol:tcp type: 0 code: 0 dir:1 bytes:174 packets:1 flags:2 ends: 13:01:09.909571 dnsId: 0 dnsFlags: 0x0000 dnsLatency(ms): 0 rtt(ns) 0 DropPkts: 0 DropBytes: 0 DropCause 0
ipv4: 13:01:09.909861 wlp0s20f3 IP 98.111.71.240:43017 > 192.168.1.159:80: dscp: 0x0 protocol:tcp type: 0 code: 0 dir:1 bytes:174 packets:1 flags:2 ends: 13:01:09.909861 dnsId: 0 dnsFlags: 0x0000 dnsLatency(ms): 0 rtt(ns) 0 DropPkts: 0 DropBytes: 0 DropCause 0
ipv4: 13:01:09.950127 wlp0s20f3 IP 86.75.75.51:43336 > 192.168.1.159:80: dscp: 0x0 protocol:tcp type: 0 code: 0 dir:1 bytes:174 packets:1 flags:2 ends: 13:01:09.950127 dnsId: 0 dnsFlags: 0x0000 dnsLatency(ms): 0 rtt(ns) 0 DropPkts: 0 DropBytes: 0 DropCause 0
ipv4: 13:01:10.226393 wlp0s20f3 IP 181.231.154.198:45517 > 192.168.1.159:80: dscp: 0x0 protocol:tcp type: 0 code: 0 dir:1 bytes:174 packets:1 flags:2 ends: 13:01:10.226393 dnsId: 0 dnsFlags: 0x0000 dnsLatency(ms): 0 rtt(ns) 0 DropPkts: 0 DropBytes: 0 DropCause 0
ipv4: 13:01:09.711814 wlp0s20f3 IP 94.238.144.182:41158 > 192.168.1.159:80: dscp: 0x0 protocol:tcp type: 0 code: 0 dir:1 bytes:174 packets:1 flags:2 ends: 13:01:09.711814 dnsId: 0 dnsFlags: 0x0000 dnsLatency(ms): 0 rtt(ns) 0 DropPkts: 0 DropBytes: 0 DropCause 0
ipv4: 13:01:09.731651 wlp0s20f3 IP 74.23.143.115:41392 > 192.168.1.159:80: dscp: 0x0 protocol:tcp type: 0 code: 0 dir:1 bytes:174 packets:1 flags:2 ends: 13:01:09.731651 dnsId: 0 dnsFlags: 0x0000 dnsLatency(ms): 0 rtt(ns) 0 DropPkts: 0 DropBytes: 0 DropCause 0

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

[ ] Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist.
[ ] Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
[ ] Does this PR require product documentation?
- [ ] If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
[ ] Does this PR require a product release notes entry?
- [ ] If so, fill in "Release Note Text" in the JIRA.
[ ] Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
- [ ] If so, make sure it is described in the JIRA ticket.
QE requirements (check 1 from the list):
- [ ] Standard QE validation, with pre-merge tests unless stated otherwise.
- [ ] Regression tests only (e.g. refactoring with no user-facing change).
- [ ] No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

codecov[bot] commented 3 months ago

Codecov Report

Attention: Patch coverage is 4.16667% with 23 lines in your changes missing coverage. Please review.

Please upload report for BASE (main@7138dc8). Learn more about missing BASE report. Report is 9 commits behind head on main.

Files	Patch %	Lines
pkg/ebpf/flow_filter.go	4.34%	22 Missing :warning:
pkg/agent/agent.go	0.00%	1 Missing :warning:

Additional details and impacted files

```diff @@ Coverage Diff @@ ## main #367 +/- ## ======================================= Coverage ? 32.51% ======================================= Files ? 48 Lines ? 3629 Branches ? 0 ======================================= Hits ? 1180 Misses ? 2348 Partials ? 101 ``` | [Flag](https://app.codecov.io/gh/netobserv/netobserv-ebpf-agent/pull/367/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv) | Coverage Δ | | |---|---|---| | [unittests](https://app.codecov.io/gh/netobserv/netobserv-ebpf-agent/pull/367/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv) | `32.51% <4.16%> (?)` | | Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv#carryforward-flags-in-the-pull-request-comment) to find out more. | [Files](https://app.codecov.io/gh/netobserv/netobserv-ebpf-agent/pull/367?dropdown=coverage&src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv) | Coverage Δ | | |---|---|---| | [pkg/agent/config.go](https://app.codecov.io/gh/netobserv/netobserv-ebpf-agent/pull/367?src=pr&el=tree&filepath=pkg%2Fagent%2Fconfig.go&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv#diff-cGtnL2FnZW50L2NvbmZpZy5nbw==) | `10.00% <ø> (ø)` | | | [pkg/ebpf/bpf\_x86\_bpfel.go](https://app.codecov.io/gh/netobserv/netobserv-ebpf-agent/pull/367?src=pr&el=tree&filepath=pkg%2Febpf%2Fbpf_x86_bpfel.go&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv#diff-cGtnL2VicGYvYnBmX3g4Nl9icGZlbC5nbw==) | `0.00% <ø> (ø)` | | | [pkg/ebpf/tracer.go](https://app.codecov.io/gh/netobserv/netobserv-ebpf-agent/pull/367?src=pr&el=tree&filepath=pkg%2Febpf%2Ftracer.go&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv#diff-cGtnL2VicGYvdHJhY2VyLmdv) | `0.00% <ø> (ø)` | | | [pkg/agent/agent.go](https://app.codecov.io/gh/netobserv/netobserv-ebpf-agent/pull/367?src=pr&el=tree&filepath=pkg%2Fagent%2Fagent.go&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv#diff-cGtnL2FnZW50L2FnZW50Lmdv) | `35.85% <0.00%> (ø)` | | | [pkg/ebpf/flow\_filter.go](https://app.codecov.io/gh/netobserv/netobserv-ebpf-agent/pull/367?src=pr&el=tree&filepath=pkg%2Febpf%2Fflow_filter.go&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=netobserv#diff-cGtnL2VicGYvZmxvd19maWx0ZXIuZ28=) | `37.58% <4.34%> (ø)` | |

msherif1234 commented 3 months ago

/ok-to-test

github-actions[bot] commented 3 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:e714b5a

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=e714b5a make set-agent-image

msherif1234 commented 2 months ago

/ok-to-test

github-actions[bot] commented 2 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:6e859c2

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=6e859c2 make set-agent-image

msherif1234 commented 2 months ago

/ok-to-test

github-actions[bot] commented 2 months ago

New image: quay.io/netobserv/netobserv-ebpf-agent:20f17d0

It will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=20f17d0 make set-agent-image

msherif1234 commented 2 months ago

/approve

openshift-ci[bot] commented 2 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: msherif1234

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/netobserv/netobserv-ebpf-agent/blob/main/OWNERS)~~ [msherif1234] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

netobserv / netobserv-ebpf-agent