noxrepo / pox

The POX network software platform
https://noxrepo.github.io/pox-doc/html/
Apache License 2.0

[Help] Instruct switch to drop all packets from affected DDoS port #259

Closed lorenzomonta closed 3 years ago

lorenzomonta commented 3 years ago

I am writing code to mitigate DDoS attacks. I can currently identify the switch ports for all switches from which DoS attacks originate. I can't figure out how I can, given the port and dpid of the switch, instruct the switch to drop all packages coming only from the affected port. So maybe I could update the switch's flow table? But how could I do that? Finally, when the DDoS attack is over, how can I remove that rule? Can you help me? Thanks!

MurphyMc commented 3 years ago

My OpenFlow is rusty, but I think the core of it should be something like this...

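```python
from pox.core import core
import pox.openflow.libopenflow_01 as of

# BLOCK_DPID / BLOCK_PORT: dpid of the switch and the port number to block

# Add rule that drops (a flow entry with no actions discards matching packets)
msg = of.ofp_flow_mod()
msg.match.in_port = BLOCK_PORT
core.openflow.sendToDPID(BLOCK_DPID, msg)

# Remove rule that drops
msg = of.ofp_flow_mod(command = of.OFPFC_DELETE_STRICT)
msg.match.in_port = BLOCK_PORT
core.openflow.sendToDPID(BLOCK_DPID, msg)
```
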
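
Added example, not part of the thread and not POX code: the two flow-mods from the comment above, encoded by hand as OpenFlow 1.0 wire messages, with a check that the strict delete really targets the entry the add installed. The function names and port 3 are constructed for illustration; `hard_timeout` is an OpenFlow 1.0 flow-mod field the thread does not use, included as an optional way to let a block expire on its own.

```python
import struct

# OpenFlow 1.0 constants (the protocol version libopenflow_01 implements)
OFP_VERSION, OFPT_FLOW_MOD = 0x01, 14
OFPFC_ADD, OFPFC_DELETE_STRICT = 0, 4
OFPFW_ALL, OFPFW_IN_PORT = (1 << 22) - 1, 1 << 0
OFPP_NONE, NO_BUFFER, DEFAULT_PRIORITY = 0xFFFF, 0xFFFFFFFF, 0x8000

HEADER = struct.Struct("!BBHI")               # version, type, length, xid
MATCH = struct.Struct("!IH6s6sHBxHBB2xIIHH")  # ofp_match, 40 bytes
BODY = struct.Struct("!QHHHHIHH")             # cookie ... flags, 24 bytes


def in_port_flow_mod(port, command, priority=DEFAULT_PRIORITY, hard_timeout=0):
    """Encode a flow-mod matching only on in_port, with an empty action list."""
    wildcards = OFPFW_ALL & ~OFPFW_IN_PORT    # everything wildcarded except in_port
    match = MATCH.pack(wildcards, port, bytes(6), bytes(6), 0, 0, 0, 0, 0, 0, 0, 0, 0)
    body = BODY.pack(0, command, 0, hard_timeout, priority, NO_BUFFER, OFPP_NONE, 0)
    length = HEADER.size + MATCH.size + BODY.size   # no actions follow: drop
    return HEADER.pack(OFP_VERSION, OFPT_FLOW_MOD, length, 0) + match + body


def decode(msg):
    """Return the fields that decide which flow entry a flow-mod touches."""
    version, msg_type, length, _xid = HEADER.unpack_from(msg, 0)
    if (version, msg_type) != (OFP_VERSION, OFPT_FLOW_MOD) or length != len(msg):
        raise ValueError("not a complete OpenFlow 1.0 flow-mod")
    wildcards, in_port = struct.unpack_from("!IH", msg, HEADER.size)
    _cookie, command, _idle, hard, priority, _buf, _out, _flags = BODY.unpack_from(
        msg, HEADER.size + MATCH.size)
    action_bytes = length - HEADER.size - MATCH.size - BODY.size
    return {"command": command, "wildcards": wildcards, "in_port": in_port,
            "priority": priority, "hard_timeout": hard, "action_bytes": action_bytes}


def strict_delete_hits(add_msg, delete_msg):
    """DELETE_STRICT removes an entry only if match and priority are identical."""
    a, d = decode(add_msg), decode(delete_msg)
    lo, hi = HEADER.size, HEADER.size + MATCH.size
    return (d["command"] == OFPFC_DELETE_STRICT
            and add_msg[lo:hi] == delete_msg[lo:hi]
            and a["priority"] == d["priority"])


if __name__ == "__main__":
    block = in_port_flow_mod(3, OFPFC_ADD)               # port 3: constructed value
    unblock = in_port_flow_mod(3, OFPFC_DELETE_STRICT)
    print(block.hex(), decode(block), strict_delete_hits(block, unblock))
```

If the drop rule is installed with a non-default priority, the removal message has to carry the same priority, otherwise the strict delete leaves the block in place.
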
lorenzomonta commented 3 years ago

Thank you very very much!! It works fine! Where can I read some documentation about OpenFlow using Python with some examples?

Thanks a lot!

MurphyMc commented 3 years ago

A few possibilities:

Good luck!

lorenzomonta commented 3 years ago

Thank you very much, you have been very helpful! Thank you very much!