Sflow-RT BlackHole fails to advertise prefixes

gg

Nov 16, 2020, 2:05:03 PM
to sFlow-RT
Hi Peter,

Whenever I try to use a ddos.conf file it's failing to advertise RTBH routes. What am I doing wrong?

docker run --rm --net=host --name=sflow-rt -v ${PWD}/sflow-rt/ddos-protect:/sflow-rt/app/ddos-protect -v ${PWD}/sflow-rt/ddos.conf:/sflow-rt/ddos.conf --sysctl net.ipv4.ip_unprivileged_port_start=0 sflow/sflow-rt -Dbgp.start=yes -Dbgp.port=179 -Dhttp.hostname=127.0.0.1 -Dsystem.propertyFiles=/sflow-rt/ddos.conf

2020-11-16T18:52:08Z INFO: Starting sFlow-RT 3.0-1535
2020-11-16T18:52:09Z INFO: Version check, running latest
2020-11-16T18:52:09Z INFO: Listening, BGP port 179
2020-11-16T18:52:10Z INFO: Listening, sFlow port 6343
2020-11-16T18:52:10Z INFO: Listening, HTTP port 8008
2020-11-16T18:52:10Z INFO: app/ddos-protect/scripts/ddos.js started
2020-11-16T18:52:22Z INFO: BGP open YYY.YYY.YYY.YYY 63853
2020-11-16T18:52:22Z INFO: BGP open XXX.XXX.XXX.XXX 55871
2020-11-16T18:52:28Z INFO: DDoS drop icmp_flood ZZZ.ZZZ.ZZZ.ZZZ local 8
2020-11-16T18:52:28Z WARNING: DDoS failed, router XXX.XXX.XXX.XXX, icmp_flood ZZZ.ZZZ.ZZZ.ZZZ local 8
2020-11-16T18:52:28Z WARNING: DDoS failed, router YYY.YYY.YYY.YYY, icmp_flood ZZZ.ZZZ.ZZZ.ZZZ local 8

I've checked tcpdump and there is BGP traffic, but no RTBH advertisements.

Contents of ddos.conf:

#http.hostname=127.0.0.1
#bgp.start=yes
#bgp.port=179
ddos_protect.router=XXX.XXX.XXX.XXX,YYY.YYY.YYY.YYY
ddos_protect.mode=automatic
ddos_protect.id=HHH.HHH.HHH.HHH
ddos_protect.router.0.agent=XXX.XXX.XXX.XXX
ddos_protect.router.1.agent=YYY.YYY.YYY.YYY
ddos_protect.nexthop=192.0.2.1 
ddos_protect.community=64666:666
ddos_protect.icmp_flood.action=drop
ddos_protect.icmp_flood.threshold=10000
ddos_protect.icmp_flood.timeout=30
#ddos_protect.bgpgroup=local
ddos_protect.group.local=ZZZ.ZZZ.ZZZ.ZZZ
ddos_protect.syslog.host=SSS.SSS.SSS.SSS

Files inside docker container:

~ $ ls -l
total 32
drwxr-xr-x    1 sflowrt  sflowrt       4096 Nov 16 18:52 app
-rw-r--r--    1 root     root           547 Nov 16 18:52 ddos.conf
drwxr-xr-x    2 sflowrt  sflowrt       4096 Nov 13 01:31 extras
-rwxr-xr-x    1 sflowrt  sflowrt        493 Nov 12 20:16 get-app.sh
drwxr-xr-x    2 sflowrt  sflowrt       4096 Nov 13 01:31 lib
drwxr-xr-x    6 sflowrt  sflowrt       4096 Nov 13 01:31 resources
-rwxr-xr-x    1 sflowrt  sflowrt        266 Nov 12 20:16 start.sh
drwxr-sr-x    3 sflowrt  sflowrt       4096 Nov 16 18:52 store

~ $ ls -l app/
total 4
drwxr-xr-x    5 root     root          4096 Nov 13 18:36 ddos-protect

~ $ ls -l app/ddos-protect/
total 16
-rw-r--r--    1 root     root          1084 Nov  6 15:26 LICENSE
-rw-r--r--    1 root     root           689 Nov  6 15:26 README.md
drwxr-xr-x    5 root     root          4096 Nov  6 15:26 html
drwxr-xr-x    3 root     root          4096 Nov 16 18:15 scripts

~ $ ls -l app/ddos-protect/scripts/
total 72
-rw-r--r--    1 root     root         29245 Nov 16 17:49 ddos.js
-rw-r--r--    1 root     root         35935 Nov 16 17:48 ddos.js.bak
drwxr-xr-x    2 root     root          4096 Nov  6 15:26 inc

ddos.js is the original one from ddos-protect, ddos.js.bak is a modified version.

When I run it with all properties on the cmd line it works fine.

Peter Phaal

Nov 16, 2020, 5:56:40 PM
to sFlow-RT
I managed to reproduce the problem. Thanks for the detailed information.

The following line in your config has a trailing whitespace:
ddos_protect.nexthop=192.0.2.1 

If you remove the space it should work. I will fix the getSystemProperty() function in sFlow-RT to remove leading and trailing white space to avoid this type of problem in future.
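
A pre-flight check for the problem diagnosed above, as an added example that is not part of the original thread or of sFlow-RT: a small Python linter that flags property values with leading or trailing whitespace and address values that fail strict IP parsing. The sample config is constructed (documentation addresses stand in for the redacted ones), and treating ddos_protect.router, ddos_protect.nexthop and *.agent as IP-valued is an assumption based on the ddos.conf shown in the thread.

```python
import ipaddress

# Assumption: these keys (names from the ddos.conf in this thread) hold IP addresses.
IP_KEYS = ("ddos_protect.router", "ddos_protect.nexthop")

# Constructed sample; explicit "\n" keeps the trailing space visible in source.
SAMPLE = (
    "#bgp.start=yes\n"
    "ddos_protect.router=198.51.100.1,198.51.100.2\n"
    "ddos_protect.mode=automatic\n"
    "ddos_protect.nexthop=192.0.2.1 \n"  # trailing space, as in the thread
    "ddos_protect.community=64666:666\n"
    "ddos_protect.icmp_flood.action=drop\n"
)


def lint_properties(text):
    """Return (line_no, key, problem) tuples for values a non-trimming parser would mishandle."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.lstrip()
        # Skip blanks, comments and lines without a key=value pair.
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if value != value.strip():
            findings.append((line_no, key, "whitespace around value %r" % value))
        if key in IP_KEYS or key.endswith(".agent"):
            for item in value.split(","):
                try:
                    # Deliberately not stripped: mimic a consumer that does not trim.
                    ipaddress.ip_address(item)
                except ValueError:
                    findings.append((line_no, key, "not a valid IP address: %r" % item))
    return findings


if __name__ == "__main__":
    for line_no, key, problem in lint_properties(SAMPLE):
        print("line %d: %s: %s" % (line_no, key, problem))
```

Run it against the mounted ddos.conf before starting the container; an empty result means no value carries stray whitespace.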

Peter Phaal

Nov 16, 2020, 6:48:42 PM
to sFlow-RT
We just uploaded version 3.0-1536 that includes a fix for the whitespace issue.

gaston gutierrez

Nov 16, 2020, 6:50:22 PM
to Peter Phaal, sFlow-RT
Ah, awesome, that worked, I would have never noticed that. Thank you!
