DDoS-Protect Events handling


gg

Nov 9, 2020, 3:50:26 PM
to sFlow-RT
Hi Peter,

Looking at ddos-protect, I'm trying to handle an event every time a threshold is exceeded, even if one is already being handled. In other words, let's say the "ddos_protect_icmp_flood" threshold has been exceeded and a control has been applied to the corresponding IP address; I would like to still get events for that same threshold being exceeded and, for example, update the timeout, so I can keep the control applied for as long as the attack exists, and not wait for a timeout and re-apply the control.

GG

Peter Phaal

Nov 9, 2020, 5:06:35 PM
to sFlow-RT
You can use the thresholdTriggered() function to check the status of a threshold to see if it is still being triggered. For example, ddos-protect uses this check to prevent the removal of a control if the attack is still being observed:


It may not be possible to know if the attack is ongoing. For example, if a flowspec rule is propagated upstream, then the traffic will be blocked before it gets to your network and so you won't know if the attack is still in progress. The timeout removing the flowspec rule will allow attack traffic through, triggering a new threshold event which will re-implement the flowspec filter. This process happens within seconds and so very little attack traffic gets through.

gaston gutierrez

Nov 9, 2020, 5:14:15 PM
to Peter Phaal, sFlow-RT
Peter,

If I understand correctly, thresholdTriggered() will return True for threshold_t seconds after the threshold was exceeded?

Regards
GG


Peter Phaal

Nov 9, 2020, 5:20:59 PM
to sFlow-RT
Actually, the threshold timeout is used to provide hysteresis. The value needs to return below the threshold and remain there for the timeout interval before the threshold will re-arm. The thresholdTriggered() function will return true once the threshold triggers and remain true until the threshold timeout has expired.
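The hysteresis behaviour Peter describes can be modelled in a few lines. The following is an added example, not sFlow-RT code: it simulates a threshold that fires once when the value first crosses it, reports "triggered" (what thresholdTriggered() would return) until the value has stayed below the threshold for the whole timeout, and only then re-arms so that the next crossing produces a new event. The sample series, the 5000 fps threshold, the 10 second timeout and the strict/non-strict comparison choices are assumptions of this model.

```javascript
// Added example (not sFlow-RT code): a model of threshold hysteresis.
// Exact edge semantics (strict vs. non-strict comparisons) are an assumption.

class ThresholdModel {
  constructor(threshold, timeoutSeconds) {
    this.threshold = threshold;
    this.timeout = timeoutSeconds;
    this.triggered = false;   // what thresholdTriggered() would report
    this.belowSince = null;   // time the value last dropped back below threshold
    this.events = [];         // one event per trigger, not one per sample
  }

  // Feed one sample (t in seconds); returns the triggered state afterwards.
  update(t, value) {
    if (!this.triggered) {
      if (value > this.threshold) {
        this.triggered = true;                 // first crossing generates the event
        this.events.push({ timestamp: t, value });
      }
      return this.triggered;
    }
    if (value > this.threshold) {
      this.belowSince = null;                  // excursion back above restarts the clock
    } else {
      if (this.belowSince === null) this.belowSince = t;
      if (t - this.belowSince >= this.timeout) {
        this.triggered = false;                // re-armed: next crossing is a new event
        this.belowSince = null;
      }
    }
    return this.triggered;
  }
}

// Constructed sample series: [seconds, frames per second] for an ICMP flood
// metric measured against a 5000 fps threshold with a 10 second timeout.
const SAMPLES = [
  [0, 100], [1, 6000], [2, 7000], [3, 200], [8, 6500],
  [9, 100], [15, 100], [19, 100], [20, 5500],
];

// Runs the model over a series; returns the events raised and the
// triggered state observed after each sample, keyed by time.
function simulate(samples, threshold, timeoutSeconds) {
  const model = new ThresholdModel(threshold, timeoutSeconds);
  const states = {};
  for (const [t, v] of samples) states[t] = model.update(t, v);
  return { events: model.events, states };
}

const simulation = simulate(SAMPLES, 5000, 10);
console.log(JSON.stringify(simulation.events)); // events at t=1 and t=20 only
```

Note that the burst at t=8 produces no event of its own (the threshold is still triggered) but it does restart the re-arm clock, so the threshold only re-arms at t=19, ten seconds after the value settled below 5000 at t=9. This is why a handler that wants to keep a control in place during an ongoing attack polls thresholdTriggered() rather than waiting for repeat events.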

gg

Nov 11, 2020, 11:46:47 AM
to sFlow-RT
Peter,

Is it ok to assume that the value of an event for an exceeded threshold is the highest value obtained before handling the event?

For example, for a threshold of 5000 fps, I get the following value: "value": 5236.811646006986,

 { "eventID": 2, "agent": "XXX.XXX.XXX.XXX", "metric": "ddos_protect_icmp_flood", "values": [ 1, 28 ], "threshold": 5000, "flowKey": "YYY.YYY.YYY.YYY,local,8", "thresholdID": "ddos_protect_icmp_flood", "dataSource": "548", "value": 5236.811646006986, "timestamp": 1605112319525 },

Regards,
Gaston

Peter Phaal

Nov 11, 2020, 12:19:38 PM
to sFlow-RT
The value reported in the event is the first value that crossed the threshold (and the value at the time the event was generated). You can query for the current value using the flowValue() function, e.g. for the event you gave currentValue = flowValue(event.agent, event.dataSource + '.' + event.metric, event.flowKey);

sFlow-RT's analytics engine operates asynchronously, continuously updating values as sFlow messages are received, so the values are constantly changing. You can control the variability by setting the t value when you define flows. This determines the period over which the flow is averaged:

The ddos_protect.flow_seconds configuration setting is used to set the flow t values (the default is a 2 second moving average).

gg

Nov 11, 2020, 12:55:59 PM
to sFlow-RT
Thank you for the quick reply, this leads me to the next questions...

Assuming I have 2 sFlow agents, and flows matching the "ddos_protect_icmp_flood" flow definition, will the event be generated based on the first agent that exceeds the threshold? What if the other agent's matching flows also exceed the threshold? Would that event also be generated? Values for those events will be per agent/datasource, right? Is there any way to get the aggregate value for the flows through both agents and set a threshold for that value?

The function flowValue requires defining the agent/flowsource. How could I get a value for the aggregate, considering it's based on flows on different agents/flowsources? Should I do that manually?

Peter Phaal

Nov 11, 2020, 4:13:55 PM
to sFlow-RT
You are correct, if the traffic flows through multiple data sources / agents then multiple events will be generated. DDoS Protect de-duplicates the events with the following code:


You can use the activeFlows() query to roll up traffic across all agents. The DDoS Protect charts are generated using this method:


The method is complicated by the fact that DDoS Protect combines IPv4 and IPv6 versions of each metric into a single trend.

The following article walks through the way that sFlow-RT organizes counter and flow metrics and provides examples that can be run on your laptop:


The sFlow-RT thresholding mechanism operates at the data source level. This provides the fastest response and generates events that tie back to the load on specific network resources (links, ports) that can then be protected by control actions. In the DDoS use case, sFlow packet sampling is typically performed on ingress, so you will be triggering on traffic flooding a WAN link.

If you want to trigger actions based on metrics that span more than one data source then you can use the intervalHandler() to periodically query metrics and trigger actions based on aggregate metrics. The following elastic load balancing article provides an example:
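The two mechanisms in this reply, de-duplicating the events that several data sources raise for the same attack and rolling up per-agent flow values into an aggregate that a periodic handler can threshold, are illustrated by the added example below. It is not DDoS Protect's own code and does not call the sFlow-RT API: the events are constructed samples shaped like the event JSON quoted earlier in the thread, the flow rows stand in for what an activeFlows() query would return, and the 60 second control timeout, the IP addresses and the values are all assumptions.

```javascript
// Added example (not DDoS Protect code). Constructed events from two agents,
// shaped like the event JSON quoted earlier in this thread.
const EVENTS = [
  { eventID: 1, agent: '10.0.0.1', dataSource: '548', metric: 'ddos_protect_icmp_flood',
    thresholdID: 'ddos_protect_icmp_flood', flowKey: '192.0.2.10,local,8',
    threshold: 5000, value: 5236.8, timestamp: 1605112319525 },
  { eventID: 2, agent: '10.0.0.2', dataSource: '12', metric: 'ddos_protect_icmp_flood',
    thresholdID: 'ddos_protect_icmp_flood', flowKey: '192.0.2.10,local,8',
    threshold: 5000, value: 5100.2, timestamp: 1605112319900 },   // same target, 375 ms later
  { eventID: 3, agent: '10.0.0.1', dataSource: '548', metric: 'ddos_protect_icmp_flood',
    thresholdID: 'ddos_protect_icmp_flood', flowKey: '198.51.100.7,local,8',
    threshold: 5000, value: 6000.0, timestamp: 1605112320100 },   // different target
  { eventID: 4, agent: '10.0.0.2', dataSource: '12', metric: 'ddos_protect_icmp_flood',
    thresholdID: 'ddos_protect_icmp_flood', flowKey: '192.0.2.10,local,8',
    threshold: 5000, value: 5300.0, timestamp: 1605112400000 },   // first target, ~80 s later
];

// De-duplicate: one control per (thresholdID, flowKey) while that control is
// still active; events for an already-controlled target are dropped. The
// control lifetime (controlTimeoutMs) is a constructed parameter of this model.
function dedupEvents(events, controlTimeoutMs) {
  const activeUntil = new Map();   // key -> timestamp at which the control expires
  const actions = [];
  const duplicates = [];
  for (const ev of events) {
    const key = ev.thresholdID + '|' + ev.flowKey;
    const expiry = activeUntil.get(key);
    if (expiry !== undefined && ev.timestamp < expiry) {
      duplicates.push(ev);         // same attack seen from another data source
      continue;
    }
    activeUntil.set(key, ev.timestamp + controlTimeoutMs);
    actions.push(ev);              // apply (or re-apply after expiry) the control
  }
  return { actions, duplicates };
}

// Constructed stand-in for activeFlows() results across two agents: the
// 192.0.2.10 flood is split over two links, so neither data source alone
// exceeds 5000 fps even though the target is receiving 5500 fps in total.
const FLOW_ROWS = [
  { agent: '10.0.0.1', dataSource: '548', key: '192.0.2.10,local,8',   value: 3100 },
  { agent: '10.0.0.2', dataSource: '12',  key: '192.0.2.10,local,8',   value: 2400 },
  { agent: '10.0.0.1', dataSource: '548', key: '198.51.100.7,local,8', value: 6000 },
];

// Roll up per-agent values into one total per flow key.
function aggregateByKey(rows) {
  const totals = new Map();
  for (const row of rows) totals.set(row.key, (totals.get(row.key) || 0) + row.value);
  return totals;
}

// What a periodic (intervalHandler-style) check would act on: keys whose
// aggregate across all agents exceeds the threshold.
function keysExceeding(rows, threshold) {
  return [...aggregateByKey(rows)]
    .filter(([, total]) => total > threshold)
    .map(([key]) => key);
}

// Largest single-data-source value for a key, to contrast with the aggregate.
function maxPerSource(rows, key) {
  return Math.max(...rows.filter(r => r.key === key).map(r => r.value));
}

console.log(dedupEvents(EVENTS, 60000).actions.map(e => e.eventID)); // [1, 3, 4]
console.log(keysExceeding(FLOW_ROWS, 5000));                         // both keys
```

Event 2 is dropped because a control for the same target is already active, while event 4 is acted on again because it arrives after the model's 60 second control lifetime. In the aggregate check, 192.0.2.10 would never trigger a per-data-source threshold (3100 and 2400 fps on its two links) but does exceed 5000 fps in total, which is the case the intervalHandler() approach covers.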
