add example workload (with syn attack) #111

Merged 2 commits on Jun 16, 2022

eranra
Contributor

@eranra eranra commented Jun 1, 2022

The workload is based on GoogleCloudPlatform/microservices-demo
Syn attack is based on docker and an example from https://github.com/bilalcaliskan/syn-flood

@eranra eranra requested review from jpinsonneau and jotak June 1, 2022 08:27
Member

jotak commented Jun 1, 2022

is that something where you can leverage netobserv to spot the attack?
how would you demo that? (I'm interested if I can reuse that use-case in demo/talk :) )

Contributor Author

eranra commented Jun 1, 2022

> is that something where you can leverage netobserv to spot the attack? how would you demo that? (I'm interested if I can reuse that use-case in demo/talk :) )

Maybe this syn attack traffic is not "seen" by OVS/N ... I need to check more

We can see at the namespace level a lot of traffic into the sample-workload namespace (as expected)

image

And then, focusing on the frontend-external pod, we see a lot of traffic from unknown sources

image

This is exactly what we expect to see in such a scenario.

Contributor Author

eranra commented Jun 6, 2022

/retest

Contributor Author

eranra commented Jun 6, 2022

@jpinsonneau I see a strange amount of packets (on the edges) when I change the view to show the number of packets:

image

I was expecting a very small amount. And BTW, I see the same in the table ... so something is not making sense here:

image

Member

jotak commented Jun 7, 2022

@eranra default payload length is 1400, it's consistent with the values that you have:
https://github.com/bilalcaliskan/syn-flood/blob/master/cmd/root.go#L24-L25
E.g. 98290400 / 67600 = 1454

(or you were expecting less packets, but why? isn't it the purpose to send as many packets as possible?)

Contributor Author

eranra commented Jun 7, 2022

> @eranra default payload length is 1400, it's consistent with the values that you have: https://github.com/bilalcaliskan/syn-flood/blob/master/cmd/root.go#L24-L25 E.g. 98290400 / 67600 = 1454
>
> (or you were expecting fewer packets, but why? isn't it the purpose to send as many packets as possible?)

I was expecting fewer packets (only one per flow with syn) ... it should be 1400 bytes total if I read the documentation correctly (and the code of the payload creation here https://github.com/bilalcaliskan/syn-flood/blob/ec6298dd2ffe52ea0f5d7eb62adc9ada5ac8d856/internal/raw/utils.go#L13)

We get a lot of packets per connection ... not what I expected
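
The check being discussed in this thread, as an added example (not code from this PR, from netobserv or from syn-flood): group flow records by destination, count distinct sources that map to no known workload, and compare bytes to packets. The `Flow` struct, the `SrcKnown` flag and the sample records are assumptions constructed for illustration.

```go
package main

import "fmt"

// Flow is a hypothetical, simplified flow record (not the netobserv schema).
type Flow struct {
	Src, Dst       string
	SrcKnown       bool // false when the source maps to no cluster workload
	Bytes, Packets uint64
}

// Stats summarises what one destination received.
type Stats struct {
	UnknownSources int
	Bytes, Packets uint64
}

// BytesPerPacket returns the mean packet size, or 0 when no packets were seen.
func (s Stats) BytesPerPacket() uint64 {
	if s.Packets == 0 {
		return 0
	}
	return s.Bytes / s.Packets
}

// Summarize groups flows by destination and counts distinct unknown sources.
func Summarize(flows []Flow) map[string]Stats {
	out, seen := map[string]Stats{}, map[string]bool{}
	for _, f := range flows {
		s := out[f.Dst]
		s.Bytes, s.Packets = s.Bytes+f.Bytes, s.Packets+f.Packets
		if key := f.Dst + "|" + f.Src; !f.SrcKnown && !seen[key] {
			seen[key] = true
			s.UnknownSources++
		}
		out[f.Dst] = s
	}
	return out
}

// sampleFlows is constructed; frontend-external totals match the thread's figures.
var sampleFlows = []Flow{
	{"198.51.100.7", "frontend-external", false, 24572600, 16900},
	{"203.0.113.21", "frontend-external", false, 49145200, 33800},
	{"198.51.100.7", "frontend-external", false, 24572600, 16900},
	{"10.128.0.12", "cartservice", true, 5200, 40},
}

func main() { fmt.Printf("%+v\n", Summarize(sampleFlows)) }
```

A mean of 1454 bytes per packet equals the 1400-byte payload plus 14 + 20 + 20 bytes of Ethernet, IPv4 and TCP headers without options, assuming the byte counter includes those headers.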

Member

jotak commented Jun 8, 2022

maybe with sampling = 1?

@@ -8,6 +8,9 @@ ocp-expose:
oc expose service loki || true
@loki_url=$$(oc get route loki -o jsonpath='{.spec.host}'); \
echo -e "\nAccess loki on OCP using: http://"$$loki_url"\n"
oc expose -n sample-workload service frontend-external || true
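
Review bot: the `oc expose -n sample-workload service frontend-external || true` line at the end of this hunk discards every failure, not only the already-exists case, so `make ocp-expose` reports success even when the sample-workload namespace has not been deployed and no route was created. Consider guarding the command on the namespace existing, and echoing the resulting route host the way the loki lines just above it do, so the user can see where the frontend was exposed.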
Member

@jotak jotak Jun 9, 2022


I tend to use make ocp-expose just to create grafana/loki routes. Can you split in two different targets then? (maybe ocp-expose and ocp-expose-all, similarly to the deploy-all that deploys more than just the infra?)

Contributor Author


Fixed (@jotak please review again that this fits your needs)

Member

@jotak jotak left a comment


lgtm!

Member

jotak commented Jun 16, 2022

/approve


openshift-ci bot commented Jun 16, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jotak

@openshift-ci openshift-ci bot merged commit fb59e57 into netobserv:main Jun 16, 2022