SDN RYU Controller-Read DNS Header Flags in DNS Amplification Reflection Attack - reflection

I implement an SDN network with an RYU controller. I simulate a DNS amplification reflection attack.
Now I need to recognize legitimate from illegitimate DNS responses by reading some flags in the DNS header.
Does anybody have an idea how it is possible to read DNS flags in the RYU controller?
Thank you
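As an added example (not from the original post or from the Ryu project), the following Python code shows how the DNS header can be decoded from the raw UDP payload and how a controller could tell solicited responses apart from reflected ones. It assumes that in a Ryu packet_in handler you have already built pkt = packet.Packet(msg.data), located the udp.udp protocol and taken the trailing raw bytes (the last element of pkt.protocols) as the DNS payload; that plumbing is left out so the block runs offline. The sample datagrams are constructed, the addresses are documentation ranges, and the DnsResponseFilter class and its state keys are this example's own design.

```python
import struct

# DNS header (RFC 1035 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")


def parse_dns_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header at the start of a UDP payload."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF, # 0 = standard query
        "aa": (flags >> 10) & 1,       # authoritative answer
        "tc": (flags >> 9) & 1,        # truncated
        "rd": (flags >> 8) & 1,        # recursion desired
        "ra": (flags >> 7) & 1,        # recursion available
        "rcode": flags & 0xF,          # 0 = NOERROR, 3 = NXDOMAIN, ...
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


class DnsResponseFilter:
    """Remember queries that leave the protected hosts and judge the responses.

    In a reflection attack the victim receives responses (QR=1) it never
    asked for, so a response whose (client, server, transaction id) triple
    was never seen as a query is reported as 'unsolicited'.
    """

    def __init__(self):
        self.pending = set()  # (client_ip, server_ip, txid) of outstanding queries

    def observe(self, src_ip: str, dst_ip: str, payload: bytes) -> str:
        """Classify one DNS datagram as 'query', 'solicited' or 'unsolicited'."""
        hdr = parse_dns_header(payload)
        if hdr["qr"] == 0:
            self.pending.add((src_ip, dst_ip, hdr["id"]))
            return "query"
        key = (dst_ip, src_ip, hdr["id"])  # response flows server -> client
        if key in self.pending:
            self.pending.discard(key)
            return "solicited"
        return "unsolicited"


def build_header(txid: int, flags: int, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Construct a bare DNS header for the demonstration (no question section)."""
    return DNS_HEADER.pack(txid, flags, qd, an, ns, ar)


# Constructed sample datagrams (header only; flags values are standard encodings).
QUERY = build_header(0x1234, 0x0100)                  # QR=0, RD=1
RESPONSE = build_header(0x1234, 0x8180, an=1)         # QR=1, RD=1, RA=1, NOERROR
REFLECTED = build_header(0xBEEF, 0x8180, an=20, ar=5) # response nobody here asked for


def demo() -> list:
    """Run the three constructed datagrams through the filter."""
    f = DnsResponseFilter()
    return [
        f.observe("10.0.0.5", "198.51.100.53", QUERY),
        f.observe("198.51.100.53", "10.0.0.5", RESPONSE),
        f.observe("198.51.100.53", "10.0.0.5", REFLECTED),
    ]


if __name__ == "__main__":
    print(parse_dns_header(RESPONSE))
    print(demo())  # ['query', 'solicited', 'unsolicited']
```

In a real controller the pending set would need expiry (a query that never gets an answer should not live forever) and the flow rules installed on "unsolicited" should be rate limits or drops scoped to the reflecting server and victim pair, not blanket blocks on UDP/53.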

Related

Datapower outbound ethernet interface

I am facing a problem with IBM Datapower XG45.7.0.0.0.
When I am connecting to an external service using DP, the source IP of DP is being picked up randomly among the 3 available eth interfaces. I know this has performance and stability benefits. However, this is causing a great deal of pain in the firewall config. As a tactical solution, is there a way to ensure that the traffic is sent from any one fixed eth interface?
Sure, normally you should make sure only one NIC has a default gateway (and that would in most cases be the NIC facing the Internet).
The two other NICs should only have static routes set for the various subnets they should serve.
If you don't have a need for different IP addresses for outbound (egress) traffic you might want to use only one NIC and set two additional Secondary IP addresses instead.
That way you have three working IP addresses for ingress (inbound) traffic but only one IP will be used for egress.

will vpn be able to intercept all traffic over a socket bound to another network interface

VPNs like Cisco AnyConnect normally route all traffic through their own network interface.
Would such VPNs still be able to route all traffic even if one binds a socket (a client socket in my case) from an app to another network interface?
There are many ways to make a VPN, but you can view most of them as having three primary components:
A tunnel interface - a virtual network interface that is listed along with your real network interfaces (on Linux you should see it in ip link show). The interface implements a protocol that abstracts all the links between the VPN client and server to make it seem like they are on a simpler network.
A routing rule - a routing rule that tells your computer what data to send through the tunneling interface and what packets to send through your normal network interfaces. This rule can be as simple as "send all packets through the tunneling interface".
A cryptographic algorithm - the method of making sure the packets are encrypted; it is normally abstracted by the tunneling interface.
So to answer your question, you still have access to the other network interfaces. As long as you can bind to it (layer 2 API calls) or listen to it (layer 3 routing rules) then you can access it in a useful way. I recommend looking at your routing table after the VPN is established to get a better idea of what is going on.

Split uplink and downlink between interfaces with openvswitch

I have one or more virtual machines on a Debian host and two physical eth interfaces. I want to split bandwidth between the eths (both for downlink and one for uplink). Is it possible with openvswitch and openflow?
The short answer is that it should be possible with OVS and OpenFlow. With OVS you can connect your VM's virtual ports and the server's physical interfaces.
Without thinking too much, you can load balance the traffic by:
Installing a flow to direct any VM packet to your uplink port. This flow should rewrite the src IP and MAC as the ones from the downlink interface, so that it will look like it is being sent through that port.
Keep in mind that you might need to take your virtual ports' configuration into account, and that you need some kind of mapping (something like NAT) to get the packets correctly returned to their respective VMs. You can take a look at a NAT implementation for the Ryu controller to get some inspiration.

Do devices like firewalls or load balancers have IP addresses?

Until now I assumed all network devices have IP addresses because someone may want to send something to them. But no one wants to send a packet to a device like a firewall or load balancer, as they just connect networks. I wonder if they have an IP address or not.
A firewall or load balancer will have an IP address, as you need to direct the packets to either of the devices for it to work its magic. If it's a firewall then you will want to block outgoing or incoming traffic; if you have load balancers then you will want to let that decide which node behind the LB is able to process the incoming request.
Not always. Some proxy devices are just 'bumps in the wire'.

UDP vs IP- difference?

I understand that UDP resides on the transport layer and IP on the internet layer. I also get that they're both connectionless and unreliable. Then what is the point of UDP when we already have IP? The distinction is not very clear. Any help on this is greatly appreciated. Thanks!
Then what is the point of UDP when we already have IP?
To multiplex services. The UDP port number can differentiate between multiple services on the same host, using the same L3 identification. Using IP only it wouldn't be possible to host multiple services on the same station and easily differentiate between them.
Also, consider the case of UDP over IPv6. Since IPv6 doesn't have error-checking somebody has to perform it: the Checksum field of UDP is not optional.
Once a packet reaches a host using its IP address, the packet needs to be given to one of the applications on this machine. To determine which application should get the packet, it needs demultiplexing logic, which is based on ports. UDP has port information which is used by IP to deliver the packet to the appropriate application.
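The answer above notes that over IPv6 the UDP checksum is mandatory because the IPv6 header carries no checksum of its own. As an added example (not part of any answer on this page), the Python below computes that checksum over the IPv6 pseudo-header (source address, destination address, upper-layer length, next-header value) and verifies a received datagram the way a receiver must, rejecting a zero checksum outright. The addresses and payload are constructed sample values; the function names are this example's own.

```python
import socket
import struct

UDP_PROTO = 17  # IPv6 Next Header value for UDP


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_pseudo_header(src: str, dst: str, upper_len: int, next_hdr: int) -> bytes:
    """Pseudo-header from RFC 8200 section 8.1: src, dst, length, 3 zero bytes, next header."""
    return (socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst)
            + struct.pack("!I3xB", upper_len, next_hdr))


def udp6_checksum(src: str, dst: str, sport: int, dport: int, payload: bytes) -> int:
    """Checksum of a UDP datagram carried in IPv6; never 0 on the wire."""
    udp_len = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, udp_len, 0)  # checksum field zeroed
    total = ones_complement_sum(ipv6_pseudo_header(src, dst, udp_len, UDP_PROTO) + header + payload)
    csum = 0xFFFF ^ total  # one's complement of the sum
    return csum if csum else 0xFFFF  # a computed 0 is transmitted as all ones


def build_udp6(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a UDP datagram (header + payload) with a valid IPv6 checksum."""
    csum = udp6_checksum(src, dst, sport, dport, payload)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), csum) + payload


def verify_udp6(src: str, dst: str, datagram: bytes) -> bool:
    """Receiver-side check: zero checksum is invalid over IPv6, otherwise the
    sum over pseudo-header plus datagram must come out as all ones."""
    if len(datagram) < 8:
        return False
    (csum,) = struct.unpack_from("!H", datagram, 6)
    if csum == 0:
        return False
    pseudo = ipv6_pseudo_header(src, dst, len(datagram), UDP_PROTO)
    return ones_complement_sum(pseudo + datagram) == 0xFFFF


# Constructed sample: documentation-prefix addresses and an odd-length payload.
SRC, DST = "2001:db8::1", "2001:db8::2"
SAMPLE = build_udp6(SRC, DST, 53, 4444, b"constructed payload")

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(verify_udp6(SRC, DST, SAMPLE))
```

Because the pseudo-header folds both IPv6 addresses into the sum, a datagram whose destination address was altered in flight fails verification even though the UDP header and payload are intact; that is the error detection the missing IPv6 header checksum would otherwise have provided.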
