nProbe + ntopng not showing UDP DDOS fragments #8744
Comments
Hi @melicherm is it possible to have a pcap / small portion of that attack (in case we will talk by email)? |
@MatteoBiscosi - we have just this dump: Frame 15: 1490 bytes on wire (11920 bits), 1490 bytes captured (11920 bits) on interface team0.295, id 0 Hope this helps. Will ask for .pcap if it's available. DST IP is hidden. |
@MatteoBiscosi - got the .pcap (around 1Mil packets available @1.2GB). I have extracted 200 packets. Would like to send it to you per email - 256 KB. Can you give me your address? Thank you! |
@melicherm Please send me the URL from which I can download the pcap. My email is deri@ntop.org |
Using this setup and the pcap you sent us, we see the traffic. Can you please check how your sFlow exporter behaves in case of fragmented traffic? Theoretically, it should not matter. |
Hi, if I load the same attack .pcap (1.2G) there is some DNS, ICMP traffic that I see in nProbe. Maybe that is what you are seeing? But if I use only the UDP fragmented packets extracted from the whole attack I don't see anything.

This is the nprobe+ntop setup:

cat /etc/nprobe/nprobe.conf
--collector-port=6343

cat /etc/ntopng/ntopng.conf | grep -v #

I have put only the UDP fragmented packets in a .pcap and used tcpreplay with 2 routers to simulate the same thing that happened in production. The traffic is routed through this router with sFlow activated: I see around 5Gbit/s of UDP traffic (only fragments) on the interface. The router sends sFlow packets to nProbe.

Interface PHY Protocol InUti OutUti inErrors outErrors

Here is the sFlow input to nProbe from the router:

So traffic from the router is definitely coming into the server as sFlow, at a very high rate, because sampling is 1024 and there is 500K pps going through the router as the attack.

tcpdump -i eno8303 port 6343 -nvvv
13:05:10.966214 IP (tos 0x0, ttl 254, id 25696, offset 0, flags [none], proto UDP (17), length 1192)

If I check the lo interface, I see only around 4-5 packets every 5 seconds:

tcpdump -i lo port 5556 -nvvve
23:11:23.030753 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 887: (tos 0x0, ttl 64, id 61592, offset 0, flags [DF], proto TCP (6), length 873)
13:11:49.357423 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 29060, offset 0, flags [DF], proto TCP (6), length 52)
23:11:23.030780 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 29060, offset 0, flags [DF], proto TCP (6), length 52)

In this setup ntop does not see any flows.

If I run nprobe as:

18/Oct/2024 13:53:51 [nprobe.c:12942] nProbe started successfully

Based on the first nprobe .cfg file I have in /etc/nprobe/nprobe.conf, nprobe sees the flows: 21M of packets, collected 1833 UDP stats, but nothing got exported. |
Based on the sFlow data (which seems correct -> sflow-udp-in.pcap.zip), I think nprobe cannot create a flow from the data it has -> e.g. because it's just a UDP fragment, only src IP and dst IP are known... so no ports, etc. are known. Presumably nprobe should somehow push the data to ntopng as unknown / unknown-fragments type or something, so users can see the data and filter them.

This is nprobe in debug:

startSample ----------------------

But closing the nprobe with ^C:

@lucaderi can you please check if my understanding is correct? |
Hello dear community,
Based on the latest DDoS attack that we have encountered, we found out that around 20Gbit of traffic was not visible in ntopng.
It seems that nProbe / ntopng ignores UDP fragments. We think nProbe or ntopng checks for valid flows. Because a DDoS does not need to use valid flow packets -> e.g. the flow does not have a start packet and it's just random data in UDP fragments -> they are invisible using nProbe+ntopng.
Could someone check if my assumption is OK?
Environment:
How did you reproduce it?
UDP packets, random length, random data inside packets, sent out over a router that has sFlow -> nProbe -> ntopng; look in flows to find nothing.
Thank you community!
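The issue description above and the comment about fragments carrying only src/dst IP both hinge on the same IPv4 detail: only the fragment at offset 0 contains the UDP header, so every later fragment gives a flow exporter no ports to key a 5-tuple on. The following Python script is an added example, not nProbe or ntopng code and not from anyone in this thread: it parses raw IPv4 packets of the kind carried in sFlow samples, reports whether each one has a readable transport header, and aggregates per source/destination pair how many packets could be keyed into a UDP flow versus how many were port-less fragments, scaled by the sFlow sampling rate. All packets, addresses and ports are constructed inline for the demonstration.

```python
"""Classify raw IPv4 packets by what a flow exporter can key on.

Added example, not nProbe/ntopng code. Sample packets, addresses and ports
below are constructed for the demonstration.
"""
import struct
from collections import defaultdict

MF_FLAG = 0x2000      # "more fragments" bit in the IPv4 flags/offset field
OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units
IPPROTO_UDP = 17


def build_ipv4(src, dst, proto, ident, offset8, more_frags, payload):
    """Build a minimal IPv4 header (20 bytes, checksum left zero) + payload."""
    flags_frag = (MF_FLAG if more_frags else 0) | (offset8 & OFFSET_MASK)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def udp_header(sport, dport, datagram_payload_len):
    """UDP header; the length field covers the whole (unfragmented) datagram."""
    return struct.pack("!HHHH", sport, dport, 8 + datagram_payload_len, 0)


def classify(raw):
    """Return the fields a flow exporter can read from one IPv4 packet, or
    None if the bytes are not a parseable IPv4 header."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    (_, _, _, ident, flags_frag, _, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    offset = (flags_frag & OFFSET_MASK) * 8
    more_frags = bool(flags_frag & MF_FLAG)
    info = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
        "ip_id": ident,
        "offset": offset,
        "more_frags": more_frags,
        "is_fragment": more_frags or offset > 0,
        "sport": None,
        "dport": None,
    }
    # Only the fragment at offset 0 carries the UDP header. Every later
    # fragment is bare payload, so the exporter knows src/dst IP only.
    if offset == 0 and proto == IPPROTO_UDP and len(raw) >= ihl + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    return info


def summarize(packets, sampling_rate=1):
    """Per (src, dst): packets with a usable 5-tuple vs. port-less fragments.
    Counts are multiplied by the sFlow sampling rate to estimate wire volume."""
    stats = defaultdict(lambda: {"keyable": 0, "portless_fragments": 0})
    for raw in packets:
        info = classify(raw)
        if info is None:
            continue
        bucket = "portless_fragments" if info["sport"] is None else "keyable"
        stats[(info["src"], info["dst"])][bucket] += sampling_rate
    return dict(stats)


def sample_packets():
    """Constructed samples: one plain UDP packet, a fragmented datagram whose
    first fragment was sampled, and a lone non-first fragment whose first
    fragment was never seen (the situation described in this issue)."""
    victim = "198.51.100.5"
    return [
        build_ipv4("192.0.2.10", victim, IPPROTO_UDP, 1, 0, False,
                   udp_header(40000, 53, 4) + b"abcd"),
        build_ipv4("203.0.113.7", victim, IPPROTO_UDP, 2, 0, True,
                   udp_header(5000, 80, 2000) + b"A" * 16),
        build_ipv4("203.0.113.7", victim, IPPROTO_UDP, 2, 185, False,
                   b"B" * 16),
        build_ipv4("203.0.113.7", victim, IPPROTO_UDP, 3, 100, True,
                   b"C" * 16),
    ]


if __name__ == "__main__":
    for key, counts in summarize(sample_packets(), sampling_rate=1024).items():
        print(key, counts)
```

The `portless_fragments` bucket is the traffic this issue is about: with sampling 1024 even a handful of sampled non-first fragments stands for thousands of wire packets toward one destination, which is the aggregate a collector would need to surface (for example as an address-pair counter without ports) for it to be visible in a flow view.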