Mailing List Archive: NTop: Misc

PF_RING clustering vs ip fragmentation



40312 at studenti

Mar 15, 2012, 11:12 AM

Post #1 of 9 (923 views)
PF_RING clustering vs ip fragmentation

If I understand correctly, PF_RING calculates a hash (which is the same in
both directions of the flow) using packet header information to distribute
software among subscribers in a pfring cluster if "cluster_per_flow" mode
is selected, like the pfring snort DAQ does. However, in case of fragmented
traffic, some fields like source & destination ports are present only in
the packet that contains the lvl4 header.

So, is enable_ip_defrag=1 needed to correctly distribute flows among
cluster instances in the case of fragmented traffic?

Thanks,
Alessandro.


cardigliano at ntop

Mar 15, 2012, 11:50 AM

Post #2 of 9 (891 views)
Re: PF_RING clustering vs ip fragmentation [In reply to]

Alessandro,
actually, in order to correctly distribute fragmented traffic among cluster instances you need to set enable_ip_defrag=1 or to use cluster_per_flow_2_tuple; probably we will change the default cluster type to the latter.

Regards
Alfredo

On Mar 15, 2012, at 7:12 PM, Alessandro Guido wrote:

> If I understand correctly, PF_RING calculates a hash (which is the same in both directions of the flow) using packet header information to distribute software among subscribers in a pfring cluster if "cluster_per_flow" mode is selected, like the pfring snort DAQ does. However, in case of fragmented traffic, some fields like source & destination ports are present only in the packet that contains the lvl4 header.
>
> So, is enable_ip_defrag=1 needed to correctly distribute flows among cluster instances in the case of fragmented traffic?
>
> Thanks,
> Alessandro.

_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


40312 at studenti

Mar 15, 2012, 12:15 PM

Post #3 of 9 (889 views)
Re: PF_RING clustering vs ip fragmentation [In reply to]

On Thu, Mar 15, 2012 at 7:50 PM, Alfredo Cardigliano
<cardigliano [at] ntop> wrote:

> Alessandro,
> actually, in order to correctly distribute fragmented traffic among cluster
> instances you need to set enable_ip_defrag=1 or to use
> cluster_per_flow_2_tuple; probably we will change the default cluster type
> to the latter.
>
> Regards
> Alfredo
>

Wouldn't setting cluster_mod to cluster_per_flow_2_tuple cause overload in
a cluster member in the presence of a NAT'd portion of the net?


cardigliano at ntop

Mar 15, 2012, 12:24 PM

Post #4 of 9 (885 views)
Re: PF_RING clustering vs ip fragmentation [In reply to]

On Mar 15, 2012, at 8:15 PM, Alessandro Guido wrote:

> On Thu, Mar 15, 2012 at 7:50 PM, Alfredo Cardigliano <cardigliano [at] ntop> wrote:
> Alessandro,
> actually, in order to correctly distribute fragmented traffic among cluster instances you need to set enable_ip_defrag=1 or to use cluster_per_flow_2_tuple; probably we will change the default cluster type to the latter.
>
> Regards
> Alfredo
>
> Wouldn't setting cluster_mod to cluster_per_flow_2_tuple cause overload in a cluster member in the presence of a NAT'd portion of the net?

It could.

Alfredo



deri at ntop

Mar 15, 2012, 1:00 PM

Post #5 of 9 (884 views)
Re: PF_RING clustering vs ip fragmentation [In reply to]

Hi all,
my personal opinion is that for clusters (and only for clusters I think, at least for the time being) we need to balance on IPs only and forget anything above IP, including all the issues about fragmented packets as they are related to L4 and above.

What do you think?

Cheers Luca

On Mar 15, 2012, at 8:15 PM, Alessandro Guido wrote:

> On Thu, Mar 15, 2012 at 7:50 PM, Alfredo Cardigliano <cardigliano [at] ntop> wrote:
> Alessandro,
> actually, in order to correctly distribute fragmented traffic among cluster instances you need to set enable_ip_defrag=1 or to use cluster_per_flow_2_tuple; probably we will change the default cluster type to the latter.
>
> Regards
> Alfredo
>
> Wouldn't setting cluster_mod to cluster_per_flow_2_tuple cause overload in a cluster member in the presence of a NAT'd portion of the net?
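The trade-off discussed in the replies above (fragments hashing apart under cluster_per_flow unless enable_ip_defrag=1 is set, cluster_per_flow_2_tuple keeping them together, and the NAT'd-network overload that Alessandro raised for the 2-tuple mode), as an added Python model that is not code from this thread or from PF_RING itself. The hash functions are hypothetical stand-ins with the one property that matters here (same value in both directions of a flow), and the packet dictionaries are constructed samples.

```python
import zlib
from collections import Counter

def _h(*fields):
    """Deterministic stand-in for PF_RING's cluster hash (hypothetical)."""
    return zlib.crc32(repr(fields).encode())

def hash_5tuple(p):
    """cluster_per_flow: symmetric over IP pair, port pair and protocol.
    A non-first fragment carries no L4 header, so its ports read as 0."""
    ends = sorted([(p["src"], p.get("sport", 0)), (p["dst"], p.get("dport", 0))])
    return _h(ends[0], ends[1], p["proto"])

def hash_2tuple(p):
    """cluster_per_flow_2_tuple: symmetric over the IP pair only."""
    return _h(*sorted([p["src"], p["dst"]]))

def defrag(frags):
    """Model of enable_ip_defrag=1: the ports come from the offset-0
    fragment and the reassembled datagram is hashed as one packet."""
    return dict(next(f for f in frags if f["offset"] == 0))

def slot(p, members, mode):
    """Cluster member (0..members-1) that receives packet p."""
    fn = hash_5tuple if mode == "cluster_per_flow" else hash_2tuple
    return fn(p) % members

def slots_hit(frags, members, mode, ip_defrag=False):
    """Set of members that see the fragments of one datagram."""
    pkts = [defrag(frags)] if ip_defrag else frags
    return {slot(p, members, mode) for p in pkts}

def load_per_member(pkts, members, mode):
    """Packets per member: shows NAT'd clients piling onto one slot."""
    return Counter(slot(p, members, mode) for p in pkts)

# Constructed sample: one TCP datagram in two fragments (ports only in #0)
FRAGS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": 6,
     "sport": 40000, "dport": 80, "offset": 0},
    {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": 6, "offset": 1480},
]
# Constructed sample: 200 flows from one NAT address to one web server
NAT_FLOWS = [{"src": "10.0.0.1", "dst": "198.51.100.5", "proto": 6,
              "sport": 1024 + i, "dport": 80, "offset": 0} for i in range(200)]
```

With 16 members, load_per_member(NAT_FLOWS, 16, "cluster_per_flow_2_tuple") puts all 200 flows on one member, while the 5-tuple mode spreads them but splits the two fragments unless ip_defrag=True.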


40312 at studenti

Mar 15, 2012, 1:26 PM

Post #6 of 9 (891 views)
Re: PF_RING clustering vs ip fragmentation [In reply to]

I think that's reasonable and that PF_RING's User's Guide needs better
documentation for pfring_set_cluster :)


deri at ntop

Mar 16, 2012, 2:22 AM

Post #7 of 9 (889 views)
Re: PF_RING clustering vs ip fragmentation [In reply to]

On 03/15/2012 09:26 PM, Alessandro Guido wrote:
> I think that's reasonable and that PF_RING's User's Guide needs better
> documentation for pfring_set_cluster :)
>
>
Would you be so kind as to edit the guide and send us the text so we can
commit it?

thanks Luca



40312 at studenti

Mar 17, 2012, 3:52 PM

Post #8 of 9 (882 views)
Re: PF_RING clustering vs ip fragmentation [In reply to]

If someone doesn't beat me to it, I'll do it in a few weeks.


jovimon at gmail

Mar 30, 2012, 1:29 AM

Post #9 of 9 (846 views)
Re: PF_RING clustering vs ip fragmentation [In reply to]

Following your advice, I tried to change the cluster mode on the pfring
snort daq, but didn't get it to work as expected.

Firstly, I tried to use it by setting a parameter, like in suricata
(--pfring-cluster-type=cluster_flow_2_tuple), without success.

Then, I changed this line in daq_pfring.c (line 110 in current SVN version):

    pfring_rc = pfring_set_cluster(ring_handle, context->clusterid,
                                   cluster_per_flow);

to this one:

    pfring_rc = pfring_set_cluster(ring_handle, context->clusterid,
                                   cluster_per_flow_2_tuple);

Is this modification correct or do I have to change something else?

I'm testing it with a custom rule we have in Snort that alerts us of
LOIC-like requests, alerting if a single user makes >350 HTTP GET requests
in <10 seconds. In my old Snort instance (2.8.6.1 and BPF filters to split
traffic) it fires, but in the new Snort (16 instances balanced with
pf_ring) I cannot get it to fire under the same exact conditions.

Thank you very much,
Jose Vila.
CSIRT-cv.
