DHCP DOS Mitigation HLD in SONiC
This Design Provides DHCP DOS Attack Mitigation Support in HLD
| Repo | PR title | State |
|---|---|---|
| sonic-swss | SwSS Changes for DHCP DoS Mitigation Feature | ![GitHub issue/pull request detail](https://img.shields.io/github/pulls/detail/state/Azure/sonic-swss/3130) |
| sonic-buildimage | YANG Support for DHCP DoS Mitigation | ![GitHub issue/pull request detail](https://img.shields.io/github/pulls/detail/state/Azure/sonic-buildimage/18873) |
| sonic-utilities | Utilities Changes for DHCP DoS Mitigation Feature | ![GitHub issue/pull request detail](https://img.shields.io/github/pulls/detail/state/Azure/sonic-utilities/3301) |
| sonic-buildimage | DHCP DoS Logger for DHCP DoS Mitigation Feature | ![GitHub issue/pull request detail](https://img.shields.io/github/pulls/detail/state/Azure/sonic-buildimage/18947) |
| sonic-mgmt | Test Plan and Test Case for DHCP DOS Mitigation Feature | ![GitHub issue/pull request detail](https://img.shields.io/github/pulls/detail/state/Azure/sonic-mgmt/12869) |
Community review recording https://zoom.us/rec/share/kZGlzxdhqBbPVIIwEDk_XJZ7mQMW9zj0V3ivIhvYV9GRizRwsKtiNL_wt11NisOe.Cbuvg7vUT2a9mKOu
@dgsudharsan @prsunny @venkatmahalingam @lguohan We have explored rate limiting via ACL. Currently ACL doesn't have the capability of rate limiting. COPP doesn't rate-limit at the interface level. Can you please provide your suggestions regarding implementation of rate limiting at the interface level for the ASIC?
A large number of DHCPv6 messages may also consume the resources of the DHCP server. Should supporting a rate limit for DHCPv6 messages be considered?
Hi @dgsudharsan @prsunny @venkatmahalingam @lguohan We have modified the design. We are proposing a change in behavior to work with this design by removing the DHCP rate limit of 300 packets per second implemented through CoPP and replacing it with port-level rate limits implemented in the kernel via Linux Traffic Control. Please review and suggest whether we should bring it to Community review again. We are open to design modifications/suggestions.
@zhangyanzhao Hi Yanzhao, can you assign a reviewer for this design? We have updated the HLD as per the comments/suggestions during the HLD Community review.
> A large number of DHCPv6 messages may also consume the resources of the DHCP server. Should supporting a rate limit for DHCPv6 messages be considered?

Hi @philo-micas, currently our design supports DHCPv4 only. In the future, we plan on adding support for DHCPv6 rate-limiting.
Hi @yaqiangz @Yarden-Z, We have updated the HLD according to the suggestions. Kindly help review it.
@Yarden-Z Hi Yarden, We have updated the HLD PR. Can you please help review the updated HLD and linked code PRs? Thanks in advance.
@yaqiangz Hi Yaqiang, We have updated the HLD PR. Can you please help review the updated HLD and linked code PRs? Thanks in advance.
Late-coming feature with multiple code PRs; defer to next release per release triage.
Hi @Yarden-Z @yaqiangz, kindly help review this HLD. Thanks in advance!
Hi @asraza07, I want to confirm that with COPP existing, this proposal would only take effect in the scenario [tc rate limit < actual packet rate < COPP rate limit]. And in my understanding, the current proposal cannot mitigate a DDoS attack where [actual packet rate > COPP rate limit], correct? I wonder whether you have a plan or insights for this scenario?
> Hi @asraza07, I want to confirm that with COPP existing, this proposal would only take effect in the scenario [tc rate limit < actual packet rate < COPP rate limit]. And in my understanding, the current proposal cannot mitigate a DDoS attack where [actual packet rate > COPP rate limit], correct? I wonder whether you have a plan or insights for this scenario?

Hi @yaqiangz, you are correct, DHCP DoS mitigation is only possible in the scenario where the actual packet rate is less than the COPP rate limit. We have designed this feature on the premise that COPP is not intended to mitigate DHCP DoS attacks; it is there to regulate the flow of control-plane traffic and ensure the control plane stays intact. Our feature is there to mitigate DHCP DoS attacks (only possible via the kernel). Without removing COPP, we can say that DHCP DoS mitigation is only possible when the packet rate does not exceed the COPP limit, because otherwise COPP starts dropping DHCP packets, including those of legitimate clients.
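The interplay the last two comments describe (a per-port kernel policer only protects legitimate clients while the aggregate DHCP rate stays under the CoPP limit, because CoPP acts first in the ASIC and is not port-aware) can be made concrete with a small fluid model. The Python below is an added example and is not code from the HLD or any of the linked PRs. The 300 pps CoPP figure is the one quoted earlier in this thread; the 50 pps per-port cap, the four-plus-one port layout, and the assumption that an over-limit CoPP policer drops proportionally from every port are modelling assumptions, not behaviour the page states.

```python
"""Fluid-model simulation of the two DHCP rate-limiting stages discussed in
this thread: an aggregate CoPP policer in the ASIC, which is not port-aware,
followed by a per-port policer in the kernel (the tc-based limit the HLD
proposes).  Constructed example; limits and port names are assumptions."""

from dataclasses import dataclass


@dataclass
class Result:
    after_copp: dict  # pps per port surviving the CoPP stage
    delivered: dict   # pps per port surviving the per-port tc stage


def apply_copp(offered: dict, copp_limit_pps: float) -> dict:
    """CoPP sees DHCP as one aggregate stream.  Once the aggregate exceeds the
    limit, drops are modelled as proportional across every port, so legitimate
    clients lose the same fraction as the flooding port (assumption)."""
    total = sum(offered.values())
    if total <= copp_limit_pps:
        return dict(offered)
    keep = copp_limit_pps / total
    return {port: rate * keep for port, rate in offered.items()}


def apply_port_limit(after_copp: dict, tc_limit_pps: float) -> dict:
    """Per-port kernel policer: each port is capped independently, so a
    flooding port cannot consume another port's share of the DHCP service."""
    return {port: min(rate, tc_limit_pps) for port, rate in after_copp.items()}


def simulate(offered: dict, copp_limit_pps: float, tc_limit_pps: float) -> Result:
    """Run both stages in the order traffic actually meets them: ASIC CoPP
    first, then the kernel's per-port limit."""
    after_copp = apply_copp(offered, copp_limit_pps)
    return Result(after_copp, apply_port_limit(after_copp, tc_limit_pps))


def legit_loss_fraction(offered: dict, delivered: dict, attacker: str) -> float:
    """Fraction of legitimate (non-attacker) DHCP pps lost end to end."""
    legit_in = sum(r for p, r in offered.items() if p != attacker)
    legit_out = sum(r for p, r in delivered.items() if p != attacker)
    return 1.0 - legit_out / legit_in


def scenario(attacker_pps: float, copp_limit_pps: float = 300.0,
             tc_limit_pps: float = 50.0) -> tuple:
    """Assumed topology: four well-behaved ports at 5 pps each plus one
    flooding port.  Returns (attacker pps delivered, legitimate loss fraction)."""
    offered = {f"Ethernet{i}": 5.0 for i in range(4)}
    offered["Ethernet4"] = attacker_pps
    res = simulate(offered, copp_limit_pps, tc_limit_pps)
    return (res.delivered["Ethernet4"],
            legit_loss_fraction(offered, res.delivered, "Ethernet4"))


if __name__ == "__main__":
    for pps in (200.0, 1000.0):
        att, loss = scenario(pps)
        print(f"attacker {pps:6.0f} pps -> delivered {att:5.1f} pps, "
              f"legitimate loss {loss:.1%}")
```

Running it shows a 200 pps flood clipped to the per-port cap with no legitimate loss, which is the [tc limit < actual rate < CoPP limit] case, while a 1000 pps flood pushes the aggregate past CoPP so that every port loses about 70% of its DHCP traffic before the kernel policer ever sees a packet; that is precisely the gap the reply above acknowledges. In a real deployment the per-port stage corresponds to an ingress police filter attached with tc on the port's netdev (an assumption here, since the thread names Linux Traffic Control but not the exact qdisc or filter), and a useful operational check is to compare per-port tc drop counters against the CoPP counters: drops appearing at CoPP rather than at tc are the signal that the attack has exceeded what this feature can isolate.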