Arista Traffic Shunting

Hello everyone,

We have a bro cluster set up and running but we are getting a lot of packet loss from elephant flows. We've seen that a lot of people use an Arista switch to block these flows but we haven't seen how to interface with Arista from bro. How do people do traffic shunting using Arista?

These are the sources where we’ve seen people shunting traffic with Arista:

http://www.cspi.com/wp-content/uploads/2016/09/Berkeley-100GIntrusionDetection.pdf

http://mailman.icsi.berkeley.edu/pipermail/bro/2015-January/008038.html

http://www.ucop.edu/information-technology-services/initiatives/sautter-award-program/sautter-2015/berkeley_lab-sautterawardnomination2015.pdf

Thanks,

Logan Miller

Network Security Engineer

Brigham Young University

Office of IT

I would also be interested to see what an implementation of this looks
like. From my very, very limited understanding, they are using the
Arista's RESTful API. In the Berkeley document they have the Arista
switch configs and it includes 'management api http-commands'. Unsure how on the bro end they are
determining which flows to terminate and what logic controls that.

https://eos.arista.com/arista-eapi-101/

-James

(While Justin and others chime in)

We are relying on:

https://github.com/esnet/dumbno (this one has IPv6 support). Originally
we started with Justin's branch here: https://github.com/ncsa/dumbno

On the bro side there is a conn-bulk.bro and a react framework.

Here: https://github.com/JustinAzoff/bro-react

This ties bro with dumbno.py, which talks with the Arista to apply and remove
ACLs.

If you need specific arista configurations, I can send you our arista configs
too.

Aashish

https://github.com/ncsa/dumbno

Oh, I merged in the ipv6 support over a year ago, so you should probably be running the upstream version.

Aashish,

I saw those github scripts and I wasn't sure where to put them in the bro directory and what bro configs had to be changed to make them work. Where did you put the scripts? Also, as long as API management is enabled on the Arista switch, is there anything else on the switch that needs to be configured?

- Logan Miller

Here is how I have stuff setup:

1) in your site.bro:

@load conn-bulk.bro
@load react

redef GridFTP::size_threshold = 1048576;   # 1 MB (1048576 bytes)
redef Bulk::size_threshold = 134217728;    # 128 MB

2) make sure react/dumbno.cfg has right values

3) then:

  a) ./dumbno.py dumbno.cfg setup

  b) ./dumbno.py dumbno.cfg >& /var/log/dumbno.log &
  
  c) ./dumbno.py dumbno.cfg stats >& /var/log/dumbno.stats &

4) @load conn-bulk.bro and "@load react" should get bro to start
flagging and acting on fat flows.

A tail on /var/log/dumbno.log should give you reasonable visibility into
ongoing operations.

Hope this helps,
Aashish
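For readers who want to see what the dumbno.py-to-Arista step in Aashish's setup looks like on the wire, here is an added example (not dumbno's or bro-react's own code) that builds the eAPI JSON-RPC request which adds or removes a per-flow ACL entry. The ACL name "bulk", the deny-then-permit-any ACL layout, the flow values and the sequence numbering are all assumptions made for illustration; only the `runCmds` JSON-RPC shape and the EOS ACL command syntax are real.

```python
import ipaddress
import json
import urllib.request
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def acl_family(flow: Flow) -> str:
    """Pick the ACL type from the address family (the IPv6 case the thread mentions)."""
    v = ipaddress.ip_address(flow.src).version
    if v != ipaddress.ip_address(flow.dst).version:
        raise ValueError("mixed address families in one flow")
    return "ip access-list" if v == 4 else "ipv6 access-list"

def shunt_cmds(acl: str, seq: int, flow: Flow) -> list:
    """Config commands that drop one elephant flow before it reaches the sensors.
    Assumption: the ACL ends in 'permit ip any any', so everything else still flows."""
    rule = (f"{seq} deny {flow.proto} host {flow.src} eq {flow.sport} "
            f"host {flow.dst} eq {flow.dport}")
    return ["enable", "configure", f"{acl_family(flow)} {acl}", rule]

def unshunt_cmds(acl: str, seq: int, flow: Flow) -> list:
    """Remove the entry once the flow has ended so the sequence number can be reused."""
    return ["enable", "configure", f"{acl_family(flow)} {acl}", f"no {seq}"]

def eapi_request(cmds: list, req_id: str = "1") -> dict:
    """JSON-RPC body accepted by EOS when 'management api http-commands' is enabled."""
    return {"jsonrpc": "2.0", "method": "runCmds", "id": req_id,
            "params": {"version": 1, "cmds": cmds, "format": "json"}}

def send(url: str, user: str, password: str, cmds: list) -> dict:
    """POST to https://<switch>/command-api with HTTP basic auth (not run offline)."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
    req = urllib.request.Request(url, data=json.dumps(eapi_request(cmds)).encode(),
                                 headers={"Content-Type": "application/json"})
    with opener.open(req, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed flow, as Bulk/GridFTP detection in bro-react might report it.
    f = Flow("tcp", "192.0.2.10", 50321, "198.51.100.7", 2811)
    print(json.dumps(eapi_request(shunt_cmds("bulk", 10, f)), indent=1))
```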