Hello community , I will ask you a newbie question about Bro and PF_RING
I am working in Bro Cluster topology, as it can be seen in the figure attached or in http://www.freeimagehosting.net/newuploads/oevq9.png, all are XEN virtual machines working with the PF_Ring.
My intention is to make a load balancing. I am doing a UDP Flood attack from several machines in the 123.123.X.X network to one victim in the 192.168.1.X network. As you can imagine, I need to deviate the traffic to a Bro cluster to analyze it.
As it can be seen in the figure, I put a worker sniffing the eth4 interface from the TAP (worker-5 is in the TAP VM). So here is my doubt. Should Bro, through the PF_RING lib, automatically load balancing the traffic to all workers? or there is a mistake in my topology? As it is working now, I am just receiving all flow in the worker-5 and there is no balancing.
Thanks for your help.
Below are the commands showing that Bro+PF_ring are working:
This is definitely not right. You aren't defining how many processes you want to spread the traffic across (with lb_procs) and you have your other workers sniffing eth2 on their respective installations. PF_Ring spreads the traffic on a single host, but you're running 4 separate hosts (ignoring the fact that they're VMs. Couple of questions…
- Why VMs?
- Why aren't you just allocating more CPU cores to worker-5 and using pf_ring to balance the traffic across those cores?
If you allocated more CPU cores to worker-5, your config would look like this…
[worker-5]
type=worker
host=192.168.0.100
interface=eth4
lb_method=pf_ring
lb_procs=4
.Seth
Hi Seth, thanks for your answer,
- Why VMs?
We are using VM, because we are working in the Application layer of the cloud, we allocate VM dynamically. The Idea was to allocate VMs (Host) on the fly, doing load balancing between these hosts.
PF_Ring spreads the traffic on a single host.
According to you, PF_RING only spread network traffic inside the host between the CPU cores. Is it right this phrase? The cluster made by Bro should be just Inside a host?
To make the load balancing between several hosts, like I am trying to do, I should use OpenFlow or another solution? Any suggestions?
Thank you.
You have to figure something out. Unfortunately I have no suggestions.
.Seth
