ThorFI: A Novel Approach for Network Fault Injection as a Service

Related tags

Networking thorfi
Overview

MarineGEO circle logo

ThorFI: a Novel Approach for Network Fault Injection as a Service

This repo includes ThorFI, a novel fault injection solution for virtual networks in cloud computing infrastructures. ThorFI is designed to provide non-intrusive fault injection capabilities for a cloud tenant, and to isolate injections from interfering with other tenants on the infrastructure. Currently, ThorFI supports OpenStack cloud management platform. ThorFI details are reported into the paper "ThorFI: a Novel Approach for Network Fault Injection as a Service" accepted for publication in Elsevier Journal of Network and Computer Applications (JNCA).

Please, cite the following paper if you use the tools for your research:

@article{cotroneo2022thorfi,
  title={ThorFI: a Novel Approach for Network Fault Injection as a Service},
  author={Cotroneo, Domenico and De Simone, Luigi and Natella, Roberto},
  journal={arXiv preprint arXiv:TBD},
  year={2022}
}

Installing ThorFI

To run ThorFI, you need a working OpenStack deployment. To try the tool, we suggest installing OpenStack on a virtual machine, by adopting an all-in-one deployment (all OpenStack services are deployed within the same VM). You can refer to the following tutorial about installing an OpenStack all-in-one deployment on CentOS: https://github.com/dessertlab/OpenStack-Fault-Injection-Environment/blob/7b1dea8afb342d2087cd3e1da555ef0e66b94258/INSTALL.md. On Ubuntu, you can use DevStack (https://docs.openstack.org/devstack/latest/).

Depending on your OpenStack deployment, you need to install the following pre-requisites on the Controller, Compute, and Network nodes (see also https://docs.openstack.org/neutron/latest/admin/deploy.html).

  • On Ubuntu 18.04:
# apt-get install python-pip
# pip2 install -r /path/to/ThorFI/requirements.txt
# pip2 install decorator==4.4.1 pyrsistent==0.14.0 python-keystoneclient python-novaclient python-neutronclient python-glanceclient python-heatclient
  • On CentOS 7:
# yum -y install epel-release
# yum -y install python-pip
# pip2 install -r /path/to/ThorFI/requirements.txt
# pip2 install decorator==4.4.1 pyrsistent==0.14.0 python-keystoneclient python-novaclient python-neutronclient python-glanceclient python-heatclient

ThorFI can be installed by copying the folder on the nodes and executed as Python scripts. It can also be installed as bundled Python package. We provide a Makefile to generate executables for the ThorFI front-end and the ThorFI injector (thorfi_agent_app and injector_agent).

# pip2 install pyinstaller==3.4
# cd ~/path/to/ThorFI
# make 

Running ThorFI

In order to perform network fault injections, launch ThorFI front-end agent on the Controller node, and ThorFI injection agents on all Compute and Network nodes, following your OpenStack deployment.

In the following, we assume that the Controller node is named controller.example, with the OpenStack authentication service running at http://controller.example/identity/v3 . In order to run the ThorFI front-end agent, and to make it listen on a specifc port (e.g., 7777), use the following commands:

//On the Controller node

# iptables -I INPUT -p tcp --dport 7777 -j ACCEPT
# python thorfi_frontend_agent.py -i controller.example -p 7777 -a http://controller.example/identity/v3

On all target Compute and Network nodes, launch the ThorFI injection agents (default port is 11223):

//On the Compute and Network nodes

# iptables -I INPUT -p tcp --dport 11223 -j ACCEPT
# cd /path/to/ThorFI/
# python injector_agent_app/injector_agent.py -i node_ip

Please note that node_ip is the IP address of the Compute or Network host. If you run an all-in-one OpenStack deployment, the node_ip value must be set to 0.0.0.0.

The last (optional) step is to create the ThorFI OpenStack image (you need administrator permissions) in order to run the IPerf or JMeter workload generators. You can skip this step if you don't use the workload generators provided with ThorFI.

# cd /path/to/ThorFI
# openstack image create --disk-format qcow2 --container-format bare --public --file thorfi_image.qcow2 thorfi_image

Injection agents

The ThorFI injection agents need to be run into every Compute and Network node, according to the needs of cloud testers. These agents are REST-based applications that wait for injection requests from the ThorFI front-end agent. The ThorFI front-end agent generates a fault configuration to be sent to injection agents. In particular, the fault configuration includes all the thofi_items and it is built upon the target virtual resource identified by the cloud tester through the get_network_topology REST API invoked by using the ThorFI dashboard or by ThorFI client.

Each thofi_item describes a network interface, and it is characterized by an ID (in OpenStack the port ID), a location (i.e., the physical machine (Compute or Network node) that hosts the OpenStack network port), and a type (e.g., tap devices, veth pairs, Linux bridges, Open vSwitch bridges, and so on). The list of all the thorfi_items constitutes the thorfi_item_map returned from the internal method get_thorfi_item_list_by_id_type() called by the REST API inject_RESOURCE. After that, the REST API inject_RESOURCE invokes the do_injection_thorfi_item method that creates a mapping between the Network/Compute node IP (e.g., this info in the OpenStack implementation is kept into thorfi_item['binding:host_id']) and each target network device described by the thorfi_item, by also adding the information of the network namespace ID (if exists) to which the target network device belong. The structure will look like as in the following:

[
    Network NODE1 IP: {
                [
                    netns_ID1: NIC_ID1,
                    netns_ID2: NIC_ID2
                ]
    }
    Network NODE2 IP: {
                [
                    netns_ID3: NIC_ID4,
                    netns_ID4: NIC_ID5
                ]
    }
    Compute NODE1 IP: {
                [ netns_ID6: NIC_ID ]
    }
]

After that, the do_injection_thorfi_item method iterates over each node IP, to pass the list of target network devices to the proper injection agents listening for injection requests on that IP and a specific TCP port (by default 1234). Inside injection agents, the method inject_nics() is responsible for actually injecting the configured fault on the target NICs. This method uses the ip Linux tool to access (if needed) the proper network namespace linked with the target physical NIC. For example, assuming that the user selected a virtual router as the target for injecting a fault consisting of 100ms of delay. In the OpenStack implementation, a virtual router consists of at least two network interfaces; thus, the do_injection_thorfi_item will send two different requests to injection agents (likely targeting the same hosting Network node) with fault configuration. Besides the fault type, intensity, pattern, and injection timing, the fault target will contain two different NICs within the same network namespace ID. The inject_nics() will run two different injection commands by using both ip and tc user-space tool, as in the following:

ip netns exec qrouter-XXX tc qdisc add dev qg-XXX root netem delay 100ms
ip netns exec qrouter-XXX tc qdisc add dev qr-YYY root netem delay 100ms

Performing fault injections

Assuming both ThorFI front-end and the ThorFI injection agents are running, you can use the ThorFI client (thorfi_client.py) to invoke the ThorFI REST APIs in order to perform fault injections. In the following, we describe all input parameters that can be used:

-i, --thorfi_agent_host

    ThorFI front-end agent host (Controller node) IP (required).

-p, --thorfi_agent_port

    ThorFI front-end agent host (Controller node) port (required).

-a, --auth_url

    This is the authentication URL used for OpenStack authentication. Default is http://localhost:5000/v3.

-pi, --project_id

    The OpenStack project id on which ThorFI front-end agent can retrieve the information about tenants.

-rt, --resource_type

    The target network resource type. In the OpenStack implementation network, subnet, router, floatingip, and port are the supported resource types.

-ri, --resource_id

    The target network resource ID.

-f, --fault_type

    The fault type to be injected. In the current implementation, ThorFI supports delay, loss, corrupt, duplicate, bottleneck fault types.

-fa, --fault_args

    The fault arguments to be specified according to the fault type. 
        - delay: the amount of delay in ms
        - loss: percentage of packet drop;
        - corrupt: the percentage of packet subject to random noise;
        - duplicate: the percentage of packets duplicated before queuing them.
        - bottleneck: the Token Bucket Filter (TBF) rate.

-prtime, --pre_injection_time

-itime, --injection_time

-pitime, --post_injection_time

    The pre-injection, injection, and post-injection time in seconds.

Injection of packet delays

In this example, we inject a delay of 1s on traffic on the network resource with ID 175aa2c7-0f5c-49f6-9c9e-4f4f9c2f589a. We set the duration of the pre-injection, injection, and post-injection phases respectively to use 0s, 5s, and 0s (fault injection is triggered immediately, and lasts for 5 seconds).

# python thorfi_client.py -i controller.example -p 7777 -a http://controller.example/identity/v3 -pi admin -d tenant -rt network -ri 175aa2c7-0f5c-49f6-9c9e-4f4f9c2f589a -f delay -fa 1000ms -prtime 0 -itime 5 -pitime 0

Injection of packet losses

In this example, we inject packet losses on 75% of the traffic flowing through the router resource with ID be88692c-d532-4e49-92eb-a948064d0a23. We use the default configuration for the injection timing (0s, 20s, and 0s, respectively for pre-injection, injection, and post-injection phases).

# python thorfi_client.py -i controller.example -p 7777 -a http://controller.example/identity/v3 -pi admin -d tenant -rt router -ri be88692c-d532-4e49-92eb-a948064d0a23 -f loss -fa '75%'

Injection of packet corruptions

In this example, we inject packet corruptions on 50% of the traffic flowing through the router resource with ID be88692c-d532-4e49-92eb-a948064d0a23. The corruption is a single-bit error at a random offset in the packet. We use the default configuration for the injection timing.

# python thorfi_client.py -i controller.example -p 7777 -a http://controller.example/identity/v3 -pi admin -d tenant -rt router -ri be88692c-d532-4e49-92eb-a948064d0a23 -f corrupt -fa '50%'

ThorFI API documentation

In the following, is reported the documentation of the main ThorFI APIs.

/get_network_topology

Method: POST

Description: This API retrieves information about virtual network resources that are potential targets for injections, including their topology and IDs. The virtual resources will be posted to dashboard that renders the obtained topology.

Error response messagge: 403, 501

Raises: No exceptions.

/start_tests

Method: POST

Description: Reads from ThorFI database the list of tests to execute for the specific user and checks for each test if it is in a 'completed' state; if not it executes the test by calling 'inject_RESOURCE' function according to the fault configuration

POST parameters:

  • pre_injection_time
  • injection_time
  • post_injection_time

The pre-injection, injection, and post-injection time in seconds.

  • campaign_name: Name of fault injection campaign to start

/stop_tests

Method: POST

Description: Tries to stop the current fault injection campaign.

POST parameters:

  • campaign_name: Name of fault injection campaign to stop

Error response messagge: 404, 501

/status_tests

Method: POST

Description: Gets current status of running fault injection campaign.

POST parameters:

  • campaign_name: Name of fault injection campaign to start

Error response messagge: 404

/inject_RESOURCE API class

The inject_RESOURCE APIs are used to request injection actions towards injection agents. Each API in this class is a POST with the following parameters:

  • thorfi_item_id
  • fault_pattern
  • fault_pattern_args
  • fault_target_traffic
  • fault_target_protocol
  • fault_target_dst_ports
  • fault_target_src_ports
  • fault_type
  • fault_args
  • pre_injection_time
  • injection_time
  • post_injection_time

The details about each parameter is specified in the section "Performing fault injections. In the following, the details about the APIs in this class.

/inject_network

Method: POST

Description: API for injecting faults into resource 'network' of neutron We perform injection for each port linked to the given network name.

Error response messagge: ERROR

Raises: ThorFINetworkNotFoundException, if a network resource is not found.

/inject_floatingip

Method: POST

Description: API for injecting faults into resource 'floatingip' of neutron. ThorFI performs injection for each port linked to the given network name.

Error response messagge: ERROR

Raises: ThorFIFloatingIPException, if a floatingip resource is not found.

/inject_subnet

Method: POST

Description: API for injecting faults into resource 'subnet' of neutron. ThorFI performs injection for each port linked to the linked 'network' resource for the 'subnet' name.

Error response messagge: ERROR

Raises: ThorFISubnetNotFoundException, if a network resource is not found.

/inject_router

Method: POST

Description: REST API for injecting faults into resource 'router' of neutron. ThorFI perform injection for each port linked to the given router name.

Error response messagge: ERROR

Raises: ThorFIRouterNotFoundException, if a router resource is not found.

/inject_port

Method: POST

Description: REST API for injecting faults into resource 'port' of neutron. ThorFI perform injection for the port specified in 'thorfi_item_id'.

Error response messagge: ERROR

Raises: ThorFIPortNotFoundException, if a port resource is not found.

You might also like...
Nautobot is a Network Source of Truth and Network Automation Platform.
Nautobot is a Network Source of Truth and Network Automation Platform.

Nautobot is a Network Source of Truth and Network Automation Platform. Nautobot was initially developed as a fork of NetBox (v2.10.4). Nautobot runs as a web application atop the Django Python framework with a PostgreSQL database.

This Tool can help enginners and biggener in network, the tool help you to find of any ip with subnet mask that can calucate them and show you ( Availble IP's , Subnet Mask, Network-ID, Broadcast-ID )
This Tool can help enginners and biggener in network, the tool help you to find of any ip with subnet mask that can calucate them and show you ( Availble IP's , Subnet Mask, Network-ID, Broadcast-ID )

This Tool can help enginners and biggener in network, the tool help you to find of any ip with subnet mask that can calucate them and show you ( Availble IP's , Subnet Mask, Network-ID, Broadcast-ID )

nettrace is a powerful tool to trace network packet and diagnose network problem inside kernel.

nettrace nettrace is is a powerful tool to trace network packet and diagnose network problem inside kernel on TencentOS. It make use of eBPF and BCC.

PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram
PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram

PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction

ANalyse is a vehicle network analysis and attack tool.
ANalyse is a vehicle network analysis and attack tool.

CANalyse is a tool built to analyze the log files to find out unique datasets automatically and able to connect to simple user interfaces suc

Flashes keyboard leds on incoming/outgoing network packets
Flashes keyboard leds on incoming/outgoing network packets

LED Net Capture Flashes keyboard leds on incoming/outgoing network packets Usage Requires root priviledges to run usage: ledcapture.py [-h] --keyboard

GNS3 Graphical Network Simulator

GNS3-gui GNS3 GUI repository.

Share clipboards between two devices in a network

Shared Clipboard I felt the need for sharing clipboard texts between virtual machines but I didn't find any reliable solutions for this (I use HyperV)

A Network tool kit for scanning active IP addresses and open ports
A Network tool kit for scanning active IP addresses and open ports

Network scanner A small project that I wrote on the fly for (IT351) Computer Networks University Course to identify and label the devices in my networ

Comments
  • Which version of Neutron can be injected and how to install it?

    Which version of Neutron can be injected and how to install it?

    Hello, thanks for your great work!

    I noted that ThorFI works on the network namespace created by Neutron, using commands like ip netns exec qrouter-XXX. But as far as I know, Neutron uses OVN now instead of creating namespaces by itself. So I can't use ThorFI in devstack of the latest version on ubuntu.

    Could you please tell me which version of Neutron can be injected and how to install it? Thanks!

    opened by THUzxj 0
Owner
DESSERT research lab (Federico II University of Naples, Italy)
DESSERT research lab (Federico II University of Naples, Italy)
Public HTTPS access to Home Assistant with Dataplicity service

Custom component for public HTTPS access to Home Assistant with Dataplicity service. Should work on any Linux PC or ARM, not only Raspberry as Dataplicity service said. Don't work on Windows.

Alex X 70 Oct 3, 2022
Bark Toolkit is a toolkit wich provides Denial-of-service attacks, SMS attacks and more.

Bark Toolkit About Bark Toolkit Bark Toolkit is a set of tools that provides denial of service attacks. Bark Toolkit includes SMS attack tool, HTTP

null 13 Jan 4, 2023
Client library for relay - a service for relaying server side messages to the client side browsers via websockets.

Client library for relay - a service for relaying server side messages to the client side browsers via websockets.

getme 1 Nov 10, 2021
Web service load balancing simulation experiment.

Web service load balancing simulation experiment.

NicestZK 1 Nov 12, 2021
Modern Denial-of-service ToolKit for python

?? Impulse Modern Denial-of-service ToolKit ?? Main window ?? Methods: Method Target Description SMS PHONE Sends a massive amount of SMS messages and

null 1 Nov 29, 2021
A pure python implementation of multicast DNS service discovery

python-zeroconf Documentation. This is fork of pyzeroconf, Multicast DNS Service Discovery for Python, originally by Paul Scott-Murphy (https://github

Jakub Stasiak 483 Dec 29, 2022
Very simple and tiny file sharing service written in python

Simple File sharing tool Sharing client usage (You will need to use python3 for linux) main.py --send -f file/path Optionnal flags : pwd : set a passw

null 2 Jul 26, 2022
A great python/java dynamic DNS service for NameSilo, with log, email reminder...

English NameSilo DDNS is a DDNS service for NameSilo domain names for home broadband , it can automatically detect IP changes in home broadband

云牧青 77 Dec 28, 2022
Slowloris is basically an HTTP Denial of Service attack that affects threaded servers.

slowrise-ddos-tool What is Slowloris? Slowloris is basically an HTTP Denial of S

DEMON cat 4 Jun 19, 2022
JF⚡can - Super fast port scanning & service discovery using Masscan and Nmap. Scan large networks with Masscan and use Nmap's scripting abilities to discover information about services. Generate report.

Description Killing features Perform a large-scale scans using Nmap! Allows you to use Masscan to scan targets and execute Nmap on detected ports with

null 377 Jan 3, 2023