November 14, 2011

DHCP traffic statistics datasheet exposed by DHCPv4 Filtering STREAMS Module via KSTAT infrastructure

Overview
This software is a STREAMS module that subjects BOOTP packets arriving on its read queue to a special filtering algorithm and passes on to its upstream consumer, the DHCP server process, only those packets that the filter accepts. In this way the majority of DoS/DDoS attacks and floods do not consume the resources of the DHCP server software, which runs in user space.
The Oracle Solaris Operating Environment (OE) kernel provides a set of functions and data structures, named KSTAT, that device drivers and other kernel modules use to export module-specific statistics to the outside world. The current software version of the DHCPv4 filter supports KSTAT for extracting its statistics about the processed DHCP traffic.

KSTAT instance behavior
The DHCPv4 filter software can provide filtering services to many concurrent DHCP server processes. Each of them has a separate inbound entry accessible via the kstat utility (class net, module dhcpmod). When an instance is unloaded, its entry remains in the system, keeping the statistical data available for further analysis. The instance state is denoted by the field state, which is 0 if the filter instance is uninitialized, 1 if it is running, 2 if it is stopped, and 3 if it failed to start.

Statistic counters
Module dhcpmod maintains and reports the following statistics. All statistics are maintained as unsigned. The statistics are 64 bits unless otherwise noted.
buffer errors
Number of errors that occurred during packet processing. Should always be 0.
cache buckets
Number of buckets allocated for the HASH tables. Large values indicate traffic bursts.
cache errors
Number of errors or inconsistencies detected in the HASH tables. Should always be 0.
cache expired
Number of cache expiration events.
cache hits
Number of cache hit events. Should exceed cache misses by a factor of at least 10. May be lower during the first ten minutes after instance startup.
cache misses
Number of cache miss (not found) events.
cache records
Actual HASH table usage. Large values indicate large traffic bursts.
discarded packets
Number of discard events since instance startup.
discarded packets per sec
Current rate of discard events. The filter's effectiveness is reflected in this value.
discarded rate limit packets
Number of discard events caused by rate limiting. Continuously high values indicate the presence of a flood.
failure packets
Number of packets that the traffic filter failed to process and passed on to the upstream neighbor. Should always be 0.
fragmented IP packets
Number of fragmented IPv4 packets. Such traffic is discarded silently.
input packets
Number of packets received from the NIC.
input packets per sec
Rate of packets received from the NIC.
invalid BOOTP packets
Number of BOOTP packets that violate RFC 2132. Such traffic is discarded silently.
invalid IP packets
Number of broken IPv4 packets. Such traffic is discarded silently.
invalid UDP packets
Number of UDP packets with a broken header or checksum. Such traffic is discarded silently.
malformed packets
Total number of packets that cannot be processed normally because of corruption or non-conformance to the standards. Such traffic is discarded silently.
no memory errors
For internal use. Signals that the system is out of memory. Should always be 0.
non-def BOOTP cookie packets
Number of packets with a broken BOOTP magic cookie. Such traffic is discarded silently.
non-def BOOTP type packets
Number of packets with a broken BOOTP hardware type. Such traffic is discarded silently.
non-def dest port packets
Number of packets with an invalid destination port. Such traffic is discarded silently.
non-def src port packets
Number of packets with an invalid source port. Such traffic is discarded silently.
non-support media type packets
Number of non-IEEE Ethernet packets. Such traffic is discarded silently.
non-support msg type packets
Number of packets with an invalid DHCP message type. Such traffic is discarded silently.
overrun packets
Number of oversized packets. Such traffic is discarded silently.
packets without DHCP Option 82
Number of packets that do not include RFC 3046 DHCP Option 82. Such traffic is handled according to custom policies.
passed packets
Number of packets passed through the filter unaltered since instance startup.
passed packets per sec
Rate of successful filter pass-through events.
underrun packets
Number of oversized packets. Such traffic is discarded silently.

Real-world example of accessing traffic statistics
You can use the command-line tool /usr/bin/kstat interactively to print all or selected KSTAT information about DHCP traffic on the system.


$ kstat -c net -m dhcpmod
module: dhcpmod instance: 1
name: inbound class: net
buffer errors 0
cache buckets 16384
cache errors 0
cache expired 1978313
cache hits 7263887
cache misses 2012974
cache records 8381
crtime 522.985408215
discarded packets 3230542
discarded packets per sec 67
discarded rate limit packets 3229064
failure packets 861
fragmented IP packets 0
input packets 27526307
input packets per sec 268
invalid BOOTP packets 0
invalid IP packets 4
invalid UDP packets 0
malformed packets 617
no memory errors 0
non-def BOOTP cookie packets 2
non-def BOOTP type packets 0
non-def dest port packets 0
non-def src port packets 861
non-support media type packets 5
non-support msg type packets 606
overrun packets 0
packets without DHCP Option 82 323744
passed packets 6048319
passed packets per sec 44
snaptime 160039.377522581
state 1
underrun packets 0
module: dhcpmod instance: 2
name: inbound class: net
buffer errors 0
cache buckets 4
cache errors 0
cache expired 490
cache hits 155
cache misses 499
cache records 2
crtime 522.986099883
discarded packets 0
discarded packets per sec 0
discarded rate limit packets 0
failure packets 0
fragmented IP packets 0
input packets 658
input packets per sec 0
invalid BOOTP packets 0
invalid IP packets 0
invalid UDP packets 0
malformed packets 0
no memory errors 0
non-def BOOTP cookie packets 0
non-def BOOTP type packets 0
non-def dest port packets 0
non-def src port packets 0
non-support media type packets 0
non-support msg type packets 0
overrun packets 0
packets without DHCP Option 82 0
passed packets 658
passed packets per sec 0
snaptime 160039.379437423
state 1
underrun packets 0


To view a single instance separately, use the -i option followed by the instance ID.

$ kstat -c net -m dhcpmod -i 1
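As an added example (not part of the original datasheet or the dhcpmod software), the script below parses the two-column text that kstat prints for the dhcpmod module and applies the health rules stated in the counter descriptions above: the counters that should always be 0, the state field, and the cache hit/miss ratio after the first ten minutes of uptime. The flood heuristic (discard rate above pass rate) and the embedded excerpt of the page's example output are assumptions constructed for illustration.

```python
import re
STATE_NAMES = {0: "uninitialized", 1: "running", 2: "stopped", 3: "failed to start"}
MUST_BE_ZERO = ("buffer errors", "cache errors", "failure packets", "no memory errors")
# Excerpt of the page's example output, embedded here as constructed test input.
SAMPLE = """module: dhcpmod instance: 1
cache hits 7263887
cache misses 2012974
crtime 522.985408215
discarded packets per sec 67
failure packets 861
passed packets per sec 44
snaptime 160039.377522581
state 1
module: dhcpmod instance: 2
cache hits 155
cache misses 499
crtime 522.986099883
discarded packets per sec 0
failure packets 0
passed packets per sec 0
snaptime 160039.379437423
state 1
"""

def parse_kstat(text):
    """Return {instance_id: {stat_name: value}} from kstat's two-column output."""
    instances, current = {}, None
    for line in text.splitlines():
        m = re.match(r"module:\s+dhcpmod\s+instance:\s+(\d+)$", line.strip())
        if m:
            current = instances.setdefault(int(m.group(1)), {})
        elif line.strip() and not line.startswith("name:") and current is not None:
            name, value = line.strip().rsplit(None, 1)
            current[name] = float(value) if "." in value else int(value)
    return instances

def check_instance(stats):
    """Return warnings for one instance, following the datasheet's rules."""
    warnings = []
    if stats.get("state") != 1:
        warnings.append("state is %s" % STATE_NAMES.get(stats.get("state"), "unknown"))
    for name in MUST_BE_ZERO:  # counters the datasheet says must always be 0
        if stats.get(name, 0) != 0:
            warnings.append("%s = %d (should be 0)" % (name, stats[name]))
    # Hit/miss ratio rule applies only after the first ten minutes of uptime.
    if stats["snaptime"] - stats["crtime"] > 600 and stats["cache hits"] < 10 * stats["cache misses"]:
        warnings.append("cache hits below 10x cache misses")
    if stats["discarded packets per sec"] > stats["passed packets per sec"]:  # assumed flood heuristic
        warnings.append("discard rate exceeds pass rate: possible flood")
    return warnings
```

Run against the page's own instance 1 output, the checks flag the non-zero failure packets counter and the hit/miss ratio below 10.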

