Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-telemetry-00.txt

[H Y <yuuhei.hayashi@gmail.com>]

Hi Tiru

> What is stopping the attacker to frequently change the IP address (especially with IPv6) ?
> What kind of attack traffic is generated by the top talkers and what happens if the top talkers are spoofed IP addresses (e.g. amplification attack) ?
IMO, when a reflection attack hits a target, src_ip address detected
at the target are reflectors ip address.
If the reflector's ip does not change frequently, the top talker
information can be used.
Is it wrong?

Thanks,
Yuhei

2019年7月24日(水) 9:37 Konda, Tirumaleswar Reddy
<TirumaleswarReddy_Konda@mcafee.com>:
>
> Hi Yuhei,
>
> What is stopping the attacker to frequently change the IP address (especially with IPv6) ?
> What kind of attack traffic is generated by the top talkers and what happens if the top talkers are spoofed IP addresses (e.g. amplification attack) ?
>
> Cheers,
> -Tiru
>
> > -----Original Message-----
> > From: H Y <yuuhei.hayashi@gmail.com>
> > Sent: Wednesday, July 24, 2019 6:57 PM
> > To: Mohamed Boucadair <mohamed.boucadair@orange.com>
> > Cc: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> > tirumal reddy <kondtir@gmail.com>; dots@ietf.org
> > Subject: Re: [Dots] Fwd: New Version Notification for draft-reddy-dots-
> > telemetry-00.txt
> >
> >
> >
> > Hi Med,
> >
> > > [Med] Yes. My point is if one has to return a list of top-talkers in terms of
> > pps, another list of top-talkers in terms of second_criteria, or other
> > information relying on source-prefix dedicated attributes will be needed
> > because this cannot be inferred from the current source-prefix attribute.
> > [hayashi] +1. This top-talker information is helpful for the orchestrator to
> > decide which attack traffic should be blocked preferentially in network. The
> > criteria information is also needed.
> >
> > Thanks,
> > Yuhei
> >
> > 2019年7月24日(水) 8:56 <mohamed.boucadair@orange.com>:
> > >
> > > Re-,
> > >
> > > Please see inline.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Message d'origine-----
> > > > De : Konda, Tirumaleswar Reddy
> > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > Envoyé : mercredi 24 juillet 2019 14:45 À : BOUCADAIR Mohamed
> > > > TGI/OLN; H Y; tirumal reddy Cc : dots@ietf.org Objet : RE: [Dots]
> > > > Fwd: New Version Notification for draft-reddy-dots- telemetry-00.txt
> > > >
> > > > > -----Original Message-----
> > > > > From: mohamed.boucadair@orange.com
> > <mohamed.boucadair@orange.com>
> > > > > Sent: Wednesday, July 24, 2019 6:02 PM
> > > > > To: Konda, Tirumaleswar Reddy
> > > > > <TirumaleswarReddy_Konda@McAfee.com>; H Y
> > > > > <yuuhei.hayashi@gmail.com>; tirumal reddy <kondtir@gmail.com>
> > > > > Cc: dots@ietf.org
> > > > > Subject: RE: [Dots] Fwd: New Version Notification for
> > > > > draft-reddy-dots- telemetry-00.txt
> > > > >
> > > > > This email originated from outside of the organization. Do not
> > > > > click
> > > > links or
> > > > > open attachments unless you recognize the sender and know the
> > > > > content is safe.
> > > > >
> > > > > Hi Tiru,
> > > > >
> > > > > That’s true...but fragmentation is a general issue each time we
> > > > > need to supply more telemetry information in the signal channel.
> > > > > As already
> > > > noted in
> > > > > the draft, we will need to figure out when it is better to provide
> > > > > some telemetry information using data channel.
> > > >
> > > > Yes, normal traffic baseline attributes can be conveyed in the DOTS
> > > > data channel and traffic from top talkers can also be
> > > > blocked/rate-limited using the DOTS data channel during peace time.
> > > >
> > > > >
> > > > > BTW, "top talker" can already be supplied using source-prefix attribute.
> > > > > Whether top-talker needs to be defined as a separated attribute,
> > > > > but structured as a list of source-prefixes is a design details
> > > > > (if the WG
> > > > agrees to
> > > > > include it in the telemetry information).
> > > >
> > > > Source-prefix is already a list/array.
> > >
> > > [Med] Yes. My point is if one has to return a list of top-talkers in terms of
> > pps, another list of top-talkers in terms of second_criteria, or other
> > information relying on source-prefix dedicated attributes will be needed
> > because this cannot be inferred from the current source-prefix attribute.
> > >
> > > >
> > > > >
> > > > > Anyway, let's continue collecting candidate telemetry information
> > > > > and
> > > > then
> > > > > make a selection in a second phase.
> > > >
> > > > Sure.
> > > >
> > > > Cheers,
> > > > -Tiru
> > > >
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > > -----Message d'origine-----
> > > > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de Konda,
> > > > > > Tirumaleswar Reddy Envoyé : mercredi 24 juillet 2019 14:18 À : H
> > > > > > Y; tirumal reddy Cc : dots@ietf.org Objet : Re: [Dots] Fwd: New
> > > > > > Version Notification for draft-reddy-dots- telemetry-00.txt
> > > > > >
> > > > > > Hi Yuhei,
> > > > > >
> > > > > > Thanks for the support. The problem is fragmentation of the DOTS
> > > > > > telemetry message, DOTS Telemetry is sent over the DOTS signal
> > > > > > channel using UDP and the message size cannot exceed PMTU.
> > > > > >
> > > > > > Cheers,
> > > > > > -Tiru
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of H Y
> > > > > > > Sent: Tuesday, July 23, 2019 5:28 PM
> > > > > > > To: tirumal reddy <kondtir@gmail.com>
> > > > > > > Cc: dots@ietf.org
> > > > > > > Subject: Re: [Dots] Fwd: New Version Notification for
> > > > > > > draft-reddy-dots- telemetry-00.txt
> > > > > > >
> > > > > > > This email originated from outside of the organization. Do not
> > > > > > > click
> > > > > > links or
> > > > > > > open attachments unless you recognize the sender and know the
> > > > > > > content is safe.
> > > > > > >
> > > > > > > Hi Tiru,
> > > > > > >
> > > > > > > I read the draft and I also support this draft.
> > > > > > > Sending detail information about attack traffic helps my dms
> > > > > > > offload
> > > > > > scenario
> > > > > > > because the orchestrator can decide what to do based on the
> > > > > > > detail information.
> > > > > > >
> > > > > > > IMO, "top talker" attribute defined in my previous draft is
> > > > > > > also
> > > > > > feasible to
> > > > > > > send and effective to mitigate attack correctly.
> > > > > > > https://datatracker.ietf.org/doc/draft-h-dots-mitigation-offlo
> > > > > > > ad-
> > > > > > expansion/
> > > > > > > What do you think about including the top talker attribute to
> > > > > > > the
> > > > > > telemetry?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Yuhei
> > > > > > >
> > > > > > > 2019年7月5日(金) 9:21 tirumal reddy <kondtir@gmail.com>:
> > > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > https://tools.ietf.org/html/draft-reddy-dots-telemetry-00
> > > > > > > > aims to
> > > > > > enrich
> > > > > > > DOTS protocols with various telemetry attributes allowing
> > > > > > > optimal DDoS attack mitigation. This document specifies the
> > > > > > > normal traffic baseline
> > > > > > and
> > > > > > > attack traffic telemetry attributes a DOTS client can convey
> > > > > > > to its DOTS
> > > > > > server
> > > > > > > in the mitigation request, the mitigation status telemetry
> > > > > > > attributes a
> > > > > > DOTS
> > > > > > > server can communicate to a DOTS client, and the mitigation
> > > > > > > efficacy telemetry attributes a DOTS client can communicate to a
> > DOTS server.
> > > > > > The
> > > > > > > telemetry attributes can assist the mitigator to choose the
> > > > > > > DDoS
> > > > > > mitigation
> > > > > > > techniques and perform optimal DDoS attack mitigation.
> > > > > > > >
> > > > > > > > Comments, suggestions, and questions are more than welcome.
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > -Tiru
> > > > > > > >
> > > > > > > > ---------- Forwarded message ---------
> > > > > > > > From: <internet-drafts@ietf.org>
> > > > > > > > Date: Fri, 5 Jul 2019 at 18:44
> > > > > > > > Subject: New Version Notification for
> > > > > > > > draft-reddy-dots-telemetry-00.txt
> > > > > > > > To: Tirumaleswar Reddy <kondtir@gmail.com>, Ehud Doron
> > > > > > > > <ehudd@radware.com>, Mohamed Boucadair
> > > > > > > <mohamed.boucadair@orange.com>
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > A new version of I-D, draft-reddy-dots-telemetry-00.txt has
> > > > > > > > been successfully submitted by Tirumaleswar Reddy and posted
> > > > > > > > to the IETF repository.
> > > > > > > >
> > > > > > > > Name:           draft-reddy-dots-telemetry
> > > > > > > > Revision:       00
> > > > > > > > Title:          Distributed Denial-of-Service Open Threat
> > > > Signaling
> > > > > > (DOTS)
> > > > > > > Telemetry
> > > > > > > > Document date:  2019-07-05
> > > > > > > > Group:          Individual Submission
> > > > > > > > Pages:          13
> > > > > > > > URL:            https://www.ietf.org/internet-drafts/draft-reddy-
> > > > dots-
> > > > > > > telemetry-00.txt
> > > > > > > > Status:         https://datatracker.ietf.org/doc/draft-reddy-dots-
> > > > > > telemetry/
> > > > > > > > Htmlized:       https://tools.ietf.org/html/draft-reddy-dots-
> > > > > > telemetry-00
> > > > > > > > Htmlized:       https://datatracker.ietf.org/doc/html/draft-reddy-
> > > > > > dots-
> > > > > > > telemetry
> > > > > > > >
> > > > > > > >
> > > > > > > > Abstract:
> > > > > > > >    This document aims to enrich DOTS signal channel protocol with
> > > > > > > >    various telemetry attributes allowing optimal DDoS attack
> > > > > > mitigation.
> > > > > > > >    This document specifies the normal traffic baseline and attack
> > > > > > > >    traffic telemetry attributes a DOTS client can convey to
> > > > > > > > its
> > > > DOTS
> > > > > > > >    server in the mitigation request, the mitigation status
> > > > telemetry
> > > > > > > >    attributes a DOTS server can communicate to a DOTS
> > > > > > > > client, and
> > > > the
> > > > > > > >    mitigation efficacy telemetry attributes a DOTS client can
> > > > > > > >    communicate to a DOTS server.  The telemetry attributes
> > > > > > > > can
> > > > assist
> > > > > > > >    the mitigator to choose the DDoS mitigation techniques
> > > > > > > > and
> > > > perform
> > > > > > > >    optimal DDoS attack mitigation.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Please note that it may take a couple of minutes from the
> > > > > > > > time of submission until the htmlized version and diff are
> > > > > > > > available at
> > > > > > tools.ietf.org.
> > > > > > > >
> > > > > > > > The IETF Secretariat
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Dots mailing list
> > > > > > > > Dots@ietf.org
> > > > > > > > https://www.ietf.org/mailman/listinfo/dots
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > ----------------------------------
> > > > > > > Yuuhei HAYASHI
> > > > > > > 08065300884
> > > > > > > yuuhei.hayashi@gmail.com
> > > > > > > iehuuy_0220@docomo.ne.jp
> > > > > > > ----------------------------------
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Dots mailing list
> > > > > > > Dots@ietf.org
> > > > > > > https://www.ietf.org/mailman/listinfo/dots
> > > > > > _______________________________________________
> > > > > > Dots mailing list
> > > > > > Dots@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/dots
> >
> >
> >
> > --
> > ----------------------------------
> > Yuuhei HAYASHI
> > 08065300884
> > yuuhei.hayashi@gmail.com
> > iehuuy_0220@docomo.ne.jp
> > ----------------------------------



-- 
----------------------------------
Yuuhei HAYASHI
08065300884
yuuhei.hayashi@gmail.com
iehuuy_0220@docomo.ne.jp
----------------------------------