Re: [Dots] Target-Attack-type expansion: more discussion

"MeiLing Chen" <> Mon, 06 May 2019 10:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2170812012D for <>; Mon, 6 May 2019 03:10:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gW7ZxIT461bI for <>; Mon, 6 May 2019 03:10:42 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E6F7C12012A for <>; Mon, 6 May 2019 03:10:41 -0700 (PDT)
Received: from (unknown[]) by rmmx-syy-dmz-app05-12005 (RichMail) with SMTP id 2ee55cd00820498-f018f; Mon, 06 May 2019 18:10:40 +0800 (CST)
X-RM-TRANSID: 2ee55cd00820498-f018f
X-RM-TagInfo: emlType=0
X-RM-SPAM-FLAG: 00000000
Received: from cmcc-PC (unknown[]) by rmsmtp-syy-appsvr03-12003 (RichMail) with SMTP id 2ee35cd0081f9ea-51dd0; Mon, 06 May 2019 18:10:40 +0800 (CST)
X-RM-TRANSID: 2ee35cd0081f9ea-51dd0
Date: Mon, 06 May 2019 18:10:40 +0800
From: MeiLing Chen <>
To: Töma Gavrichenkov <>
Cc: dots <>
References: <>, <>, <>, <>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail[cn]
Mime-Version: 1.0
Message-ID: <>
Content-Type: multipart/alternative; boundary="----=_001_NextPart276387245315_=----"
Archived-At: <>
Subject: Re: [Dots] Target-Attack-type expansion: more discussion
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 06 May 2019 10:10:45 -0000

>On Mon, May 6, 2019, 11:57 AM MeiLing Chen <> wrote:
Not mean the affected layer, but at the exploited protocol layer.

>a) Then the Memcached reflection would be layer 7, as the Memcached ASCII protocol belongs to the application layer;
>b) Honestly, I don't see how the "exploited protocol layer" could be of *any* use for mitigation.
[MeiLing]Actually, It is more inclined to use TCP/IP four-layer protocol. 
use "exploited protocol layer" for attack type classification and unified naming, then use the parameter of attack type for faster mitigation response, that's mean if Reporting sources are credible for attack type, the mitigator can use directly to dispatch the clean devices.

it is still necessary to unify the types of classified attacks.

>Not only it is operationally close to impossible in the foreseeable future,  it it is also really of questionable use.  You would still need a device on your network which would be >responsible for handling "the rest" of DDoS attacks: not falling under any known type, 0-day, etc.
[MeiLing]The attack type here refers to DDoS attacks, Indeed, as you said, we did consider scalability to deal with possible types of attacks in the future.

>IMO the best you could *possibly* achieve is the classification similar to what anti-virus vendors provide ("Win32/Conficker.A"-style, you know), but even then no one tries to >handle different malware with multiple anti-virus installations on the same machine.  This architecture wouldn't really fly.