Re: [Dots] WGLC for draft-dots-use-cases-19

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 06 August 2019 12:52 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Töma Gavrichenkov <ximaera@gmail.com>
CC: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Valery Smyslov <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
Thread-Topic: [Dots] WGLC for draft-dots-use-cases-19
Date: Tue, 06 Aug 2019 12:52:34 +0000
Message-ID: <DM5PR16MB1705E536C86621FAFB2DDC71EAD50@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <00b001d54c1f$d57799e0$8066cda0$@smyslov.net> <DM5PR16MB17050571BAD70FACA597FA6CEAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDB17@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB170555606E26709FC5C54AA4EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDBC8@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB17050DF869BABA8B3670DC85EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDC3B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB1705E573DE3E7482115B9FE0EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B9330312FDC6C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <DM5PR16MB170551C20908654A0F6428D7EAD50@DM5PR16MB1705.namprd16.prod.outlook.com> <CALZ3u+apnoCr9d0p_8ONCidyweMFRrdZO3tD-SdE=+-KeHV9QQ@mail.gmail.com>
In-Reply-To: <CALZ3u+apnoCr9d0p_8ONCidyweMFRrdZO3tD-SdE=+-KeHV9QQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/4k9RRzEXQo308jCqgPa_Kvgi-l4>
Subject: Re: [Dots] WGLC for draft-dots-use-cases-19
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>

From: Töma Gavrichenkov <ximaera@gmail.com>
Sent: Tuesday, August 6, 2019 5:59 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
Cc: mohamed.boucadair@orange.com; Valery Smyslov <valery@smyslov.net>; dots@ietf.org; Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>
Subject: Re: [Dots] WGLC for draft-dots-use-cases-19


________________________________
Peace,
On Tue, Aug 6, 2019, 2:52 PM Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com> wrote:
When DMS generates the attack traffic information it should include both spoofed and attacker IP addresses (tagged with whether the IP address is spoofed or not).

I must say I don't understand what the reason is behind collecting spoofed IP addresses.  That is, especially with IPv6, an overly massive amount of data to store and transmit, and in 99,999% of cases it has exactly zero value for either attack mitigation or threat intel, b/c you may just generate that from your own /dev/urandom, it'd be of the same quality.


I am referring to reflection attacks (e.g. DNS amplification attack). The other attack could be where the surveillance IP camera's IP address is spoofed, traffic from this IP address is black-listed and it can no longer send feeds to its server (and the attacker can successfully launch a physical attack, e.g. home burglary). The problem is with the following lines in the offload scenario:


   When the DDoS attack becomes severe
   and the DDoS mitigation system's utilization rate reaches its maximum
   capacity, the DDoS mitigation system can send mitigation requests
   with additional hints such as its blocked traffic information to the
   orchestrator.  Then the orchestrator can take further actions like
   requesting forwarding nodes such as routers to filter the traffic.

-Tiru

--
Töma
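As an added example that is not part of this thread, the draft, or any DOTS implementation, here is how an orchestrator could consume a DMS blocked-traffic report that carries the spoofed tag Tiru describes, so that filtering offloaded to routers never blacklists a forged source address. The record fields, the volume threshold and the rule shapes are assumptions constructed for this example, not DOTS signal-channel attributes.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Below this volume a spoofed-source flow stays with the DMS instead of
# becoming a router rule (the threshold is an assumption for this example).
RATE_LIMIT_THRESHOLD_BYTES = 1_000_000

# Constructed sample "blocked traffic information" as a DMS might report it
# when offloading to the orchestrator. Field names are made up here; they
# are not DOTS signal-channel attributes.
SAMPLE_REPORT: List[dict] = [
    # DNS amplification: the DMS sees reflector addresses, not the attacker's,
    # so (by assumption) it tags them as not attributable to the true sender.
    {"src": "203.0.113.7",  "proto": "udp", "sport": 53,    "bytes": 900_000, "spoofed": True},
    {"src": "203.0.113.9",  "proto": "udp", "sport": 53,    "bytes": 850_000, "spoofed": True},
    {"src": "198.51.100.4", "proto": "udp", "sport": 53,    "bytes": 700_000, "spoofed": True},
    # A camera's address forged as the source of a small direct flood
    # (the burglary scenario from the thread), tagged spoofed by the DMS.
    {"src": "192.0.2.77",   "proto": "tcp", "sport": 40000, "bytes": 120_000, "spoofed": True},
    # Two bots sending from their real addresses.
    {"src": "192.0.2.10",   "proto": "tcp", "sport": 4242,  "bytes": 300_000, "spoofed": False},
    {"src": "192.0.2.11",   "proto": "tcp", "sport": 4243,  "bytes": 250_000, "spoofed": False},
]


def naive_filters(report: List[dict]) -> List[str]:
    """Block every reported source at the routers, ignoring the tag. This is
    what the offload text invites: reflectors and the forged camera address
    all end up blacklisted."""
    return sorted({r["src"] for r in report})


def tag_aware_filters(report: List[dict]) -> Tuple[List[str], List[dict]]:
    """Block a source only when the DMS vouches it is not spoofed. Spoofed-source
    traffic is aggregated by protocol and source port instead, and only a
    high-volume aggregate becomes a rate-limit rule keyed on the traffic itself."""
    blocks = set()
    volume: Dict[Tuple[str, int], int] = defaultdict(int)
    for r in report:
        if r["spoofed"]:
            volume[(r["proto"], r["sport"])] += r["bytes"]
        else:
            blocks.add(r["src"])
    rate_limits = [
        {"proto": proto, "sport": sport, "bytes": total}
        for (proto, sport), total in sorted(volume.items())
        if total >= RATE_LIMIT_THRESHOLD_BYTES
    ]
    return sorted(blocks), rate_limits
```

With the sample report, the naive policy pushes six source blocks to the routers, while the tag-aware policy blocks only the two bots and turns the reflection traffic into a single udp/53 rate-limit, leaving the forged camera address untouched.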