Re: [Dots] Target-Attack-type expansion: more discussion

"MeiLing Chen" <> Thu, 09 May 2019 03:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7A6681201DA for <>; Wed, 8 May 2019 20:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HWA-WYrH-Irb for <>; Wed, 8 May 2019 20:33:31 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 06E81120103 for <>; Wed, 8 May 2019 20:33:30 -0700 (PDT)
Received: from (unknown[]) by rmmx-syy-dmz-app06-12006 (RichMail) with SMTP id 2ee65cd39f89cb7-3085a; Thu, 09 May 2019 11:33:29 +0800 (CST)
X-RM-TRANSID: 2ee65cd39f89cb7-3085a
X-RM-TagInfo: emlType=0
X-RM-SPAM-FLAG: 00000000
Received: from cmcc-PC (unknown[]) by rmsmtp-syy-appsvr07-12007 (RichMail) with SMTP id 2ee75cd39f87f7e-3d6f6; Thu, 09 May 2019 11:33:28 +0800 (CST)
X-RM-TRANSID: 2ee75cd39f87f7e-3d6f6
Date: Thu, 09 May 2019 11:33:30 +0800
From: MeiLing Chen <>
To: Nik Teague <>, Töma Gavrichenkov <>
Cc: dots <>
References: <>, <>, <>, <>, <>, <>, <>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail[cn]
Mime-Version: 1.0
Message-ID: <>
Content-Type: multipart/alternative; boundary="----=_001_NextPart644432017813_=----"
Archived-At: <>
Subject: Re: [Dots] Target-Attack-type expansion: more discussion
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 09 May 2019 03:33:34 -0000

Hi, Nik and Töma,
"procotol layer" is a field designed for attack type definition and classification, but the actual mitigation operation depends on the mitigation method provided by mitigators.

-------- Original Message --------
On May 6, 2019, 11:52 AM, Töma Gavrichenkov <> wrote:

On Mon, May 6, 2019 at 1:10 PM MeiLing Chen wrote:
> Actually, It is more inclined to use TCP/IP four-layer protocol.

Which layer is QUIC then?

The Internet protocol suite is not really layered. OSI model is, but
the IETF as a whole tends to slip away from the layered model. To
quote Christian Huitema:

"There is also beauty in *not* having a layered architecture [..]. It
is great to see transport functions like acknowledgement or flow
control fully contained in the Quic transport. Quic is about transport
innovation, and that pretty much requires direct access to the network
API. In practice, layered implementation hide that API, so the
transport developers have to constantly negotiate with the
intermediate layer developers."

I would strongly oppose a classification based on "exploited protocol
layers". As attractive as it is academically, it makes operational
issues more opaque.


Layers have no real relevance... Using the memcached example - the exploitation may be at the application but the mitigation could easily be handled by a standard ACL.