Re: [Dots] Comments for draft-hayashi-dots-dms-offload
H Y <yuuhei.hayashi@gmail.com> Tue, 06 August 2019 09:09 UTC
Return-Path: <yuuhei.hayashi@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A24112014A for <dots@ietfa.amsl.com>; Tue, 6 Aug 2019 02:09:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id raYKoc80xJzi for <dots@ietfa.amsl.com>; Tue, 6 Aug 2019 02:09:18 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2565120148 for <dots@ietf.org>; Tue, 6 Aug 2019 02:09:17 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id v16so6586682lfg.11 for <dots@ietf.org>; Tue, 06 Aug 2019 02:09:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=KD+w0SynlHc40Bln4o8R3sg1SBz919wXLSpoBwEy2rQ=; b=BuUmzWO6SlUzBv9hF6pKGnc/6xx6UFHHnW3sk5Rn0SREpChunLQnvpDsI77Oxmk8ZT 8bUKMdzhrfu1EWAr5XGczHjREr6cGkOwUJNYBDyqDwrMJ+nSaop7AU4uBZy/lo0vU8c6 a3vZVx3oZqKrs+EjhV/SMcs2cOqRh7fDUGtXfEAQLK1u97IvVY4SybDD91SyERdt9lwR gZC+4YExfEHZMFo9Vv/fDgUZESj/S+iZREufGGOShG4ArlyQlXeIR+SQwPhfa8OGrfGq cMn3OAUOYBECn/VgXbX6fhAE414p2gHJfkBOhe9G+PwHIEJgQ2qRutDLszigH7XyY1Ha D1CQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=KD+w0SynlHc40Bln4o8R3sg1SBz919wXLSpoBwEy2rQ=; b=pjQpPbT3NLFup1zRB3Wt4UI42rDSEDID1UtTdqaqEX07cJInGnpzUq7W2M8iZGFQD+ d/y8iiyUyZjEMiZKXN9y4nmAfgsergqGc2Hw+veMZMMaIf+DK+3YB++cBFQXsNggpDZD ohAhH3RQ65xetfCFSQwJ7s9jHf/PwA57KwbX2HMak3rwUt2D2s/U27GTF9h1g+JTYLbZ pr2mLC1Qxj91fQl3z3Hj0ZD3ZM3UL6kkBXB+MWOlQBH0XsAAms68XuF1dNwKRW1lRj8+ S+Vo54afxy4Nwbcblf2ZGJDETVO4ey/VAyHdOICTWXZL66QVoU7etoxAn8W1PlvkxbjG Nqdw==
X-Gm-Message-State: APjAAAVFnhHwupnB3KzOtHWaKMk9liMbbs9gTCBmWlV++MkHpwVD1nen LVllwlIFzwGA/bexZnswMnnWj92FLBHZ7Ag9PXM=
X-Google-Smtp-Source: APXvYqzdnOKn6jPIac4zx2dk7ciiF7ITslhESmWMKuGuVxJZjh+9085l077SZYz8OyF2IMRLsQOcgBd0WfEHfNC+b2s=
X-Received: by 2002:ac2:5097:: with SMTP id f23mr1710396lfm.130.1565082555710; Tue, 06 Aug 2019 02:09:15 -0700 (PDT)
MIME-Version: 1.0
References: <30E95A901DB42F44BA42D69DB20DFA6A6DE3F02A@nkgeml513-mbs.china.huawei.com>
In-Reply-To: <30E95A901DB42F44BA42D69DB20DFA6A6DE3F02A@nkgeml513-mbs.china.huawei.com>
From: H Y <yuuhei.hayashi@gmail.com>
Date: Tue, 06 Aug 2019 18:08:05 +0900
Message-ID: <CAA8pjUMv2kY8w=ZMaP_bpxZaYFem3=YeHoWLrxRMnd+p9tiz3A@mail.gmail.com>
To: "Panwei (William)" <william.panwei@huawei.com>
Cc: dots <dots@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/KYnhPAP5ewKiHkLJQzo3po9RLMM>
Subject: Re: [Dots] Comments for draft-hayashi-dots-dms-offload
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 09:09:21 -0000
Hi Wei Pan, Thank you for reading my draft carefully. Please see inline. 2019年8月6日(火) 12:52 Panwei (William) <william.panwei@huawei.com>: > > Hi Yuhei, > > > > In the IETF 105 meeting, there wasn’t enough time to discuss your draft, so I put my comments here for more discussion. > > My comments are all about the ‘Signaling Method and Conveyed Information’ for different Attacks. The following figure is copied from your draft. > > +-------------+-----------------------------------+------------------+ > > | | Reflection Attack | Non-Reflection | > > | | | Attack | > > +-------------+-----------------------------------+------------------+ > > | Out-of-band | Attack Time | > > | case | Method : Data Channel | > > | | Info : src_ip, src_port, dst_ip, dst_port, protocol | > > +-------------+-----------------------------------+------------------+ > > | In-band | Attack Time | Attack Time | > > | case | (Number of reflector is small) | Method : Signal | > > | | Method : Signal Channel with src | Channel | > > | | Info : src_ip, src_port, | Info : dst_ip, | > > | | dst_ip, protocol | dst_port, | > > | +-----------------------------------+ protocol | > > | | Attack Time | | > > | | (Number of reflector is enormous) | | > > | | Method : Signal Channel with src | | > > | | Info : src_port, dst_ip, protocol | | > > | +-----------------------------------+------------------+ > > | | Peace Time | Peace Time | > > | | Method : Data Channel | Method : Data | > > | | Info : src_port, | Channel | > > | | dst_ip, protocol | Info : dst_ip, | > > | | | dst_port, | > > | | | protocol | > > | | | | > > | | Attack Time | Attack Time | > > | | Method : Signal Channel | Method : Signal | > > | | Control Filtering | Channel | > > | | Info : ACL name | Control Filtering| > > | | | Info : ACL name | > > |-------------+------------------------------------------------------+ > > > > 1. For ‘In-band Case’ and ‘Attack Time’, ‘dst_port’ is conveyed for ‘Non-Reflection Attack’ and isn’t for ‘Reflection Attack’, so I infer that maybe a lot of or even all ports will be attacked on ‘Reflection Attack’ so you can’t or don’t need to convey ‘dst_port’. Also I noticed that non source attribute is conveyed on ‘Non-Reflection Attack’. So, different kinds of information are conveyed in different situations, but I didn’t find any references for your conclusions, can you give some references or descriptions to explain how you get the conclusions? [Yuhei] So far, I conclude it based on my personal analysis of attack (or network stress?) tools. > When it is under non-reflection attack, src_ip and src_port information cannot be conveyed because attackers usually randomize the parameters so number of its become enormous. For example, a non-reflection attack (or network stress?) tool such as g3m seems that it generates attack packets with randomized src_ip and src_port as default. https://github.com/WorkaroundTech/g3m/blob/master/g3m.c > On the other hand, when it is under reflection attack, dst_port information cannot be conveyed because attackers usually randomize src_port so the number of dst_port of attack packets reached to victim become enormous. For example, a reflection attack tool https://github.com/OffensivePython/Saddam/blob/master/Saddam.py seems that it generates attack packets with randomized src_port. > 2. For ‘Reflection Attack’, ‘In-band Case’ and ‘Attack Time’, you give two methods based on the number of reflector, what I’m confused is how to distinguish whether the number is small or enormous. I think the comparison is a very subjective thing, different people may have different understanding, so I don’t know whether it’s suitable or common to just say the number is small or enormous. [Yuhei] Thank you for sharing your concern. A threshold is needed to distinguish the number is small or enormous, and the threshold can be configured based on the capacity of ACLs of forwarding node. > 3. For ‘In-band Case’ and ‘Peace Time’, you want to send the ACLs by Data Channel before the attack, and activate them by Signal Channel during attack. But how do you know the targets and attack sources before the attack, especially the DMS may be in charge of the whole network? [Yuhei] So far, it is assumed that the DMS is deployed at the enterprise network and it knows the global address of the network. Against reflection attack, the DMS sends the global address as dst_ip of ACL and well-known abused port (such as UDP 53, 123, etc.) as src_port of ACL in peacetime. Against non-reflection attack, the DMS sends the global address as dst_ip of ACL and well-known abused port (such as TCP 80, 443, etc.) as dst_port of ACL in peacetime. Thanks, Yuhei > Regards & Thanks! > > 潘伟 Wei Pan > > 华为技术有限公司 Huawei Technologies Co., Ltd. > > -- ---------------------------------- Yuuhei HAYASHI 08065300884 yuuhei.hayashi@gmail.com iehuuy_0220@docomo.ne.jp ----------------------------------