IETF Logo Mail Archive

Re: [Dots] Workflow question about draft-h-dots-mitigation-offload-expansion-00

Töma Gavrichenkov <ximaera@gmail.com> Sat, 03 November 2018 03:57 UTC

Return-Path: <ximaera@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7F90130E1D for <dots@ietfa.amsl.com>; Fri, 2 Nov 2018 20:57:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XxD8DKCqNCIi for <dots@ietfa.amsl.com>; Fri, 2 Nov 2018 20:57:34 -0700 (PDT)
Received: from mail-yw1-xc2f.google.com (mail-yw1-xc2f.google.com [IPv6:2607:f8b0:4864:20::c2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 557F8128A6E for <dots@ietf.org>; Fri, 2 Nov 2018 20:57:34 -0700 (PDT)
Received: by mail-yw1-xc2f.google.com with SMTP id v77-v6so1586447ywc.4 for <dots@ietf.org>; Fri, 02 Nov 2018 20:57:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=6dQV//2dtLpjftHjzjagvrv5HFSHySjafjSaLRC5Fi4=; b=UmnmJxcMai6Oid5acVoFD4H4jzCnAvsDsUH86pP7Q9Hm2p4rnfhaXMX2r/vAGPLcO4 8eXBsUohlA3ud4TOs1skX2ZuAh+apFxsZ7T2S2kOg/DYHXRB1UD9vmcnVfIRvJeeaWPr tLVMiX2mLJSNYNIi6/kITZkMJ/OAim9425AB1IDVZjIjb93myFspQkfgTJCHfXxE82Uh l4uXq5rGwqdvUvRPi1vF1YLe70X11Xv03rpBl604/ItaldM/vG4U8VcqmAWvMuSml5nZ JH2GGMNw2TpZpFfHGQiil1rnkqV2Cq9H1okQdeEeQbbg3adSEGKoKqiMF/Mad5515rTJ 0lqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=6dQV//2dtLpjftHjzjagvrv5HFSHySjafjSaLRC5Fi4=; b=Wso35GCQTkP69Sj/QIS/t76gLaR45FEeouR5kPsnJZM1OH9XhfziIV4Y+Emo+cprqH gaP3RDYXomO8g2rTI3fzsYliRb7tirkXJu5e+QzmEa7buH57i95IYuvqgLmCs3yF5sVG Wd8o3jPaHKZHS8VuIIBE5uOWjOdRMVlDA9pYNQ5+0bzV39mxaPhMk3HOJX8RlSZ5RAaa Yb41uTDrr9LMqIMwaePeYnhYqH+TnLYCGCxQlZ6T397Mnnvd9idkH57tFrKWNY6vtEsm aDkDM2w1BAocFasXKY4xT6bsdVVC1emcJhxRjDNHnuDz3mdVcKpCoWSnOUUfI5I2+Blh K8hQ==
X-Gm-Message-State: AGRZ1gIKuO8w270ReCzaZ0y6s1dNWwmqv4a/qMNVCJJF+bcH/wtMZSsU 7an1vm05NU5xphSKxGviICYeE2dXj/v6bFnT4Voyt5KETuQ=
X-Google-Smtp-Source: AJdET5cWzhtiRHL2aXUMA+7MsUW2Tn10cKXBBUN1lkcQOQdjfCg5226fjYeUsLTz2bZQn2h5cNv5Cmup7GRKgz735us=
X-Received: by 2002:a81:af5a:: with SMTP id x26-v6mr14056476ywj.281.1541217453360; Fri, 02 Nov 2018 20:57:33 -0700 (PDT)
MIME-Version: 1.0
References: <359EC4B99E040048A7131E0F4E113AFC0181A38D8D@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC0181A38D8D@marathon>
From: Töma Gavrichenkov <ximaera@gmail.com>
Date: Sat, 03 Nov 2018 07:57:21 +0400
Message-ID: <CALZ3u+ZSaj3cVBzxnzC9FOa1HifROVtG_gAbXSMcXt-XGnbdwA@mail.gmail.com>
To: rdd@cert.org
Cc: dots <dots@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/NaqJzoncVenrnGf6Ibs8WbB_yB4>
Subject: Re: [Dots] Workflow question about draft-h-dots-mitigation-offload-expansion-00
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2018 03:57:36 -0000

Hello all,

On Sat, Nov 3, 2018 at 6:15 AM Roman Danyliw <rdd@cert.org> wrote:
> [..]
> (1) [telemetry system]->[orchestrator]: DOTS Mitigation Request
> (2) [network admin]->[orchestrator]: DOTS Mitigation Request
> (3) [orchestrator]->[routers/switch]: BGP redirect mitigation
> (4) [DMS]->[orchestrator]: DOTS Mitigation Request
> (5) [orchestrator]->[routers/switch]: BGP redirect mitigation
>
> ** If the orchestrator tasked the routers/switches per (3) to handle
> the attack traffic, how did the DMS get involved in the mitigation?
> What's the difference between the attack traffic handled by (3)
> and the DMS?  How is that coordination happening?

1) I'm not the author of the draft, but as far as I understand it the
use case is as follows (and you might want to take that with a grain
of salt):

Actually, the orchestrator doesn't ask for handling the *attack*
traffic during the step 3. At this point, routers still have no clue
about what's the attack traffic is (they only know who's the target,
as reported by the telemetry system), so they just start routing *all*
of the inbound traffic (including legitimate one) coming towards the
target IP address or IP prefix, via the DMS.

2) Going through the same paragraph, I'm a little bit concerned about
the "top-talker" part. Under most conditions and assuming most common
mitigation boxes, it's either useless or even dangerous to do that
during a volume-based DDoS attack. I'd suggest to put, e.g., an
amplification example here, with port blocking done instead of IP
address blocking.

| Töma Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto: ximaera@gmail.com
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58

v2.23.0 | Report a Bug | By Email