Re: [Dots] Target-Attack-type expansion: more discussion

"MeiLing Chen" <> Thu, 09 May 2019 03:28 UTC

Date: Thu, 09 May 2019 11:28:00 +0800
From: MeiLing Chen <>
To: Töma Gavrichenkov <>
Cc: dots <>
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <>

Hi Töma,
Please see inline.

>On Mon, May 6, 2019 at 1:10 PM MeiLing Chen <> wrote:
>> Actually, it is more inclined to use TCP/IP four-layer protocol.
>Which layer is QUIC then?
>The Internet protocol suite is not really layered.  OSI model is, but
>the IETF as a whole tends to slip away from the layered model.  To
>quote Christian Huitema:
>"There is also beauty in *not* having a layered architecture [..]. It
>is great to see transport functions like acknowledgement or flow
>control fully contained in the Quic transport. Quic is about transport
>innovation, and that pretty much requires direct access to the network
>API. In practice, layered implementation hide that API, so the
>transport developers have to constantly negotiate with the
>intermediate layer developers."
>I would strongly oppose a classification based on "exploited protocol
>layers".  As attractive as it is academically, it makes operational
>issues more opaque.
[MeiLing] What we pay more attention to here is the method of attack; "protocol layer" is a field that we design for classification and definition, because for different layers of protocol, the required parsing power and times are not the same.
For example, the DNS protocol can be resolved to the UDP layer or to the application (DNS) layer. The same problem applies to TCP and HTTP. In order to better analyze attacks and defend against attacks, we think it is more explicit and helpful with the indication of the layer and type of protocol.