[Dots] Signal / Data / Alias / Filter Implementation

["Jon Shallow" <supjps-ietf@jpshallow.com>]

Hi There,

 

I am trying to get my mind around how to implement this and have some
questions / statements.

 

Signal Channel

 

The Signal channel looks very like Destination RTBH with some extras
(protocols / port) as everything is target-* based.  There is no concept of
source-ip, source-port (to handle reflection attacks) etc. or dealing with
fragmented packet, icmp types and rate-limiting.

 

The DOTS client may have the smarts to work out what are the problematic
source-* etc. values (e.g. can generate smart BGP FlowSpec rules) are that
will sensibly control the DDoS Attack.

 

It is possible to use a previously defined alias over the Data Channel as an
alternative for a mitigation request, but this too has source-* etc.
limitations.

I have not found a way of using a Filter defined over the Data Channel as a
signal

 

Sending a signal will cause all traffic to stop (or rate-limit possibly if
it also happens to match a filter) to the target IP on the ports in question
-  DDoS attack is now effective unless the DOTS server elects (via DNS or
BGP swing) to scrub that particular traffic (by controlling rates, Source
IPs / Source Ports etc.).

 

Data Channel

 

Can be used to set up aliases for later use.  These again however appear to
be target-* based, with no source-*, icmp type or fragmentation
capabilities.

 

Can set up a Filter, which does include both source and destination IPs, but
appears that it is acted on when pushed over the data channel, and cannot be
send as a signal - appears to be in place more for black/white listing IPs
than as a signal for mitigation, but does include rate-limiting

 

Questions

 

How do we handle Source-* information in a mitigation signal request?

How do we handle specific ICMP types  in a mitigation signal request?

How do we handle fragmentation  in a mitigation signal request?

 

Regards

 

Jon