< draft-ietf-dots-telemetry-use-cases-05.txt | draft-ietf-dots-telemetry-use-cases-06.txt > | |||
---|---|---|---|---|
DOTS Y. Hayashi | DOTS Y. Hayashi | |||
Internet-Draft NTT | Internet-Draft NTT | |||
Intended status: Informational M. Chen | Intended status: Informational M. Chen | |||
Expires: August 17, 2022 Li. Su | Expires: August 17, 2022 Li. Su | |||
CMCC | CMCC | |||
February 13, 2022 | February 13, 2022 | |||
Use Cases for DDoS Open Threat Signaling (DOTS) Telemetry | Use Cases for DDoS Open Threat Signaling (DOTS) Telemetry | |||
draft-ietf-dots-telemetry-use-cases-05 | draft-ietf-dots-telemetry-use-cases-06 | |||
Abstract | Abstract | |||
Denial-of-service Open Threat Signaling (DOTS) Telemetry enriches the | Denial-of-service Open Threat Signaling (DOTS) Telemetry enriches the | |||
base DOTS protocols to assist the mitigator in using efficient DDoS- | base DOTS protocols to assist the mitigator in using efficient DDoS- | |||
attack-mitigation techniques in a network. This document presents | attack-mitigation techniques in a network. This document presents | |||
sample use cases for DOTS Telemetry: what components are deployed in | sample use cases for DOTS Telemetry: what components are deployed in | |||
the network, how they cooperate, and what information is exchanged to | the network, how they cooperate, and what information is exchanged to | |||
effectively use these techniques. | effectively use these techniques. | |||
skipping to change at page 2, line 18 ¶ | skipping to change at page 2, line 18 ¶ | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. Telemetry Use Cases . . . . . . . . . . . . . . . . . . . . . 3 | 3. Telemetry Use Cases . . . . . . . . . . . . . . . . . . . . . 3 | |||
3.1. Mitigation Resources Assignment . . . . . . . . . . . . . 3 | 3.1. Mitigation Resources Assignment . . . . . . . . . . . . . 3 | |||
3.1.1. Mitigating Attack Flow of Top-talker Preferentially . 3 | 3.1.1. Mitigating Attack Flow of Top-talker Preferentially . 3 | |||
3.1.2. Optimal DMS Selection for Mitigation . . . . . . . . 6 | 3.1.2. Optimal DMS Selection for Mitigation . . . . . . . . 6 | |||
3.1.3. Best-path Selection for Redirection . . . . . . . . . 8 | 3.1.3. Best-path Selection for Redirection . . . . . . . . . 8 | |||
3.1.4. Short but Extreme Volumetric Attack Mitigation . . . 10 | 3.1.4. Short but Extreme Volumetric Attack Mitigation . . . 10 | |||
3.1.5. Selecting Mitigation Technique Based on Attack Type . 13 | 3.1.5. Selecting Mitigation Technique Based on Attack Type . 12 | |||
3.2. Detailed DDoS Mitigation Report . . . . . . . . . . . . . 16 | 3.2. Detailed DDoS Mitigation Report . . . . . . . . . . . . . 15 | |||
3.3. Tuning Mitigation Resources . . . . . . . . . . . . . . . 19 | 3.3. Tuning Mitigation Resources . . . . . . . . . . . . . . . 18 | |||
3.3.1. Supervised Machine Learning of Flow Collector . . . . 19 | 3.3.1. Supervised Machine Learning of Flow Collector . . . . 18 | |||
3.3.2. Unsupervised Machine Learning of Flow Collector . . . 22 | 3.3.2. Unsupervised Machine Learning of Flow Collector . . . 21 | |||
4. Security Considerations . . . . . . . . . . . . . . . . . . . 24 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 | |||
6. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 24 | 6. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 24 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 23 | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 24 | 7.2. Informative References . . . . . . . . . . . . . . . . . 23 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
1. Introduction | 1. Introduction | |||
Denial-of-Service (DDoS) attacks, such as volumetric attacks and | Denial-of-Service (DDoS) attacks, such as volumetric attacks and | |||
resource-consumption attacks, are critical threats to be handled by | resource-consumption attacks, are critical threats to be handled by | |||
service providers. When such DDoS attacks occur, service providers | service providers. When such DDoS attacks occur, service providers | |||
have to mitigate them immediately to protect or recover their | have to mitigate them immediately to protect or recover their | |||
services. | services. | |||
Therefore, for service providers to immediately protect their network | Therefore, for service providers to immediately protect their network | |||
skipping to change at page 9, line 28 ¶ | skipping to change at page 9, line 30 ¶ | |||
], | ], | |||
"total-attack-traffic": [ | "total-attack-traffic": [ | |||
{ | { | |||
"unit": "megabit-ps", | "unit": "megabit-ps", | |||
"low-percentile-g": "600", | "low-percentile-g": "600", | |||
"mid-percentile-g": "800", | "mid-percentile-g": "800", | |||
"high-percentile-g": "1000", | "high-percentile-g": "1000", | |||
"peak-g": "1100", | "peak-g": "1100", | |||
"current-g": "700" | "current-g": "700" | |||
} | } | |||
], | ||||
"attack-detail": [ | ||||
{ | ||||
"vendor-id": 32473, | ||||
"attack-id": 77, | ||||
"start-time": "1644539068", | ||||
"attack-severity": "high", | ||||
"top-talker":{ | ||||
"talker": [ | ||||
{ | ||||
"source-prefix": "2001:db8::2/128", | ||||
"total-attack-traffic":[ | ||||
{ | ||||
"unit": "megabit-ps", | ||||
"mid-percentile-g": "300" | ||||
} | ||||
] | ||||
}, | ||||
{ | ||||
"source-prefix": "2001:db8::3/128", | ||||
"total-attack-traffic":[ | ||||
{ | ||||
"unit": "megabit-ps", | ||||
"mid-percentile-g": "400" | ||||
} | ||||
] | ||||
} | ||||
] | ||||
} | ||||
} | ||||
] | ] | |||
} | } | |||
] | ] | |||
} | } | |||
} | } | |||
Figure 6: Example of Message Body with Total Attack Traffic and Total Traffic | Figure 6: Example of Message Body with Total Attack Traffic and Total Traffic | |||
In this use case, the forwarding nodes send statics of traffic flow | In this use case, the forwarding nodes send statics of traffic flow | |||
to the flow collectors using, e.g., IPFIX [RFC7011]. When DDoS | to the flow collectors using, e.g., IPFIX [RFC7011]. When DDoS | |||
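Review bot: the prose immediately after Figure 6 is unchanged in both columns and still reads "the forwarding nodes send statics of traffic flow"; "statics" should be "statistics". On the deletion itself, dropping the "attack-detail"/"top-talker" block brings the figure in line with its caption ("Total Attack Traffic and Total Traffic"), which never mentioned top-talker data, and the bracket structure on the right-hand side still balances: the old "]," that closed "total-attack-traffic" and led into "attack-detail" is now the bare "]" that closes "total-attack-traffic" directly before the enclosing "}" and "]".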
skipping to change at page 15, line 40 ¶ | skipping to change at page 14, line 40 ¶ | |||
"connection": 300 | "connection": 300 | |||
} | } | |||
] | ] | |||
} | } | |||
], | ], | |||
"attack-detail": [ | "attack-detail": [ | |||
{ | { | |||
"vendor-id": 32473, | "vendor-id": 32473, | |||
"attack-id": 77, | "attack-id": 77, | |||
"start-time": "1644539068", | "start-time": "1644539068", | |||
"attack-severity": "high", | "attack-severity": "high" | |||
"attack-description": "DNS amplification Attack: This attack is a type of reflection attack in which attackers spoofes a target's IP address. The attackers abuses vulnerbilities in DNS servers to turn small queries into larger payloads." | ||||
}, | }, | |||
{ | { | |||
"vendor-id": 32473, | "vendor-id": 32473, | |||
"attack-id": 92, | "attack-id": 92, | |||
"start-time": "1644539080", | "start-time": "1644539080", | |||
"attack-severity": "high", | "attack-severity": "high" | |||
"attack-description":"NTP amplification Attack: This attack is a type of reflection attack in which attackers spoofes a target's IP address. The attackers abuses vulnerbilities in NTP servers to turn small queries into larger payloads." | ||||
} | } | |||
] | ] | |||
} | } | |||
] | ] | |||
} | ||||
} | ||||
In this example, attack mappings as below are shared using data-channel in advance. | ||||
{ | ||||
"ietf-dots-mapping:vendor-mapping": { | ||||
"vendor": [ | ||||
{ | ||||
"vendor-id": 32473, | ||||
"vendor-name": "mitigator-c", | ||||
"last-updated": "1629898958", | ||||
"attack-mapping": [ | ||||
{ | ||||
"attack-id": 77, | ||||
"attack-description": | ||||
"attack-description": "DNS amplification Attack: This attack is a type of reflection attack in which attackers spoofes a target's IP address. The attackers abuses vulnerbilities in DNS servers to turn small queries into larger payloads." | ||||
}, | ||||
{ | ||||
"attack-id": 92, | ||||
"attack-description": | ||||
"attack-description":"NTP amplification Attack: This attack is a type of reflection attack in which attackers spoofes a target's IP address. The attackers abuses vulnerbilities in NTP servers to turn small queries into larger payloads." | ||||
} | ||||
] | ||||
} | ||||
] | ||||
} | } | |||
} | } | |||
Figure 10: Example of Message Body with Total Attack Traffic, Total Attack Traffic Protocol, Total Attack Connection and Attack Type | Figure 10: Example of Message Body with Total Attack Traffic, Total Attack Traffic Protocol, Total Attack Connection and Attack Type | |||
In this use case, the forwarding nodes send statics of traffic flow | In this use case, the forwarding nodes send statics of traffic flow | |||
to the flow collectors using, e.g., IPFIX [RFC7011]. When DDoS | to the flow collectors using, e.g., IPFIX [RFC7011]. When DDoS | |||
attacks occur, the flow collectors identify attack traffic and send | attacks occur, the flow collectors identify attack traffic and send | |||
attack type information to the orchestrator the using "vendor-id" and | attack type information to the orchestrator the using "vendor-id" and | |||
"attack-id" telemetry attributes. The orchestrator then resolves | "attack-id" telemetry attributes. The orchestrator then resolves | |||
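Review bot: with "attack-description" removed from both "attack-detail" entries and the paragraph "In this example, attack mappings as below are shared using data-channel in advance." deleted together with its "ietf-dots-mapping:vendor-mapping" JSON, the text after Figure 10 still says the orchestrator "resolves" the "vendor-id" and "attack-id" attributes, but the right-hand column no longer tells the reader where the mapping comes from; keep one sentence stating that the vendor attack mapping is shared over the data channel in advance. The deletion does remove the duplicated key in the old mapping example ("attack-description": "attack-description": "DNS amplification Attack: ..."), which was not valid JSON, and the trailing commas after "attack-severity": "high" are correctly dropped now that nothing follows. Two wording errors survive unchanged in both columns: "statics of traffic flow" should be "statistics", and "to the orchestrator the using "vendor-id"" should read "to the orchestrator using the "vendor-id"".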
End of changes. 7 change blocks. | ||||
48 lines changed or deleted | 39 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |