< draft-ietf-dots-telemetry-use-cases-05.txt   draft-ietf-dots-telemetry-use-cases-06.txt >
DOTS Y. Hayashi DOTS Y. Hayashi
Internet-Draft NTT Internet-Draft NTT
Intended status: Informational M. Chen Intended status: Informational M. Chen
Expires: August 17, 2022 Li. Su Expires: August 17, 2022 Li. Su
CMCC CMCC
February 13, 2022 February 13, 2022
Use Cases for DDoS Open Threat Signaling (DOTS) Telemetry Use Cases for DDoS Open Threat Signaling (DOTS) Telemetry
draft-ietf-dots-telemetry-use-cases-05 draft-ietf-dots-telemetry-use-cases-06
Abstract Abstract
Denial-of-service Open Threat Signaling (DOTS) Telemetry enriches the Denial-of-service Open Threat Signaling (DOTS) Telemetry enriches the
base DOTS protocols to assist the mitigator in using efficient DDoS- base DOTS protocols to assist the mitigator in using efficient DDoS-
attack-mitigation techniques in a network. This document presents attack-mitigation techniques in a network. This document presents
sample use cases for DOTS Telemetry: what components are deployed in sample use cases for DOTS Telemetry: what components are deployed in
the network, how they cooperate, and what information is exchanged to the network, how they cooperate, and what information is exchanged to
effectively use these techniques. effectively use these techniques.
skipping to change at page 2, line 18 skipping to change at page 2, line 18
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Telemetry Use Cases . . . . . . . . . . . . . . . . . . . . . 3 3. Telemetry Use Cases . . . . . . . . . . . . . . . . . . . . . 3
3.1. Mitigation Resources Assignment . . . . . . . . . . . . . 3 3.1. Mitigation Resources Assignment . . . . . . . . . . . . . 3
3.1.1. Mitigating Attack Flow of Top-talker Preferentially . 3 3.1.1. Mitigating Attack Flow of Top-talker Preferentially . 3
3.1.2. Optimal DMS Selection for Mitigation . . . . . . . . 6 3.1.2. Optimal DMS Selection for Mitigation . . . . . . . . 6
3.1.3. Best-path Selection for Redirection . . . . . . . . . 8 3.1.3. Best-path Selection for Redirection . . . . . . . . . 8
3.1.4. Short but Extreme Volumetric Attack Mitigation . . . 10 3.1.4. Short but Extreme Volumetric Attack Mitigation . . . 10
3.1.5. Selecting Mitigation Technique Based on Attack Type . 13 3.1.5. Selecting Mitigation Technique Based on Attack Type . 12
3.2. Detailed DDoS Mitigation Report . . . . . . . . . . . . . 16 3.2. Detailed DDoS Mitigation Report . . . . . . . . . . . . . 15
3.3. Tuning Mitigation Resources . . . . . . . . . . . . . . . 19 3.3. Tuning Mitigation Resources . . . . . . . . . . . . . . . 18
3.3.1. Supervised Machine Learning of Flow Collector . . . . 19 3.3.1. Supervised Machine Learning of Flow Collector . . . . 18
3.3.2. Unsupervised Machine Learning of Flow Collector . . . 22 3.3.2. Unsupervised Machine Learning of Flow Collector . . . 21
4. Security Considerations . . . . . . . . . . . . . . . . . . . 24 4. Security Considerations . . . . . . . . . . . . . . . . . . . 23
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
6. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 24 6. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 23
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.1. Normative References . . . . . . . . . . . . . . . . . . 24 7.1. Normative References . . . . . . . . . . . . . . . . . . 23
7.2. Informative References . . . . . . . . . . . . . . . . . 24 7.2. Informative References . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
Denial-of-Service (DDoS) attacks, such as volumetric attacks and Denial-of-Service (DDoS) attacks, such as volumetric attacks and
resource-consumption attacks, are critical threats to be handled by resource-consumption attacks, are critical threats to be handled by
service providers. When such DDoS attacks occur, service providers service providers. When such DDoS attacks occur, service providers
have to mitigate them immediately to protect or recover their have to mitigate them immediately to protect or recover their
services. services.
Therefore, for service providers to immediately protect their network Therefore, for service providers to immediately protect their network
skipping to change at page 9, line 28 skipping to change at page 9, line 30
], ],
"total-attack-traffic": [ "total-attack-traffic": [
{ {
"unit": "megabit-ps", "unit": "megabit-ps",
"low-percentile-g": "600", "low-percentile-g": "600",
"mid-percentile-g": "800", "mid-percentile-g": "800",
"high-percentile-g": "1000", "high-percentile-g": "1000",
"peak-g": "1100", "peak-g": "1100",
"current-g": "700" "current-g": "700"
} }
],
"attack-detail": [
{
"vendor-id": 32473,
"attack-id": 77,
"start-time": "1644539068",
"attack-severity": "high",
"top-talker":{
"talker": [
{
"source-prefix": "2001:db8::2/128",
"total-attack-traffic":[
{
"unit": "megabit-ps",
"mid-percentile-g": "300"
}
]
},
{
"source-prefix": "2001:db8::3/128",
"total-attack-traffic":[
{
"unit": "megabit-ps",
"mid-percentile-g": "400"
}
]
}
]
}
}
] ]
} }
] ]
} }
} }
Figure 6: Example of Message Body with Total Attack Traffic and Total Traffic Figure 6: Example of Message Body with Total Attack Traffic and Total Traffic
In this use case, the forwarding nodes send statics of traffic flow In this use case, the forwarding nodes send statics of traffic flow
to the flow collectors using, e.g., IPFIX [RFC7011]. When DDoS to the flow collectors using, e.g., IPFIX [RFC7011]. When DDoS
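Review bot: the caption of Figure 6 still reads "Example of Message Body with Total Attack Traffic and Total Traffic" although the -06 body now also carries an "attack-detail" entry with a "top-talker" list; rename the caption (for example "... Total Traffic and Top-talker") so the figure title matches what the example shows. The added numbers are internally consistent: the two talkers' "mid-percentile-g" values of 300 and 400 sum to 700, below the aggregate "mid-percentile-g": "800", which is what a partial top-talker list should look like. Minor style point: "top-talker":{ and "total-attack-traffic":[ lack the space after the colon used everywhere else in the figure.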
skipping to change at page 15, line 40 skipping to change at page 14, line 40
"connection": 300 "connection": 300
} }
] ]
} }
], ],
"attack-detail": [ "attack-detail": [
{ {
"vendor-id": 32473, "vendor-id": 32473,
"attack-id": 77, "attack-id": 77,
"start-time": "1644539068", "start-time": "1644539068",
"attack-severity": "high", "attack-severity": "high"
"attack-description": "DNS amplification Attack: This attack is a type of reflection attack in which attackers spoofes a target's IP address. The attackers abuses vulnerbilities in DNS servers to turn small queries into larger payloads."
}, },
{ {
"vendor-id": 32473, "vendor-id": 32473,
"attack-id": 92, "attack-id": 92,
"start-time": "1644539080", "start-time": "1644539080",
"attack-severity": "high", "attack-severity": "high"
"attack-description":"NTP amplification Attack: This attack is a type of reflection attack in which attackers spoofes a target's IP address. The attackers abuses vulnerbilities in NTP servers to turn small queries into larger payloads."
} }
] ]
} }
] ]
}
}
In this example, attack mappings as below are shared using data-channel in advance.
{
"ietf-dots-mapping:vendor-mapping": {
"vendor": [
{
"vendor-id": 32473,
"vendor-name": "mitigator-c",
"last-updated": "1629898958",
"attack-mapping": [
{
"attack-id": 77,
"attack-description":
"attack-description": "DNS amplification Attack: This attack is a type of reflection attack in which attackers spoofes a target's IP address. The attackers abuses vulnerbilities in DNS servers to turn small queries into larger payloads."
},
{
"attack-id": 92,
"attack-description":
"attack-description":"NTP amplification Attack: This attack is a type of reflection attack in which attackers spoofes a target's IP address. The attackers abuses vulnerbilities in NTP servers to turn small queries into larger payloads."
}
]
}
]
} }
} }
Figure 10: Example of Message Body with Total Attack Traffic, Total Attack Traffic Protocol, Total Attack Connection and Attack Type Figure 10: Example of Message Body with Total Attack Traffic, Total Attack Traffic Protocol, Total Attack Connection and Attack Type
In this use case, the forwarding nodes send statics of traffic flow In this use case, the forwarding nodes send statics of traffic flow
to the flow collectors using, e.g., IPFIX [RFC7011]. When DDoS to the flow collectors using, e.g., IPFIX [RFC7011]. When DDoS
attacks occur, the flow collectors identify attack traffic and send attacks occur, the flow collectors identify attack traffic and send
attack type information to the orchestrator the using "vendor-id" and attack type information to the orchestrator the using "vendor-id" and
"attack-id" telemetry attributes. The orchestrator then resolves "attack-id" telemetry attributes. The orchestrator then resolves
 End of changes. 7 change blocks. 
48 lines changed or deleted 39 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/