Re: [Dots] New Version Notification for draft-reddy-dots-telemetry-02.txt

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 01 October 2019 07:43 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 418DB120143 for <dots@ietfa.amsl.com>; Tue, 1 Oct 2019 00:43:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QFzOaL07h06v for <dots@ietfa.amsl.com>; Tue, 1 Oct 2019 00:43:49 -0700 (PDT)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [216.205.24.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF8AF120119 for <dots@ietf.org>; Tue, 1 Oct 2019 00:43:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1569915827; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=D71dW8ZSUIBZrfK308OQ7bTZOUEXn3eB55K/IOgZCJo=; b=kkxZQeI9ZrcLfAVzMJdSzb+axU17gXzBrSsDmlQFoEdWNBxOILN/uSKl777SAkgeR7tSQx TDVEYxqP0wDHnJGMgaq8SG/gYfyV/w5LLJ+UGI8kKwP/pLVUxGvDWCABJJZLkB3yUBdRlS 9QvbyZwFowhPD8BsJdXU78ZyG9dyHEU=
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-by2nam05lp2053.outbound.protection.outlook.com [104.47.50.53]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-197-Aoi7iiyJPDSoumfYeYuchg-1; Tue, 01 Oct 2019 03:43:44 -0400
Received: from DM5PR16MB1705.namprd16.prod.outlook.com (10.172.44.147) by DM5PR16MB1770.namprd16.prod.outlook.com (10.174.178.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.20; Tue, 1 Oct 2019 07:43:41 +0000
Received: from DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::e820:4730:9c:32ad]) by DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::e820:4730:9c:32ad%8]) with mapi id 15.20.2305.017; Tue, 1 Oct 2019 07:43:41 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "Panwei (William)" <william.panwei@huawei.com>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: New Version Notification for draft-reddy-dots-telemetry-02.txt
Thread-Index: AQHVaSPwGU+amr0TH0y3YjWht+oT8acndpvQgBwlkqCAAGSocA==
Date: Tue, 1 Oct 2019 07:43:40 +0000
Message-ID: <DM5PR16MB17058F267A95C8603218139DEA9D0@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <156826250811.13202.11257195174976096554.idtracker@ietfa.amsl.com> <CAFpG3gdKUqudfwn3brAjN0Cv7qhx7JSV-iXkv09E+3dVei0p1A@mail.gmail.com> <DM5PR16MB17055529AD5F77293A2740ABEAB00@DM5PR16MB1705.namprd16.prod.outlook.com> <30E95A901DB42F44BA42D69DB20DFA6A6DF6FE55@nkgeml513-mbx.china.huawei.com>
In-Reply-To: <30E95A901DB42F44BA42D69DB20DFA6A6DF6FE55@nkgeml513-mbx.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.3.0.17
dlp-reaction: no-action
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 98b63fc9-ef3a-4fc2-a655-08d74643141f
x-ms-traffictypediagnostic: DM5PR16MB1770:
x-ms-exchange-purlcount: 9
x-microsoft-antispam-prvs: <DM5PR16MB177089BA0993C45BDF722BB6EA9D0@DM5PR16MB1770.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2089;
x-forefront-prvs: 0177904E6B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(136003)(39860400002)(396003)(346002)(376002)(51914003)(22974007)(32952001)(199004)(189003)(256004)(6116002)(80792005)(11346002)(81166006)(9686003)(6306002)(54896002)(55016002)(99286004)(790700001)(33656002)(6436002)(236005)(476003)(486006)(446003)(3846002)(81156014)(2906002)(14454004)(2420400007)(15650500001)(966005)(25786009)(7696005)(6506007)(5660300002)(76176011)(6916009)(316002)(52536014)(8936002)(53546011)(74316002)(66066001)(478600001)(8676002)(102836004)(66574012)(606006)(9326002)(229853002)(7736002)(71200400001)(186003)(86362001)(64756008)(66556008)(66946007)(4326008)(66446008)(14444005)(76116006)(6246003)(71190400001)(66476007)(7110500001)(5024004)(26005)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB1770; H:DM5PR16MB1705.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 4C9KxAKNXeQwBUR9oec0slN6DasZAzbQxKBJKqyOSxF/6fhjXP1rmRIWENIZqrgFpwWqbV/Wnj+g4t9w6AEPFu/sBvPz/2Y0/Z2NfQ8yUHLJT26XLSxwksT7FXqZjNY7SM9DRWqlJiLYS+NX+c8qE3yrukkUPX0Rc7hcsJN7ZDEWn2zMOjmExq9BWKmqXIJnQtwv65854PWdy8WtEkXp283xgw0bbZ3BBlpn3kIGPF5P8EO5UlPYoZxzWnLBxfGKH5RS+a9C4FLvkgK4EQg9eOydfqllhqtOR9FBQ6cbBVFWjPAsFyMuVEf0tMh6v/9SST62mK829BGTTGiD42oIJSRdIskllL4n6YbhsSnzI1E3CiTmZ8gcd0drJbh2RA3UxD7rU/DYZkPjCpahna3+nFnHZp1hiyuHCHIdDN9EJ6vUgJ7VBNNRRLXeDiNG8TSGCtqI8qPVMBabkVj3EvBFWw==
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 98b63fc9-ef3a-4fc2-a655-08d74643141f
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Oct 2019 07:43:40.9066 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 52q+1/p+jWXpjYeX0aa8ai97Vngmi/G9JBAO8qNt3eur4H34MMAvN3OFICjD0WNP1nWMMYKO6v/4wCcuTO22mmI30maao+XT2QQJu/DgLvwVdx5WzuSxcyD8iL/+j/nq
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB1770
X-MC-Unique: Aoi7iiyJPDSoumfYeYuchg-1
X-Mimecast-Spam-Score: 0
Content-Type: multipart/alternative; boundary="_000_DM5PR16MB17058F267A95C8603218139DEA9D0DM5PR16MB1705namp_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/RYVQkjYUnIYHIbWdwb3jaqQRvFg>
Subject: Re: [Dots] New Version Notification for draft-reddy-dots-telemetry-02.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2019 07:44:03 -0000

Hi Wei,

Thanks for the detailed review. Please see inline

From: Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>>
Sent: Monday, September 30, 2019 8:04 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>
Cc: dots@ietf.org<mailto:dots@ietf.org>
Subject: RE: New Version Notification for draft-reddy-dots-telemetry-02.txt


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

________________________________
Hi Tiru,

I’ve read the new version, and I have some thoughts, please see below.

In Section 2, at the end of the definition of ‘DOTS Telemetry’, it says ‘The DOTS Telemetry is an optional set of attributes that can be signaled in the DOTS signal channel protocol’, I think DOTS data channel protocol is also a suitable candidate for conveying DOTS Telemetry in some cases. For example, you can use DOTS data channel to convey the “normal traffic baseline” information during peace time. And if there is an out-of-band link between DOTS agents, you can use DOTS data channel without problems like packet loss.

[TR] We would want to avoid two protocols to convey the same telemetry details. DOTS signal channel can used to signal the telemetry both during peace and attack times. The pre-mitigation telemetry attributes can be sent in a Confirmable CoAP request for reliable transmission.

About the “normal traffic baseline”, in Section 3, it describes learning the normal behavior by using the machine learning approaches and distinguishing the anomaly behavior deviated from the normal behavior. I assume the normal traffic pattern needs many characteristics to be profiled so that machine learning techniques are needed, but for now in the draft, the normal traffic baseline attributes are only 10%/50%/90% percentile and peak value of the whole traffic to the target, are those values enough for the anomaly detection?

[TR] Yes, these values provide normal baseline the mitigator needs to achieve during the attack mitigation.

Does the traffic baseline need to be categorized by protocol type?

[TR] Yes, will update draft.

Does some other attributes are needed, like the average and variance of the packet length?

Percentile is better than average, see https://www.elastic.co/blog/averages-can-dangerous-use-percentile and https://www.dynatrace.com/news/blog/why-averages-suck-and-percentiles-are-great/

I think conveying normal baseline from the DOTS client to the DOTS server is used for the case that the DOTS server can proactively detect the attack in case it fails receiving the Mitigation Request. That is, when the DOTS server fails to receive the Mitigation Request sent by the DOTS client because the link is saturated by the attack traffic, but the DOTS server can still detect the attack by using this normal traffic baseline information sent by the
DOTS client during peace time. Based on this purpose, I think sending the alarm threshold is also a reasonable and optional way to achieve this purpose, and it can be more direct for using. The DOTS client can continuously and automatically calculate the alarm threshold by using the machine learning techniques, then it can send this alarm threshold to the DOTS server periodically or after the threshold changes. When the attack occurs and the DOTS server fails receiving the Mitigation Request, it can still recognize the attack if the traffic to the target exceeds the threshold for a period of time. The alarm threshold also can be protocol specific, so that it can be more accurate.

[TR] I don’t get the above comment, DOTS server will propagate the DOTS telemetry to the DDoS mitigator, and the mitigator can use telemetry to tune the mitigation resources and mitigation strategy.

About the ‘Total Attack Traffic’ and ‘Total Traffic’, for now the draft requires them to be statistical attributes. I think the statistical values are fine but shouldn’t be mandatory. For the case that the DOTS client immediately sends the Mitigation Request and the Pre-mitigation Telemetry together to the DOTS server once it realizes an attack has occurred, it can send the instantaneous ‘Total Attack Traffic’ and ‘Total Traffic’ without waiting some time to do the statistics. So I suggest making the statistical values and current values all available and optional, to let different DOTS clients choose what to send.

[TR] All the percentile values are optional. The DDoS attack typically evolves over time, signaling only the current value of attack traffic looks less useful to derive any meaningful hint on the nature of the attack to the attacker. If statistical data is not available, the current value becomes the peak value.

Section 4.1.5, Total Connections Characteristics, is designed for the resource-based DDoS attacks. But compared to the volume-based DDoS attacks, I think some other kinds of attribute are also needed.

[TR] Please suggest the other attributes.

The DOTS Telemetry attributes used for volume-based DDoS attacks can be categorized for 3 types: 1) The normal baseline (or the alarm threshold), which now is Section 4.1.1; 2) The capability information, which now is Section 4.1.2; 3) The current situation, which now is Section 4.1.3 and 4.1.4. But for the resource-based attacks, the ‘Total Connections Characteristics’ is just the capability information, I think the baseline information and the current situation can also be defined.

[TR] 4.1.2 is the total pipe capacity, which is the level of traffic the DOTS client domain can absorb from the upstream network. Resource-based DDoS attacks do not have any equivalent to pipe capacity. I think percentile values will be more useful than the current value for representing the attack characteristics, will update the draft.

For the attributes now in the ‘Total Connections Characteristics’, I think the ‘per client’ attributes should also support protocol specific, this support can be optional for the DOTS clients.

[TR] Agreed, updated draft.

Besides, what are the ‘partial requests’?

[TR] It means incomplete requests, see https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/

Cheers,
-Tiru

Regards & Thanks!
潘伟 Wei Pan
华为技术有限公司 Huawei Technologies Co., Ltd.

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
Sent: Thursday, September 12, 2019 12:55 PM
To: dots@ietf.org<mailto:dots@ietf.org>
Subject: [Dots] FW: New Version Notification for draft-reddy-dots-telemetry-02.txt

This revision https://tools.ietf.org/html/draft-reddy-dots-telemetry-02 addresses comments from Kaname, Jon, Wei Pan and Yuuhei Hayashi.

Major changes are listed below:

a.  Added path-suffix ‘telemetry’ to from the URI to signal DOTS telemetry
b.  Added attributes useful to detect resource-based DDoS attacks
c.  Attack details can be signaled from the DOTS client to server and vice-versa.
d.  Added several new attributes for attack details including top talkers.


Comments and suggestions are welcome.



-Tiru

---------- Forwarded message ---------
From: <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Date: Thu, 12 Sep 2019 at 09:58
Subject: New Version Notification for draft-reddy-dots-telemetry-02.txt
To: Tirumaleswar Reddy <kondtir@gmail.com<mailto:kondtir@gmail.com>>, Ehud Doron <ehudd@radware.com<mailto:ehudd@radware.com>>, Mohamed Boucadair <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>



A new version of I-D, draft-reddy-dots-telemetry-02.txt
has been successfully submitted by Tirumaleswar Reddy and posted to the
IETF repository.

Name:           draft-reddy-dots-telemetry
Revision:       02
Title:          Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry
Document date:  2019-09-12
Group:          Individual Submission
Pages:          16
URL:            https://www.ietf.org/internet-drafts/draft-reddy-dots-telemetry-02.txt
Status:         https://datatracker.ietf.org/doc/draft-reddy-dots-telemetry/
Htmlized:       https://tools.ietf.org/html/draft-reddy-dots-telemetry-02
Htmlized:       https://datatracker.ietf.org/doc/html/draft-reddy-dots-telemetry
Diff:           https://www.ietf.org/rfcdiff?url2=draft-reddy-dots-telemetry-02

Abstract:
   This document aims to enrich DOTS signal channel protocol with
   various telemetry attributes allowing optimal DDoS attack mitigation.
   This document specifies the normal traffic baseline and attack
   traffic telemetry attributes a DOTS client can convey to its DOTS
   server in the mitigation request, the mitigation status telemetry
   attributes a DOTS server can communicate to a DOTS client, and the
   mitigation efficacy telemetry attributes a DOTS client can
   communicate to a DOTS server.  The telemetry attributes can assist
   the mitigator to choose the DDoS mitigation techniques and perform
   optimal DDoS attack mitigation.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org>.

The IETF Secretariat