IETF Logo Mail Archive

Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 29 April 2019 12:59 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4BBD1200F8 for <dots@ietfa.amsl.com>; Mon, 29 Apr 2019 05:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nIznbbjqG_3K for <dots@ietfa.amsl.com>; Mon, 29 Apr 2019 05:59:12 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 934391202D9 for <dots@ietf.org>; Mon, 29 Apr 2019 05:59:12 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1556542370; h=From: To:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: Content-Transfer-Encoding:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=mWaTCn5qWZUe0Usg5b/FA6qfP/bjF9b/x1bxKo wkKP0=; b=oFzjUb6VAKdP41P0BHUWWXp8DoArzC78UwdVaTvS NGgNYU/t0o4ZnqZa5SwyTfja+y3KhMx2a3cdZU8GQvPjiagEQM Li/f1YeYZBzA32ZuPCNpipTu8tLHkfLjbD3iXDvAU8xVvgG/u6 74gRb5bvMTQVOzGfiBkg56/vrqVFsZY=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (DNVEXAPP1N06.corpzone.internalzone.com [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 4ac7_f9e5_1a6221ce_7d7a_440e_9ce6_e4fcbf0e9739; Mon, 29 Apr 2019 06:52:50 -0600
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 29 Apr 2019 06:58:43 -0600
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Mon, 29 Apr 2019 06:58:43 -0600
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (10.44.176.240) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 29 Apr 2019 06:58:42 -0600
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2502.namprd16.prod.outlook.com (20.177.224.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1835.15; Mon, 29 Apr 2019 12:58:40 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::4873:7200:9e57:9e62]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::4873:7200:9e57:9e62%5]) with mapi id 15.20.1835.018; Mon, 29 Apr 2019 12:58:40 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Jon Shallow <supjps-ietf@jpshallow.com>, kaname nishizuka <kaname@nttv6.jp>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
Thread-Index: AdT6ZmI8uG0f606MQBW+/9uvcTWn6QA3ueOAAAD5v4AAAuISAAACLWCwAASh2bAAAFNQMAAALZggAB/gx7AADZnDQAAB9k5gAAGY4eAAh04/QAAA/5ngAAUJIHAAADrVQAAAy9qAAADPe0AAAl2uEAADFwxAAACGwAAAABxFcA==
Date: Mon, 29 Apr 2019 12:58:40 +0000
Message-ID: <BYAPR16MB2790A37C1A6980D996B92B6CEA390@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <787AE7BB302AE849A7480A190F8B93302EA649B4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <c3c9614f-908a-c132-cd35-6c627e341f2b@nttv6.jp> <012601d4fb49$3328c000$997a4000$@jpshallow.com> <BYAPR16MB279020119E24ADCB54B339E3EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6591A@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27903D8D208FA3AC951FDEE4EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA65AD6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279013E8029BE0294293A333EA3D0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6623D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790146175B845622B2EF438EA3E0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6649C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27909F467FFE57F380015E94EA3E0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA66FEC@OPEXCAUBMA2.corporate.adroo t.infra.ftgroup> <BYAPR16MB279071FE429E252221521470EA390@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA67156@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790D9396449CF75422C010CEA390@BYAPR16MB2790.namprd16.prod.outlook.com> <03f901d4fe6f$98f00a00$cad01e00$@jpshallow.com> <BYAPR16MB2790B418CFE55D99C282FA71EA390@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6725D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790D07ADECEBA6DAD156B5CEA390@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA6736E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA6736E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [185.221.69.46]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d97543ce-4616-478c-b1be-08d6cca2673c
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:BYAPR16MB2502;
x-ms-traffictypediagnostic: BYAPR16MB2502:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <BYAPR16MB25020AFCFF1F7DA03C030D1AEA390@BYAPR16MB2502.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0022134A87
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(39860400002)(376002)(346002)(396003)(136003)(189003)(13464003)(199004)(32952001)(52536014)(6436002)(66446008)(76176011)(5024004)(14444005)(256004)(66556008)(64756008)(2906002)(74316002)(478600001)(72206003)(80792005)(97736004)(33656002)(305945005)(7736002)(6246003)(55016002)(6306002)(5660300002)(9686003)(53936002)(8676002)(76116006)(81166006)(81156014)(7696005)(110136005)(229853002)(316002)(71200400001)(66476007)(3846002)(6116002)(25786009)(73956011)(8936002)(71190400001)(14454004)(476003)(2501003)(68736007)(99286004)(486006)(186003)(6506007)(26005)(53546011)(102836004)(66066001)(966005)(30864003)(86362001)(93886005)(446003)(66946007)(11346002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2502; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: N0ZyFLbTRU3Vn0Dewe52wi+540rrncVy5JWRhEDmvDkQPuyHhSPmgHh9HQmFH1cIhejMOjNCu29dKC34loA5vQge52Pv7oKvs4qzMuwCjLxB7VFsOymiNmDigp+COYFvQKNmzHCM8QsnOpbEcQWLFLY+LCwj1JjpEBlAMzzfh56gOUxZZHEXuJtHwpzKffa9L7Wy+E6dOOs5PhM06IvyVUZKMdrxAdI313iUaxkke8ZP/3xdN/yerX+HM9uQoX+RQbEg9PGZbjN19Nyk4V2zj1XStwhU6Cjhq3A/dmDlaV/wVtLVmO12Tbtc5jq8/TGMJw9+du27cYxCYwPyJzryxX1lfOn+IyjlUW4ykJo3xxhGGaxUlyck5+AvPhjiODbBDJ7pC8h8qQvwGlUOGOMloTPwYxsz/PWeBEfH+q9G6A0=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d97543ce-4616-478c-b1be-08d6cca2673c
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Apr 2019 12:58:40.7162 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2502
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.6
X-NAI-Spam-Version: 2.3.0.9418 : core <6534> : inlines <7062> : streams <1820068> : uri <2838483>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/YgE0D5q9j-PxYn5RT76DVatb--8>
Subject: Re: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Apr 2019 12:59:16 -0000

> -----Original Message-----
> From: mohamed.boucadair@orange.com
> <mohamed.boucadair@orange.com>
> Sent: Monday, April 29, 2019 6:27 PM
> To: Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com>; Jon Shallow <supjps-
> ietf@jpshallow.com>; kaname nishizuka <kaname@nttv6.jp>; dots@ietf.org
> Subject: RE: [Dots] (draft-ietf-dots-signal-filter-control) ACL Stats issue
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is
> safe.
> 
> Tiru,
> 
> Looks like a candidate item in a separate DOTS telemetry specification I-D,
> rather than restricting it to the filter control case.
> 
> Hope this is OK with you.

Yes, works for me.

-Tiru

> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Konda, Tirumaleswar Reddy
> > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > Envoyé : lundi 29 avril 2019 14:47
> > À : BOUCADAIR Mohamed TGI/OLN; Jon Shallow; kaname nishizuka;
> > dots@ietf.org Objet : RE: [Dots]
> > (draft-ietf-dots-signal-filter-control) ACL Stats issue
> >
> > > -----Original Message-----
> > > From: mohamed.boucadair@orange.com
> > > <mohamed.boucadair@orange.com>
> > > Sent: Monday, April 29, 2019 5:05 PM
> > > To: Konda, Tirumaleswar Reddy
> > > <TirumaleswarReddy_Konda@McAfee.com>; Jon Shallow <supjps-
> > > ietf@jpshallow.com>; kaname nishizuka <kaname@nttv6.jp>;
> > > dots@ietf.org
> > > Subject: RE: [Dots] (draft-ietf-dots-signal-filter-control) ACL
> > > Stats issue
> > >
> > > This email originated from outside of the organization. Do not click
> > > links
> > or
> > > open attachments unless you recognize the sender and know the
> > > content is safe.
> > >
> > > Tiru,
> > >
> > > I agree that we are approaching the problem with two different use cases:
> > >
> > > (1) a client domain with is basically "consuming" services. I do
> > > still
> > think this
> > > use case does not need to learn about the ACL stats.
> >
> > Yes.
> >
> > >
> > > (2) your case in which the client domain is "providing" services: I
> > > still
> > think
> > > that the impact on business can be determined also using local
> > > information (known patterns + rate-limit policy applied by the
> > > client). If the goal is
> > to
> > > decide whether/when an alternate mitigator is to be solicited, this
> > > can deterministically rely upon "status" set to 4 (Attack has
> > > exceeded the mitigation provider capacity) or deactivate back the
> > > rate-limit ACL + local observation. Please remember that local
> > > observation is needed for efficacy update.
> >
> > "Attack has exceeded" status message does not convey the details the
> > traffic rate-limited, and the client needs to understand the attack
> > scale to figure out suitable alternate mitigation provider.  It is a
> > critical DOTS telemetry that needs to be conveyed in the signal
> > channel and cannot be propagated in the data channel during an massive
> attack.
> >
> > Cheers,
> > -Tiru
> >
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Message d'origine-----
> > > > De : Konda, Tirumaleswar Reddy
> > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > Envoyé : lundi 29 avril 2019 12:18 À : Jon Shallow; BOUCADAIR
> > > > Mohamed TGI/OLN; kaname nishizuka; dots@ietf.org Objet : RE:
> > > > [Dots]
> > > > (draft-ietf-dots-signal-filter-control) ACL Stats issue
> > > >
> > > > > -----Original Message-----
> > > > > From: Jon Shallow <supjps-ietf@jpshallow.com>
> > > > > Sent: Monday, April 29, 2019 3:11 PM
> > > > > To: Konda, Tirumaleswar Reddy
> > > > > <TirumaleswarReddy_Konda@McAfee.com>;
> > > > > mohamed.boucadair@orange.com; kaname nishizuka
> > > <kaname@nttv6.jp>;
> > > > > dots@ietf.org
> > > > > Subject: RE: [Dots] (draft-ietf-dots-signal-filter-control) ACL
> > > > > Stats issue
> > > > >
> > > > > This email originated from outside of the organization. Do not
> > > > > click links
> > > > or
> > > > > open attachments unless you recognize the sender and know the
> > > > > content is safe.
> > > > >
> > > > > Hi,
> > > > >
> > > > > See inline,
> > > > >
> > > > > Regards
> > > > >
> > > > > Jon
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda,
> > > > > > Tirumaleswar Reddy
> > > > > > Sent: 29 April 2019 10:22
> > > > > > To: mohamed.boucadair@orange.com; Jon Shallow; 'kaname
> > > > > > nishizuka'; dots@ietf.org
> > > > > > Subject: Re: [Dots] (draft-ietf-dots-signal-filter-control)
> > > > > > ACL Stats issue
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: mohamed.boucadair@orange.com
> > > > > > <mohamed.boucadair@orange.com>
> > > > > > > Sent: Monday, April 29, 2019 2:46 PM
> > > > > > > To: Konda, Tirumaleswar Reddy
> > > > > > <TirumaleswarReddy_Konda@McAfee.com>;
> > > > > > > Jon Shallow <supjps-ietf@jpshallow.com>; 'kaname nishizuka'
> > > > > > > <kaname@nttv6.jp>; dots@ietf.org
> > > > > > > Subject: RE: [Dots] (draft-ietf-dots-signal-filter-control)
> > > > > > > ACL Stats issue
> > > > > > >
> > > > > > > This email originated from outside of the organization. Do
> > > > > > > not click links or
> > > > > > open
> > > > > > > attachments unless you recognize the sender and know the
> > > > > > > content is
> > > > > safe.
> > > > > > >
> > > > > > > (Focusing on this particular point).
> > > > > > >
> > > > > > >
> > > > > > > > -----Message d'origine----- De : Konda, Tirumaleswar Reddy
> > > > > > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > > > > Envoyé : lundi 29 avril 2019 10:52 À : BOUCADAIR Mohamed
> > > > > > > > TGI/OLN; Jon Shallow; 'kaname nishizuka'; dots@ietf.org
> > > > > > > > Objet
> > > > > > > > : RE: [Dots]
> > > > > > > > (draft-ietf-dots-signal-filter-control) ACL Stats issue
> > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >  ACL-specific stats and mitigation stats will give a
> > > > > > > > > > > clear
> > > > > > > > > > > > picture of the traffic rate-limited, bad traffic
> > > > > > > > > > > > dropped by the DDoS mitigation system, and using
> > > > > > > > > > > > these stats the DOTS client can heuristically
> > > > > > > > > > > > determine the amount of legitimate traffic dropped
> > > > > > > > > > > > because of rate-limit and the impact of the attack
> > > > > > on its
> > > > > > > service.
> > > > > > > > > > >
> > > > > > > > > > > [Med] The impact can be observed locally (e.g., bad
> > > > > > > > > > > QoS, inability to
> > > > > > > > > > access a
> > > > > > > > > > > service, instable connectivity, etc.). I still don’t
> > > > > > > > > > > see how sharing the
> > > > > > > > > > ACL stats
> > > > > > > > > > > will be helpful here.
> > > > > > > > > > >
> > > > > > > > > > > A DOTS client can preinstall the same rate-limit
> > > > > > > > > > > filter with but with
> > > > > > > > > > different
> > > > > > > > > > > policies. It can select the appropriate ACL to
> > > > > > > > > > > activate/deactivate based on local experience.
> > > > > > > > > >
> > > > > > > > > > I don't get how the local experience will help the
> > > > > > > > > > client pick an alternate mitigation provider who can
> > > > > > > > > > handle the
> > attack
> > > scale.
> > > > > > > > >
> > > > > > > > > [Med] Modern CPEs include automated features to assess
> > > > > > > > > the availability of services such as VoIP, IPTV, etc.
> > > > > > > > > The DOTS client can be fed with input
> > > > > > > > from
> > > > > > > > > these modules and react accordingly.
> > > > > > >
> > > > > > > [Med] s/client/server.
> > > > >
> > > > > Is this correct?
> > > > >
> > > > > > >
> > > > > > > >
> > > > > > > > I meant the target network cannot infer the amount of
> > > > > > > > legitimate traffic (or infer the number of users) unable
> > > > > > > > to use its service because of the rate- limit action.
> > > > > > > >
> > > > > > >
> > > > > > > [Med] The amount of traffic is not required to assess the
> > > > > > > availability of "nominal" services (the example above). What
> > > > > > > is really important is
> > > > > > whether
> > > > > > > some critical services are available. That information can
> > > > > > > be determined
> > > > > > without
> > > > > > > needing the ACL stats.
> > > > > >
> > > > > > I am not referring to "nominal" services or critical resources.
> > > > > > For instance, consider Netflix is not accessible to a large
> > > > > > number of users because of the rate-limit action.
> > > > >
> > > > > The DOTS server will have a limited (only because they have to
> > > > > be
> > > > previously
> > > > > defined) set of (possibly inactivated) ACLS on the server.  If
> > > > > the
> > > > "standard"
> > > > > white/black list are unable to bring the inbound pipe back to
> > > > > not being flooded, then a (likely global for the DOTS client's
> > > > > networks) Rate-Limit
> > > > ACL
> > > > > must be brought in.  Once the Inbound pipe is available, then
> > > > > analysis of
> > > > the
> > > > > data reaching the DOTs client will show the top users which then
> > > > > need their own limiting (black or rate-limit) ACL set up over
> > > > > the data channel.  At
> > > > this
> > > > > point the Rate-Limit ACL can removed to see if things are stable again.
> > > > > [I agree that the CPE may not have this top usage capability]
> > > > >
> > > > > If Netflix (or similar) has a priority when under attack, then
> > > > > this needs
> > > > to be
> > > > > added into a White ACL which can be done once the inbound pipe
> > > > > is not flooded (or be a part of the standard white lists)
> > > >
> > > > I think we are discussing two different use cases. My attack use
> > > > case is Netflix content provider is under volumetric DDoS attack,
> > > > and if the rate- limit ACL is configured using the DOTS signal
> > > > channel because the DDoS mitigation provider cannot handle all the
> > > > attack traffic. The rate-limit ACL stats will help Netflix
> > > > understand the scale of the attack, impact on the current business
> > > > because of the rate-limit action (e.g. based on the amount of
> > > > traffic dropped by DMS, infer the amount of good traffic dropped
> > > > by the rate-limit ACL action, and infer the number of users who
> > > > cannot access its service), and if the attack lasts for  several
> > > > days/weeks help identify an alternate mitigation provider capable
> > > > of handling the attack (e.g. Krebs was initially using Akamai and
> > > > eventually got protected by Google to handle
> > the
> > > massive attack).
> > > >
> > > > Cheers,
> > > > -Tiru
> > > >
> > > > >
> > > > > ~jon
> > > > >
> > > > > >
> > > > > > -Tiru
> > > > > >
> > > > > > _______________________________________________
> > > > > > Dots mailing list
> > > > > > Dots@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email