Re: [Dots] Target-Attack-type expansion: more discussion

"MeiLing Chen" <chenmeiling@chinamobile.com> Mon, 06 May 2019 08:56 UTC

Return-Path: <chenmeiling@chinamobile.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6590712011D for <dots@ietfa.amsl.com>; Mon, 6 May 2019 01:56:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GsoARrUq9E_0 for <dots@ietfa.amsl.com>; Mon, 6 May 2019 01:56:53 -0700 (PDT)
Received: from cmccmta2.chinamobile.com (cmccmta2.chinamobile.com [221.176.66.80]) by ietfa.amsl.com (Postfix) with ESMTP id DAB9612006F for <dots@ietf.org>; Mon, 6 May 2019 01:56:52 -0700 (PDT)
Received: from spf.mail.chinamobile.com (unknown[172.16.121.7]) by rmmx-syy-dmz-app05-12005 (RichMail) with SMTP id 2ee55ccff6d2d39-eda29; Mon, 06 May 2019 16:56:50 +0800 (CST)
X-RM-TRANSID: 2ee55ccff6d2d39-eda29
X-RM-TagInfo: emlType=0
X-RM-SPAM-FLAG: 00000000
Received: from cmcc-PC (unknown[10.2.51.72]) by rmsmtp-syy-appsvr04-12004 (RichMail) with SMTP id 2ee45ccff6d1f7e-4c6d9; Mon, 06 May 2019 16:56:50 +0800 (CST)
X-RM-TRANSID: 2ee45ccff6d1f7e-4c6d9
Date: Mon, 6 May 2019 16:56:50 +0800
From: "MeiLing Chen" <chenmeiling@chinamobile.com>
To: =?utf-8?B?VMO2bWEgR2F2cmljaGVua292?= <ximaera@gmail.com>
Cc: dots <dots@ietf.org>
References: <2afa5c9df0626fd-00007.Richmail.00004070460264152429@chinamobile.com>, <CALZ3u+YTx2b=QMTM_UzgX254cgcgAWYxnwA=-VwHhD03ygragw@mail.gmail.com>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7.2.9.115[cn]
Mime-Version: 1.0
Message-ID: <2019050616564984104217@chinamobile.com>
Content-Type: multipart/alternative; boundary="----=_001_NextPart783625650557_=----"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/dnLuFpxuVXkPTNdB2_-1o48y_FQ>
Subject: Re: [Dots] Target-Attack-type expansion: more discussion
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 May 2019 08:56:57 -0000

Hi Töma,
Please see inline,
>Peace,
 
>On Fri, Mar 29, 2019 at 12:15 PM 陈美玲 <chenmeiling@chinamobile.com> wrote:
>> I'd like to continue discussion of these topics in the mail
 
>For clarification, the quotations below that line are from the draft
>[1], not from the mailing list thread.
 
 
>> Therefore, it is necessary to unify the attack definition,
>> form a standard attack definition
 
>I do not anticipate that happening in the foreseeable future. Mainly,
>because of the differences between traffic classifying and filtering
>engines. Also, because the state of scientific research on the problem
>space is quite poor.
 
>> we give out a complete format for DDoS attacks as below
 
>From the text and also from the slides [2] it is not clear what
>exactly you list under "protocol level".
>It appears like something very close to the OSI layering, however,
[MeiLing] YES, that's mean the layer, I will modify it in the next version.

>a) in this case the proper word would be "layer", not "level",
>b) the attribution seems quite arbitrary.
[MeiLing]We tried a variety of classification methods, and if need to cover all the attack types, this attribute has to be an arbitary parameter. 

>E.g. ICMP flood is coupled with "Network_Layer" while it could also
>affect the data link layer if e.g. there's no "no arp packet-priority
>enable" on an interface in a Cisco switched network.
>The same with memcached reflection which could cause an effect on the
>layer 2 through 4 performance of a network (and I'd even go as far as
>to say that L4 being affected is the least likely case).
[MeiLing]the "protocol layer" Not mean the affected layer, but at the exploited protocol layer. 
***
 
>All in all, as I tried to point out during the session, I've
>personally seen a similar problem of conversion between different item
>classification methods being solved before in 3GPP world, where e.g.
>HP OpenView and Huawei M2000/J2000 had almost entirely different
>concepts of event type, status, and severity, yet communicated just
>fine through software-defined mapping tables provided by the
>respective vendors. Sometimes, it's best to follow that path, and a
>good thing is: you don't need a years-long IETF process for that to go
>live.
[MeiLing]that's really true, It is precisely because of the lack of uniform classification criteria that different classification names emerge.
use mapping tables are temporary solutions, However, it is still necessary to unify the types of classified attacks.

>References:
>[1]: https://tools.ietf.org/html/draft-meiling-dots-attack-type-expansion-00
>[2]: https://datatracker.ietf.org/meeting/104/materials/slides-104-dots-attack-bandwidth-and-attack-type-expansion-01
 
--
Töma