Re: [Dots] Target-Attack-type expansion: more discussion

Töma Gavrichenkov <> Mon, 06 May 2019 09:19 UTC

From: Töma Gavrichenkov <>
Date: Mon, 06 May 2019 12:18:54 +0300
Message-ID: <>
To: 陈美玲 <>
Cc: dots <>
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <>

On Mon, May 6, 2019, 11:57 AM MeiLing Chen <>

> Not mean the affected layer, but at the exploited protocol layer.
a) Then the Memcached reflection would be layer 7, as the Memcached ASCII
protocol belongs to the application layer;
b) Honestly, I don't see how the "exploited protocol layer" could be of
*any* use for mitigation.

> it is still necessary to unify the types of classified attacks.
Not only is it operationally close to impossible in the foreseeable
future, it is also really of questionable use.  You would still need a
device on your network which would be responsible for handling "the rest"
of DDoS attacks: not falling under any known type, 0-day, etc.

IMO the best you could *possibly* achieve is a classification similar to
what anti-virus vendors provide ("Win32/Conficker.A"-style, you know), but
even then no one tries to handle different malware with multiple anti-virus
installations on the same machine.  This architecture wouldn't really fly.