IETF Logo Mail Archive

Re: [Dots] Signal / Data / Alias / Filter Implementation

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 03 August 2017 09:35 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76A55131D27 for <dots@ietfa.amsl.com>; Thu, 3 Aug 2017 02:35:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VFUc0wr21Png for <dots@ietfa.amsl.com>; Thu, 3 Aug 2017 02:35:09 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D21F1131D25 for <dots@ietf.org>; Thu, 3 Aug 2017 02:35:08 -0700 (PDT)
Received: from MIVEXAPP1N01.corpzone.internalzone.com (unknown [10.48.48.88]) by DNVWSMAILOUT1.mcafee.com with smtp id 0fd2_3578_467511d0_ee65_4d7c_bbc6_1c44d0a06d7c; Thu, 03 Aug 2017 04:35:06 -0500
Received: from MIVEXUSR1N02.corpzone.internalzone.com (10.48.48.82) by MIVEXAPP1N01.corpzone.internalzone.com (10.48.48.88) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 3 Aug 2017 05:35:05 -0400
Received: from MIVEXUSR1N01.corpzone.internalzone.com (10.48.48.81) by MIVEXUSR1N02.corpzone.internalzone.com (10.48.48.82) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 3 Aug 2017 05:35:04 -0400
Received: from MIVO365EDGE3.corpzone.internalzone.com (10.48.176.86) by MIVEXUSR1N01.corpzone.internalzone.com (10.48.48.81) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Thu, 3 Aug 2017 05:35:04 -0400
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (10.48.176.240) by edge.mcafee.com (10.48.176.86) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 3 Aug 2017 05:34:49 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.onmicrosoft.com; s=selector1-mcafee-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=yz2aYFw9PMEM+MdVhY8nXUV7/MxoolReTszDdMHbL4Q=; b=e9l5QxqD5GeSw218U02eBaFntIL/DpQ2w9wKjWfImjuaXxni19MkkqSJwnz9s5JJy72nVoikNcXavvEYqpyTyi/8FcX/FXvuqujiWcRSdKWHIZTN0epgzJqKzFyx/Dn8KoQ9fGv0fDa8qw7++gIELsboAqlFSO6fiv2EybKI16o=
Received: from DM5PR16MB1788.namprd16.prod.outlook.com (10.172.44.144) by DM5PR16MB1786.namprd16.prod.outlook.com (10.172.44.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1304.22; Thu, 3 Aug 2017 09:35:02 +0000
Received: from DM5PR16MB1788.namprd16.prod.outlook.com ([10.172.44.144]) by DM5PR16MB1788.namprd16.prod.outlook.com ([10.172.44.144]) with mapi id 15.01.1304.023; Thu, 3 Aug 2017 09:35:02 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Jon Shallow <supjps-ietf@jpshallow.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Signal / Data / Alias / Filter Implementation
Thread-Index: AdMLd/i8iwFwzTfWQ/S7HayGj5igcAAtQcoAAADkzoAAAOO7QAAAuEkAAABl6xA=
Date: Thu, 03 Aug 2017 09:35:02 +0000
Message-ID: <DM5PR16MB178821B08674C1C6F2E0E2F3EAB10@DM5PR16MB1788.namprd16.prod.outlook.com>
References: <035401d30b77$fb3a1da0$f1ae58e0$@jpshallow.com> <DM5PR16MB1788C9F8E53F0F39A9B3AE70EAB10@DM5PR16MB1788.namprd16.prod.outlook.com> <042c01d30c30$93ad0670$bb071350$@jpshallow.com> <DM5PR16MB178860DB65938F50187AAC2AEAB10@DM5PR16MB1788.namprd16.prod.outlook.com> <044b01d30c37$034e3cf0$09eab6d0$@jpshallow.com>
In-Reply-To: <044b01d30c37$034e3cf0$09eab6d0$@jpshallow.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR16MB1786; 7:DQaIe5sPb0MqlXe4mvHD6Qde5b90aXac+SfV+ldaUyoP1A4AC5hzZjG5AAhNW3DOBZDr9O2xsClLKVxxaKgJ+xCxfscjo2/vr+ZHvrL3DMTr9iTBg1SkUMhb6NqcsAwIwBF0jhX2Y2rvFttBN6jULQoaYI0o9zsKt6lltM6nslpePYBUGYQ516bHKJKOtz8hASgMcuotDM0laVJTTXmlX04k8LZY4Td9+X1sSxINXkfPW21vbuKG4BbvLznzM17gH9RWTlgH+VUUAk29U9rc+u4FAgXG+GXxLUdcbw1uV9uc2JR6x//MVAHUo1SOaAiV8kYACkh3o82I6xPBnOaDLgRkoVC1FkSGUXVzOMMN8L9emeU+cWaAgj1vchclogEsZ9lBFjaNWhB5Hm2NS/8w3tLNOx3sIBDRWfjLUSKQs4AlpQFSZSrXWUSnlQxlU4i4eQFmmQIcXgf6PNZ54GK4oWy5r/nfxB+R459PuwZ9/b/yViRpKwjg0oCqE9z6OEKV0z6kX/bb67rUUy/0NVEvv7BuqIeV3PdGOhZAAasqTkkechg6i0WZfbWpH4U6QvSy0jEqmFxS7QLSgvjhBjbWwGCErRpOiwbDSrvPXfi59YpA3jVZciX57tKFKe6KpBVI9wl4KfJ+05MoERHWAPd6/QJm1Epoem21LVSe8ZdlLUbRs/UnCO71Wxqr+8G2B9rbRxVovtHvVpg/r1IdRTvv1HOPpKNyhBghbIQ0LWbnh6kbSbs4aqbkEvcBbt2EdbpndIul0xJouhtbYdwg6X3eDN5mYAWSVIz95tPqM+Voh6Y=
x-ms-office365-filtering-correlation-id: f10817d9-6d33-4d1e-3100-08d4da52ea9d
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:DM5PR16MB1786;
x-ms-traffictypediagnostic: DM5PR16MB1786:
x-exchange-antispam-report-test: UriScan:(158342451672863)(21748063052155);
x-microsoft-antispam-prvs: <DM5PR16MB178628C64770371779D57415EAB10@DM5PR16MB1786.namprd16.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(3002001)(100000703101)(100105400095)(10201501046)(93006095)(93001095)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123555025)(20161123558100)(20161123562025)(20161123564025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:DM5PR16MB1786; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:DM5PR16MB1786;
x-forefront-prvs: 03883BD916
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39450400003)(39840400002)(39400400002)(39410400002)(51444003)(32952001)(199003)(51914003)(377454003)(189002)(606006)(25786009)(6306002)(53546010)(7696004)(76176999)(50986999)(54356999)(97736004)(7736002)(3660700001)(189998001)(6116002)(102836003)(19609705001)(2900100001)(790700001)(77096006)(106356001)(105586002)(229853002)(80792005)(3846002)(6506006)(86362001)(54896002)(14454004)(66066001)(6246003)(38730400002)(9326002)(5660300001)(3280700002)(236005)(53936002)(2950100002)(966005)(6436002)(55016002)(2501003)(72206003)(478600001)(68736007)(8676002)(8936002)(2906002)(9686003)(74316002)(81156014)(99286003)(81166006)(101416001)(93886004)(33656002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB1786; H:DM5PR16MB1788.namprd16.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR16MB178821B08674C1C6F2E0E2F3EAB10DM5PR16MB1788namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Aug 2017 09:35:02.2707 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB1786
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6085> : inlines <6005> : uri <2475433>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/oBVKirZk5Mt9RlIe5BtWkMLS8ro>
Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 09:35:12 -0000

Hi Jon,

This draft was presented and discussed in the WG, but since DOTS telemetry is optional the feedback we got was to pursue this work later and there was no agreement in the WG on the common attributes of an DDoS attack and the protocol to convey this information (there were proposals to use DOTS signal channel, data channel and IPFIX).

-Tiru

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Jon Shallow
Sent: Thursday, August 3, 2017 2:31 PM
To: dots@ietf.org
Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation

Hi Tiru,

Thanks for the document pointer - a good read and reminds me of the initial work I did with Nik Teague on getting DOTS started.

However, it is still unclear to me how the "DOTS Telemetry" intelligence/hints can be conveyed over the signal and data channels using what is currently defined, unless it is all done over the data channel using ietf-dots-access-control-list.  My preferred option is that ietf-dots-signal is extended to cover the more common attributes of an DDoS Attack.

Regards

Jon

From: Dots [mailto: dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 03 August 2017 09:44
To: Jon Shallow; dots@ietf.org<mailto:dots@ietf.org>
Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation

Hi Jon,

We discussed various such hints including "attack details" in https://tools.ietf.org/html/draft-doron-dots-telemetry-00.

-Tiru

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Jon Shallow
Sent: Thursday, August 3, 2017 1:45 PM
To: dots@ietf.org<mailto:dots@ietf.org>
Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation

Hi Tiru,

I agree that it is highly likely that a DDoS Attack will mutate over its life time.  Reflections attacks (where the source port is constant - e.g. 53 or 123 udp) do not mutate so frequently in my experience and there is no way to signal for that type of to be stopped currently.  The DOTS client may continue to change its mitigation requests as the attacks evolve / mutate which is fine from my perspective.

I really want to move away from Vendor Specifics for the more common definitions so that there is a standard across all vendors - even if the parameters are optional and are just hints.

I am not trying to re-create FlowSpec here in the signal  parameters, but there (co-incidentally) is a large overlap.  FlowSpec does not support Uri, but I think that is a good thing in dots-signal-channel.

Regards

Jon

From: Dots [mailto: dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 03 August 2017 08:58
To: Jon Shallow; dots@ietf.org<mailto:dots@ietf.org>
Subject: Re: [Dots] Signal / Data / Alias / Filter Implementation

The source IP addresses and source ports used by the DDoS attacker could change, the type of attack itself could evolve or change from one attack type to another.
It was discussed in the WG that this kind of information are only hints and not mandatory to be conveyed by the DOTS client in the mitigation request.  https://tools.ietf.org/html/draft-ietf-dots-requirements-06 only discusses conveying the mitigation scope and not the source or type of the attack. However, DOTS signal channel draft allows vendor specific parameters and reserved key values in the range of 32768 to 65536 for vendor specific parameters, these hints can be conveyed as vendor-specific parameters to the DOTS server.

-Tiru

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Jon Shallow
Sent: Wednesday, August 2, 2017 3:43 PM
To: dots@ietf.org<mailto:dots@ietf.org>
Subject: [Dots] Signal / Data / Alias / Filter Implementation

Hi There,

I am trying to get my mind around how to implement this and have some questions / statements.

Signal Channel

The Signal channel looks very like Destination RTBH with some extras (protocols / port) as everything is target-* based.  There is no concept of source-ip, source-port (to handle reflection attacks) etc. or dealing with fragmented packet, icmp types and rate-limiting.

The DOTS client may have the smarts to work out what are the problematic source-* etc. values (e.g. can generate smart BGP FlowSpec rules) are that will sensibly control the DDoS Attack.

It is possible to use a previously defined alias over the Data Channel as an alternative for a mitigation request, but this too has source-* etc. limitations.
I have not found a way of using a Filter defined over the Data Channel as a signal

Sending a signal will cause all traffic to stop (or rate-limit possibly if it also happens to match a filter) to the target IP on the ports in question -  DDoS attack is now effective unless the DOTS server elects (via DNS or BGP swing) to scrub that particular traffic (by controlling rates, Source IPs / Source Ports etc.).

Data Channel

Can be used to set up aliases for later use.  These again however appear to be target-* based, with no source-*, icmp type or fragmentation capabilities.

Can set up a Filter, which does include both source and destination IPs, but appears that it is acted on when pushed over the data channel, and cannot be send as a signal - appears to be in place more for black/white listing IPs than as a signal for mitigation, but does include rate-limiting

Questions

How do we handle Source-* information in a mitigation signal request?
How do we handle specific ICMP types  in a mitigation signal request?
How do we handle fragmentation  in a mitigation signal request?

Regards

Jon

v2.23.0 | Report a Bug | By Email