Re: [Dots] Signal / Data / Alias / Filter Implementation

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 03 August 2017 07:58 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/pBWro--qOpIXH4JYuDXejjhbYt4>
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>

The source IP addresses and source ports used by the DDoS attacker could change, and the type of attack itself could evolve or change from one attack type to another.
It was discussed in the WG that this kind of information is only a hint and is not mandatory for the DOTS client to convey in the mitigation request.  https://tools.ietf.org/html/draft-ietf-dots-requirements-06 only discusses conveying the mitigation scope, not the source or type of the attack. However, the DOTS signal channel draft allows vendor-specific parameters and reserves key values in the range 32768 to 65536 for them, so these hints can be conveyed as vendor-specific parameters to the DOTS server.

-Tiru

From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Jon Shallow
Sent: Wednesday, August 2, 2017 3:43 PM
To: dots@ietf.org
Subject: [Dots] Signal / Data / Alias / Filter Implementation

Hi There,

I am trying to get my mind around how to implement this and have some questions / statements.

Signal Channel

The Signal channel looks very much like Destination RTBH with some extras (protocols / ports), as everything is target-* based.  There is no concept of source-ip, source-port (to handle reflection attacks) etc., or of dealing with fragmented packets, ICMP types and rate-limiting.

The DOTS client may have the smarts to work out which source-* etc. values are the problematic ones (e.g. it can generate smart BGP FlowSpec rules) that will sensibly control the DDoS attack.

It is possible to use a previously defined alias over the Data Channel as an alternative for a mitigation request, but this too has source-* etc. limitations.
I have not found a way of using a Filter defined over the Data Channel as a signal.

Sending a signal will cause all traffic to the target IP on the ports in question to stop (or possibly be rate-limited, if it also happens to match a filter) - the DDoS attack is now effective unless the DOTS server elects (via DNS or BGP swing) to scrub that particular traffic (by controlling rates, Source IPs / Source Ports etc.).

Data Channel

Can be used to set up aliases for later use.  These again, however, appear to be target-* based, with no source-*, ICMP type or fragmentation capabilities.

Can set up a Filter, which does include both source and destination IPs, but it appears to be acted on when pushed over the data channel and cannot be sent as a signal - it appears to be in place more for black/white-listing IPs than as a signal for mitigation, but it does include rate-limiting.

Questions

How do we handle Source-* information in a mitigation signal request?
How do we handle specific ICMP types in a mitigation signal request?
How do we handle fragmentation in a mitigation signal request?

Regards

Jon
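The exchange above is about what a signal channel mitigation request can and cannot carry: Jon asks where source-* information goes, and Tiru answers that it is only a hint and belongs in the vendor-specific CBOR key range. The following is an added example written for this archive page, not code from either poster or from the DOTS drafts. It builds a mitigation request with the mandatory target-* scope, attaches a source-prefix hint under a hypothetical vendor key (32768, inside the range Tiru cites), and shows the server side treating that key as optional: a server that does not recognise a vendor-range key drops it and still mitigates on the target-* scope, while a key outside that range that it does not understand is rejected. The numeric keys for the standard scope members are assumptions for the example (they follow the numbering later published in RFC 8782, not necessarily the August 2017 draft's table), the minimal CBOR codec covers only the integer, text, array and map types this message needs, and the CoAP/DTLS transport is omitted.

```python
"""Added example: DOTS-style mitigation request with a vendor-specific
source-* hint in the private CBOR key range, plus server-side handling.
Not code from the DOTS drafts or from the posters on this thread."""
import struct

# --- minimal CBOR codec: unsigned ints, text strings, arrays, maps only ---
def _head(major, n):
    """Initial byte plus length/value argument for a CBOR item."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24]) + struct.pack(">B", n)
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", n)
    if n < 0x100000000:
        return bytes([(major << 5) | 26]) + struct.pack(">I", n)
    return bytes([(major << 5) | 27]) + struct.pack(">Q", n)

def cbor_encode(v):
    if isinstance(v, bool) or v is None:
        raise TypeError("bool/None not used in this example")
    if isinstance(v, int):
        if v < 0:
            raise ValueError("negative integers not needed here")
        return _head(0, v)
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type %r" % type(v))

def _decode_at(data, off):
    if off >= len(data):
        raise ValueError("truncated CBOR")
    ib = data[off]; major, ai = ib >> 5, ib & 0x1F; off += 1
    widths = {24: ">B", 25: ">H", 26: ">I", 27: ">Q"}
    if ai < 24:
        n = ai
    elif ai in widths:
        size = struct.calcsize(widths[ai])
        if off + size > len(data):
            raise ValueError("truncated CBOR argument")
        n = struct.unpack(widths[ai], data[off:off + size])[0]; off += size
    else:
        raise ValueError("unsupported additional info %d" % ai)
    if major == 0:
        return n, off
    if major == 3:
        if off + n > len(data):
            raise ValueError("truncated text string")
        return data[off:off + n].decode("utf-8"), off + n
    if major == 4:
        items = []
        for _ in range(n):
            x, off = _decode_at(data, off); items.append(x)
        return items, off
    if major == 5:
        m = {}
        for _ in range(n):
            k, off = _decode_at(data, off); x, off = _decode_at(data, off); m[k] = x
        return m, off
    raise ValueError("unsupported major type %d" % major)

def cbor_decode(data):
    v, off = _decode_at(data, 0)
    if off != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return v

# Assumed key numbers for the standard mitigation-scope members (RFC 8782
# numbering; the 2017 draft's table may differ). VENDOR_SOURCE_PREFIX is a
# hypothetical vendor-specific key inside the private range Tiru describes.
MITIGATION_SCOPE, SCOPE, TARGET_PREFIX, TARGET_PORT_RANGE = 1, 2, 6, 7
LOWER_PORT, UPPER_PORT, TARGET_PROTOCOL, LIFETIME = 8, 9, 10, 14
VENDOR_SOURCE_PREFIX = 32768
STANDARD_SCOPE_KEYS = {TARGET_PREFIX, TARGET_PORT_RANGE, TARGET_PROTOCOL, LIFETIME}
VENDOR_RANGE = range(32768, 65536)

def build_mitigation_request(target_prefixes, ports, protocols, lifetime, source_hints=None):
    """Client side: target-* scope is mandatory, the source hint is optional."""
    scope = {TARGET_PREFIX: list(target_prefixes),
             TARGET_PORT_RANGE: [{LOWER_PORT: lo, UPPER_PORT: hi} for lo, hi in ports],
             TARGET_PROTOCOL: list(protocols),
             LIFETIME: lifetime}
    if source_hints:
        scope[VENDOR_SOURCE_PREFIX] = list(source_hints)
    return cbor_encode({MITIGATION_SCOPE: {SCOPE: [scope]}})

def server_parse(payload, understands=frozenset()):
    """Server side: returns (scopes, hints, ignored_keys). Vendor-range keys the
    server does not declare it understands are ignored, never fatal; an unknown
    key outside that range is rejected. Requiring target-prefix is a simplification."""
    msg = cbor_decode(payload)
    scopes, hints, ignored = [], [], []
    for s in msg[MITIGATION_SCOPE][SCOPE]:
        if TARGET_PREFIX not in s:
            raise ValueError("mitigation scope without a target")
        kept, hint = {}, {}
        for k, v in s.items():
            if k in STANDARD_SCOPE_KEYS:
                kept[k] = v
            elif k in VENDOR_RANGE and k in understands:
                hint[k] = v
            elif k in VENDOR_RANGE:
                ignored.append(k)
            else:
                raise ValueError("unknown non-vendor key %d" % k)
        scopes.append(kept); hints.append(hint)
    return scopes, hints, ignored
```

The point of `server_parse` is the asymmetry Tiru's answer implies: mitigation never depends on the hint, so a DOTS server from another vendor that cannot interpret key 32768 still acts on the target-* scope, and only a server that opts in (`understands={32768}`) feeds the source prefixes into its own scrubbing or FlowSpec logic.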