Re: [Dots] WGLC for draft-dots-use-cases-19

"Jon Shallow" <supjps-ietf@jpshallow.com> Tue, 06 August 2019 12:20 UTC

From: "Jon Shallow" <supjps-ietf@jpshallow.com>
To: "'Konda, Tirumaleswar Reddy'" <TirumaleswarReddy_Konda@mcafee.com>, <frank.xialiang@huawei.com>, <mohamed.boucadair@orange.com>, <dots@ietf.org>, <valery@smyslov.net>
In-Reply-To: <DM5PR16MB170551C20908654A0F6428D7EAD50@DM5PR16MB1705.namprd16.prod.outlook.com>
Date: Tue, 6 Aug 2019 13:20:41 +0100
Message-ID: <1dd901d54c51$5ce7e160$16b7a420$@jpshallow.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/qU4uhUKZP-SNqbFLvNwkOFLYoG8>
Subject: Re: [Dots] WGLC for draft-dots-use-cases-19

I had an interesting one a couple of years back.

Attackers were hitting 8.8.8.8 with a lot of DNS queries, spoofing the victim's IP address.  As there were a lot of unsolicited responses coming from 8.8.8.8, it was deduced that there was a reflective attack in progress against the victim's IP address, and 8.8.8.8 was black-listed (fortunately close to the victim's IP address).

Unfortunately the victim IP was relying on 8.8.8.8 for its DNS services and so was effectively taken offline - but slowly - as DNS caches timed out for all the devices behind the corporate gateway (victim's IP).  Things were partially working for some time...

So usage of 8.8.8.8 was being both spoofed and genuine.

Top talkers is a hint and only that - deciding what to do with it needs to be done with care.  DOTS is a mechanism for passing information, requesting action etc. but does not do the ultimate mitigation.

Regards

Jon
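The misclassification Jon describes, as an added example that is not part of his message: a stateful check that separates the resolver's solicited responses (a matching query left the victim first) from reflected ones, so the mitigation can target only the unsolicited traffic instead of black-listing 8.8.8.8 outright and taking the victim's DNS down with it. The gateway address 192.0.2.10, the packet layout and the traffic sample are constructed assumptions; the check assumes the sensor sees the victim's outbound queries as well as inbound responses.

```python
from dataclasses import dataclass

RESOLVER = "8.8.8.8"
VICTIM = "192.0.2.10"  # constructed placeholder for the corporate gateway's IP

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    txid: int
    is_response: bool

def classify_responses(packets):
    """Count DNS responses RESOLVER->VICTIM as solicited (a query VICTIM->RESOLVER
    with the mirrored port and same transaction ID was seen first) or unsolicited."""
    pending = set()
    solicited = unsolicited = 0
    for p in packets:
        if not p.is_response and p.src == VICTIM and p.dst == RESOLVER:
            pending.add((p.sport, p.txid))
        elif p.is_response and p.src == RESOLVER and p.dst == VICTIM:
            key = (p.dport, p.txid)
            if key in pending:
                pending.discard(key)
                solicited += 1
            else:
                unsolicited += 1
    return solicited, unsolicited

def recommend(solicited, unsolicited, threshold=100):
    """Turn the top-talker hint into an action that keeps genuine use alive."""
    if unsolicited <= threshold:
        return "no action"
    if solicited == 0:
        return "drop responses from resolver"
    return "drop unsolicited responses only; keep resolver reachable"

def build_sample():
    """Constructed traffic: three genuine lookups plus 200 reflected responses."""
    pkts = []
    for i, port in enumerate((51001, 51002, 51003)):
        pkts.append(Packet(VICTIM, RESOLVER, port, 53, 1000 + i, False))
        pkts.append(Packet(RESOLVER, VICTIM, 53, port, 1000 + i, True))
    # Reflected responses: the attacker spoofed VICTIM as the query source,
    # so no outbound query from VICTIM ever matched them.
    for i in range(200):
        pkts.append(Packet(RESOLVER, VICTIM, 53, 40000 + i, 2000 + i, True))
    return pkts
```

A plain top-talker counter would report 203 packets from 8.8.8.8 and block them all; the stateful split keeps the three genuine answers flowing.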