Re: [Dots] Target-Attack-type expansion: more discussion

Töma Gavrichenkov <> Mon, 01 April 2019 17:13 UTC

From: Töma Gavrichenkov <>
Date: Mon, 01 Apr 2019 19:13:01 +0200
Message-ID: <>
To: 陈美玲 <>
Cc: dots <>


On Fri, Mar 29, 2019 at 12:15 PM 陈美玲 <> wrote:
> I'd like to continue discussion of these topics in the mail

For clarification, the quotations below that line are from the draft
[1], not from the mailing list thread.

> Therefore, it is necessary to unify the attack definition,
> form a standard attack definition

I do not anticipate that happening in the foreseeable future. Mainly,
because of the differences between traffic classifying and filtering
engines. Also, because the state of scientific research on the problem
space is quite poor.

> we give out a complete format for DDoS attacks as below

From the text and also from the slides [2] it is not clear what
exactly you list under "protocol level".
It appears like something very close to the OSI layering, however,

a) in this case the proper word would be "layer", not "level",
b) the attribution seems quite arbitrary.

E.g. ICMP flood is coupled with "Network_Layer" while it could also
affect the data link layer if e.g. there's no "no arp packet-priority
enable" on an interface in a Cisco switched network.
The same with memcached reflection which could cause an effect on the
layer 2 through 4 performance of a network (and I'd even go as far as
to say that L4 being affected is the least likely case).


All in all, as I tried to point out during the session, I've
personally seen a similar problem of conversion between different item
classification methods being solved before in 3GPP world, where e.g.
HP OpenView and Huawei M2000/J2000 had almost entirely different
concepts of event type, status, and severity, yet communicated just
fine through software-defined mapping tables provided by the
respective vendors. Sometimes, it's best to follow that path, and a
good thing is: you don't need a years-long IETF process for that to go
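The "software-defined mapping tables" the message points to can be made concrete. What follows is an added example, not code from the draft, the DOTS working group or the mail's author: a vendor-to-common-vocabulary table for attack types, with each attack attributed to the set of layers it can degrade (so the ICMP-flood objection above is expressible) and with an audit step that catches unmapped or mistyped entries before the table is deployed. The common terms, vendor labels and layer attributions are constructed for illustration and are hypothetical.

```python
# Added example (not the draft's or the mailing list's code): a vendor
# to common-vocabulary mapping table for DDoS attack types, the kind of
# "software-defined mapping table" the mail describes. The common terms,
# vendor labels and layer attributions are constructed for illustration.
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed common vocabulary (hypothetical, not the draft's list).
COMMON_TERMS: FrozenSet[str] = frozenset(
    {"icmp-flood", "memcached-reflection", "syn-flood", "http-flood"}
)

# An attack is attributed to the set of layers it can degrade, not to one
# "protocol level", so an ICMP flood that also hurts the link layer can
# be expressed. Values are constructed for illustration.
AFFECTED_LAYERS: Dict[str, FrozenSet[int]] = {
    "icmp-flood": frozenset({2, 3}),
    "memcached-reflection": frozenset({2, 3, 4}),
    "syn-flood": frozenset({4}),
    "http-flood": frozenset({7}),
}

# Constructed per-vendor tables: vendor label -> common term, or None
# when the vendor classifies something the common vocabulary has no term for.
VENDOR_TABLES: Dict[str, Dict[str, Optional[str]]] = {
    "vendorA": {
        "ICMP_FLOOD": "icmp-flood",
        "MEMCACHED_AMP": "memcached-reflection",
        "TCP_SYN": "syn-flood",
        "GRE_FLOOD": None,  # no common term; stays vendor-specific
    },
    "vendorB": {
        "icmp": "icmp-flood",
        "udp-memcache": "memcached-reflection",
        "syn": "syn-flood",
        "http-get": "http-flood",
        "dns-water-torture": "dns-flood",  # deliberate table error: not in COMMON_TERMS
    },
}


def translate(vendor: str, label: str) -> Optional[str]:
    """Map a vendor's label to the common term.

    Returns None when the label is unknown to the table or the vendor
    deliberately left it unmapped; raises ValueError if the table points
    at a term outside the common vocabulary (a broken table, not a gap).
    """
    common = VENDOR_TABLES[vendor].get(label)
    if common is not None and common not in COMMON_TERMS:
        raise ValueError(f"{vendor!r} maps {label!r} to unknown term {common!r}")
    return common


def layers_for(vendor: str, label: str) -> FrozenSet[int]:
    """Layers the attack may degrade, or an empty set if it cannot be translated."""
    common = translate(vendor, label)
    return AFFECTED_LAYERS.get(common, frozenset()) if common else frozenset()


def labels_for(vendor: str, common: str) -> List[str]:
    """Reverse lookup: every vendor label that collapses onto one common term."""
    return sorted(lbl for lbl, c in VENDOR_TABLES[vendor].items() if c == common)


def audit_table(vendor: str) -> List[Tuple[str, str]]:
    """Validate one vendor's table before deploying it.

    Reports entries whose target is outside the common vocabulary and
    entries left unmapped, so table problems surface up front rather than
    at translation time.
    """
    problems: List[Tuple[str, str]] = []
    for label, common in sorted(VENDOR_TABLES[vendor].items()):
        if common is None:
            problems.append((label, "unmapped"))
        elif common not in COMMON_TERMS:
            problems.append((label, f"unknown common term {common!r}"))
    return problems


if __name__ == "__main__":
    for vendor in VENDOR_TABLES:
        print(vendor, audit_table(vendor))
    print(sorted(layers_for("vendorB", "udp-memcache")))
```

The audit distinguishes a gap (a vendor term with no common equivalent, which is a legitimate outcome when vocabularies differ) from a defect (a table entry pointing at a term the common vocabulary does not define), which is the difference that matters when two parties exchange such tables without a shared standard.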