Re: [Dots] Target-Attack-type expansion: more discussion
Töma Gavrichenkov <ximaera@gmail.com> Mon, 01 April 2019 17:13 UTC
From: Töma Gavrichenkov <ximaera@gmail.com>
Date: Mon, 01 Apr 2019 19:13:01 +0200
To: 陈美玲 <chenmeiling@chinamobile.com>
Cc: dots <dots@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/uyq-AB4me7qZ2apuaw8b3J6JDnA>
Peace,

On Fri, Mar 29, 2019 at 12:15 PM 陈美玲 <chenmeiling@chinamobile.com> wrote:
> I'd like to continue discussion of these topics in the mail

For clarification, the quotations below that line are from the draft [1], not from the mailing list thread.

> Therefore, it is necessary to unify the attack definition,
> form a standard attack definition

I do not anticipate that happening in the foreseeable future. Mainly, because of the differences between traffic classifying and filtering engines. Also, because the state of scientific research on the problem space is quite poor.

> we give out a complete format for DDoS attacks as below

From the text and also from the slides [2] it is not clear what exactly you list under "protocol level". It appears like something very close to the OSI layering, however, a) in this case the proper word would be "layer", not "level", b) the attribution seems quite arbitrary. E.g. ICMP flood is coupled with "Network_Layer" while it could also affect the data link layer if e.g. there's no "no arp packet-priority enable" on an interface in a Cisco switched network. The same with memcached reflection which could cause an effect on the layer 2 through 4 performance of a network (and I'd even go as far as to say that L4 being affected is the least likely case).

***

All in all, as I tried to point out during the session, I've personally seen a similar problem of conversion between different item classification methods being solved before in 3GPP world, where e.g. HP OpenView and Huawei M2000/J2000 had almost entirely different concepts of event type, status, and severity, yet communicated just fine through software-defined mapping tables provided by the respective vendors. Sometimes, it's best to follow that path, and a good thing is: you don't need a years-long IETF process for that to go live.
References:
[1]: https://tools.ietf.org/html/draft-meiling-dots-attack-type-expansion-00
[2]: https://datatracker.ietf.org/meeting/104/materials/slides-104-dots-attack-bandwidth-and-attack-type-expansion-01

--
Töma
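The mapping-table approach the post describes (two engines with different notions of attack type and severity, bridged by a vendor-supplied translation table rather than a shared taxonomy) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from the DOTS working group, or from draft-meiling-dots-attack-type-expansion. Every vendor name ("vendor A", "vendor B"), type code, severity scale and table entry in it is constructed for illustration. It goes slightly beyond the post by also showing the two things a practitioner has to handle once such a table exists: a source type the table does not cover (translated to a labelled fallback and flagged for review instead of being dropped) and the fact that the mapping is lossy (several source types collapse into one target type, so a reverse lookup returns a set).

```python
"""Software-defined mapping table between two constructed DDoS attack-type
taxonomies. Added example; vendor names, codes, scales and entries are
all made up for illustration and do not describe any real product."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed taxonomy of a detection engine ("vendor A"): code -> severity on a 1..5 scale
VENDOR_A_TYPES: Dict[str, int] = {
    "A-ICMP-FLOOD": 3,
    "A-MEMCACHED-REFLECTION": 5,
    "A-NTP-AMP": 4,
    "A-SYN-FLOOD": 4,
    "A-HTTP-GET-FLOOD": 3,
    "A-DNS-AMP": 4,
}

# Constructed taxonomy of a mitigation engine ("vendor B"): type name -> severity words it accepts
VENDOR_B_TYPES: Dict[str, Set[str]] = {
    "icmp-flood": {"low", "medium", "high"},
    "udp-reflection": {"medium", "high", "critical"},
    "tcp-state-exhaustion": {"medium", "high", "critical"},
    "http-request-flood": {"low", "medium", "high"},
    "generic-volumetric": {"low", "medium", "high", "critical"},
}

# The "vendor-provided" mapping table: vendor A code -> vendor B type name.
# Deliberately incomplete (no entry for A-DNS-AMP) to exercise the fallback path.
MAPPING_TABLE: Dict[str, str] = {
    "A-ICMP-FLOOD": "icmp-flood",
    "A-MEMCACHED-REFLECTION": "udp-reflection",
    "A-NTP-AMP": "udp-reflection",
    "A-SYN-FLOOD": "tcp-state-exhaustion",
    "A-HTTP-GET-FLOOD": "http-request-flood",
}

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
SEVERITY_WORDS = {1: "low", 2: "low", 3: "medium", 4: "high", 5: "critical"}
FALLBACK_TYPE = "generic-volumetric"


@dataclass(frozen=True)
class TranslatedEvent:
    source_code: str
    target_type: str
    target_severity: str
    needs_review: bool  # True when no table entry existed and the fallback type was used


def map_severity(source_severity: int, target_type: str) -> str:
    """Convert the 1..5 scale to vendor B's words, clamping to the nearest word the target type accepts."""
    word = SEVERITY_WORDS[source_severity]
    allowed = VENDOR_B_TYPES[target_type]
    if word in allowed:
        return word
    idx = SEVERITY_ORDER.index(word)
    candidates = [w for w in SEVERITY_ORDER if w in allowed]
    return min(candidates, key=lambda w: abs(SEVERITY_ORDER.index(w) - idx))


def translate(source_code: str, source_severity: int) -> TranslatedEvent:
    """Translate one vendor A event into vendor B terms. An uncovered type is never silently dropped."""
    if source_code not in VENDOR_A_TYPES:
        raise ValueError(f"unknown vendor A code: {source_code}")
    target = MAPPING_TABLE.get(source_code)
    needs_review = target is None
    if target is None:
        target = FALLBACK_TYPE
    return TranslatedEvent(source_code, target, map_severity(source_severity, target), needs_review)


def validate_mapping() -> List[str]:
    """Check the table before deploying it: every source code covered, every target known."""
    problems: List[str] = []
    for code in VENDOR_A_TYPES:
        if code not in MAPPING_TABLE:
            problems.append(f"no mapping for {code}; its events will fall back to {FALLBACK_TYPE}")
    for code, target in MAPPING_TABLE.items():
        if target not in VENDOR_B_TYPES:
            problems.append(f"{code} maps to unknown vendor B type {target}")
    return problems


def reverse_lookup(target_type: str) -> Set[str]:
    """Which vendor A codes collapse into one vendor B type; shows that the mapping is lossy."""
    return {code for code, t in MAPPING_TABLE.items() if t == target_type}


if __name__ == "__main__":
    for problem in validate_mapping():
        print("WARN:", problem)
    for code, sev in [("A-MEMCACHED-REFLECTION", 5), ("A-DNS-AMP", 4), ("A-ICMP-FLOOD", 5)]:
        print(translate(code, sev))
    print("udp-reflection <-", sorted(reverse_lookup("udp-reflection")))
```

Running `validate_mapping()` before the table goes live is the step that replaces the "years-long process": the table is data owned by whoever operates the two engines, and a gap in it surfaces as a warning plus a reviewable fallback event rather than as an attack type that disappears between detection and mitigation.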