Re: [savnet] draft-cui-savnet-anti-ddos-00

Joel Halpern <jmh.direct@joelhalpern.com> Fri, 30 September 2022 03:07 UTC

To: 惠林博 <huilb@zgclab.edu.cn>
Cc: "savnet@ietf.org" <savnet@ietf.org>
References: <ACF4F69E-4639-4FA6-9368-26D039DCBB3E@zgclab.edu.cn> <7b6546c3-69fb-8d92-bb41-1c026ad9f5ad@joelhalpern.com> <56bded8e.25c1e.18377eba5bf.Coremail.huilb@zgclab.edu.cn> <DCB00AE8-6AE3-493B-8437-4719E6A1AECA@zgclab.edu.cn>
From: Joel Halpern <jmh.direct@joelhalpern.com>
In-Reply-To: <DCB00AE8-6AE3-493B-8437-4719E6A1AECA@zgclab.edu.cn>
Archived-At: <https://mailarchive.ietf.org/arch/msg/savnet/Ufin9l_uYw3dzgRJvRDIes3d__U>
Subject: Re: [savnet] draft-cui-savnet-anti-ddos-00

Rather than debating SADA with you, and noting that I have not yet 
discussed and confirmed this with my co-chair, I will say that the kind 
of monitoring you describe, collecting information about non-spoofed 
traffic, is out of charter for the savnet working group.  While I 
understand that it is related to the spoofing problem, it is a distinct 
problem.  And IETF working groups need to stay within their charter.

Yours,

Joel

On 9/29/2022 10:42 PM, 惠林博 wrote:
> Hi Joel,
>
> I would like to add some explanation for clarification. After a little 
> more thought, we consider that the traceback mechanisms can be 
> classified into two categories. One is from the network layer to 
> identify the controller/attacker from general communication 
> statistics. The other is to monitor the suspicious software’s 
> behaviors inside the bots to traceback.
>
> The SADA’s high-level traceback goal is to identify the 
> controller/attacker. The bot and the controller/attacker may 
> communicate with real addresses during an attack, and a bot is 
> possibly used for multiple attacks in the future. We consider logging 
> the communication activities of the hosts that have ever spoofed 
> addresses and hope to identify the controller/attacker by analyzing 
> these logs. The logs from multiple bots will be aggregated to find the 
> addresses they have communicated with in common. After filtering out 
> the addresses of public servers, the remaining addresses may belong to 
> the controller/attacker.
>
> The proposed SADA scheme belongs to the first category. Noticing the 
> word “invasive” for logging, I understand you may refer to the second 
> category. “invasive” implies logging on OS-level information such as 
> instructions, which may involve monitoring suspicious software inside 
> a honeypot or sandbox. I don’t know whether my understanding is 
> correct. I would be very grateful if you could provide the related 
> progress upon traceback and give further suggestions.
>
>
> Best,
>
> Linbo
>
> ---- Replied Message ----
> From 	惠林博<huilb@zgclab.edu.cn> <mailto:huilb@zgclab.edu.cn>
> Date 	9/26/2022 11:51
> To 	Joel Halpern<jmh@joelhalpern.com> <mailto:jmh@joelhalpern.com>
> Cc 	savnet@ietf.org<savnet@ietf.org> <mailto:savnet@ietf.org>
> Subject 	Re: Re: [savnet] draft-cui-savnet-anti-ddos-00
>
> Hi Joel,
>
>
> Thanks for your question.
>
>
> We consider there are two levels for traceback. The primary goal is to 
> locate the bots, which SAV routers in the access network can easily 
> accomplish.
>
>
> The high-level goal is to traceback the controller/attacker. We are 
> currently considering logging the communication activities of a host 
> when it is regarded as a suspect. The logging data includes authentic 
> src/dst IP, src/dst Port, protocol, and so on. We hope to identify the 
> controller/attacker by analyzing these logs from widespread SAV 
> routers. This mechanism may introduce more pervasive and invasive 
> logging on suspicious hosts, and it may not always be practical. We 
> will conduct more research on it.
>
>
>
> Best,
>
> Linbo
>
>
>     -----Original Message-----
>     *From:*"Joel Halpern" <jmh@joelhalpern.com>
>     *Sent:*2022-09-25 01:21:06 (Sunday)
>     *To:* "惠林博" <huilb@zgclab.edu.cn>
>     *Cc:* "savnet@ietf.org" <savnet@ietf.org>
>     *Subject:* Re: [savnet] draft-cui-savnet-anti-ddos-00
>
>     I am slightly confused by the explanation below. Which at least
>     suggests that clarification of the text would be helpful.
>
>     Some explained to me off list that the purpose of the recording /
>     logging was to determine where the actual bot control could be
>     found.  But recording / logging the spoofed packets will not do
>     that.  The controller needs to communicate with the real address. 
>     Which would seem to imply a much more pervasive and invasive
>     logging of the activity??
>
>     Yours,
>
>     Joel
>
>     On 9/24/2022 6:03 AM, 惠林博 wrote:
>>
>>
>>     Hi Barry,
>>
>>
>>     Thanks for your suggestion.
>>
>>
>>     In SADA, the SAV routers are designed not to simply discard the
>>     spoofed packets but to record the spoofing statistics and
>>     behaviors, which we regard as a honeynet. Compared with existing
>>     honeynets, the SAV routers lack some lure and sacrifice
>>     mechanisms. If the terminology "honeynet" in SADA is considered
>>     unsuitable, we will remove it in the revised draft.
>>
>>
>>     Netflow/IPFIX is a network traffic measurement technology that
>>     uses packet sampling to generate flow-level statistics that can
>>     be used to detect attacks. In addition, the DOTS
>>     WG(https://datatracker.ietf.org/wg/dots/about/) has proposed a
>>     signaling architecture to detect, classify, traceback, and
>>     mitigate DDoS attacks. DOTS focuses on DDoS threat signals
>>     transmission under attack traffic congestion conditions. In
>>     comparison, the SADA collects statistics on every spoofed packet
>>     and is targeted for DDoS detection. Netflow/IPFIX and DOTS are
>>     both potential data collection methods for SADA.
>>
>>
>>
>>     Best,
>>
>>     Linbo Hui
>>
>>
>>
>>
>>         -----Original Message-----
>>         *From:*"Barry Greene" <bgreene@senki.org>
>>         *Sent:*2022-09-20 09:45:58 (Tuesday)
>>         *To:* "惠林博" <huilb@zgclab.edu.cn>
>>         *Cc:* "savnet@ietf.org" <savnet@ietf.org>
>>         *Subject:* Re: [savnet] draft-cui-savnet-anti-ddos-00
>>
>>
>>         Read through twice. I would suggest more research into
>>         today’s operational realities. For example:
>>
>>         "A distributed DDoS detection mechanism based on honeynets.
>>         The SADA introduces a SAV controller for gathering spoofing
>>         statistics from SAV routers that act as honeynets.”
>>
>>         This is active today through multiple HoneyNet projects. For
>>         context on today’s operational deployments, talk with Q360 for
>>         an in-China example.
>>
>>         “The SADA can detect DDoS attacks with a comprehensive
>>         analysis using aggregated information from distributed SAV
>>         routers.”
>>
>>         Isn’t that Netflow/IPFIX with open source and commercial
>>         telemetry systems?
>>
>>         What is improving on what we have deployed today?
>>
>>
>>
>>>         On Sep 20, 2022, at 8:36 AM, 惠林博
>>>         <huilb=40zgclab.edu.cn@dmarc.ietf.org> wrote:
>>>
>>>         Hi SAVNET Experts,
>>>
>>>         We have submitted a new draft:
>>>         draft-cui-savnet-anti-ddos-00. The link is
>>>         https://datatracker.ietf.org/doc/draft-cui-savnet-anti-ddos/
>>>
>>>         The draft proposes the SAVA-based Anti-DDoS Architecture
>>>         (SADA), which can efficiently detect, mitigate, and
>>>         traceback Denial-of-Service (DDoS) attacks that spoof source
>>>         addresses. The SADA consists of a distributed DDoS detection
>>>         mechanism based on honeynets, a multi-stage DDoS mitigation
>>>         mechanism, and a suspect-based DDoS traceback mechanism. By
>>>         adopting the Source Address Validation Architecture (SAVA)
>>>         of SAVNET and introducing the data plane and the control
>>>         plane, the SADA makes minor changes to the SAVA while
>>>         providing major benefits.
>>>
>>>         We'd be grateful if you could provide some feedback. Please
>>>         let us know if you have any questions or comments about the
>>>         draft.
>>>
>>>
>>>         Best regards
>>>
>>>         Linbo Hui
>>>         --
>>>         savnet mailing list
>>>         savnet@ietf.org
>>>         https://www.ietf.org/mailman/listinfo/savnet
>>
>>
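The log-aggregation step Linbo describes in the thread above (collect the validated-source communications of hosts that have spoofed, intersect the peers across suspects, drop well-known public servers) can be illustrated as a small defender-side correlation job. The following is an added example written for this archive page; it is not code from the draft, from SADA, or from any of the participants. The flow record format, the per-router prefixes used for the SAV check, the allowlist, and all sample flows are constructed assumptions. It also makes Joel's point concrete: the spoofed packets only serve to locate the sending attachment (here the ingress port), and it is the non-spoofed traffic from that attachment that carries any information about a common peer.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: each access router validates a packet's source against the prefix it serves.
ROUTER_PREFIX = {
    "r1": ip_network("192.0.2.0/25"),
    "r2": ip_network("192.0.2.128/25"),
    "r3": ip_network("198.51.100.0/24"),
}

# Assumed allowlist of well-known public servers (constructed addresses).
PUBLIC_SERVERS = {"203.0.113.53", "203.0.113.80"}


@dataclass(frozen=True)
class FlowRecord:
    """One flow seen by a SAV router (constructed format, not SADA's)."""
    router: str     # router that observed the flow
    port: str       # ingress port; identifies the attached host regardless of src
    src: str
    dst: str
    dst_port: int
    proto: str


def is_spoofed(rec: FlowRecord) -> bool:
    """SAV check: the source lies outside the prefix the ingress router serves."""
    return ip_address(rec.src) not in ROUTER_PREFIX[rec.router]


def find_suspects(records):
    """Attachments (router, port) that have ever sent a spoofed source.
    The spoofed src itself says nothing about identity; the port locates the bot."""
    return {(r.router, r.port) for r in records if is_spoofed(r)}


def genuine_contacts(records, suspects):
    """Per suspect, the peers it reached with a validated (real) source address."""
    contacts = defaultdict(set)
    for r in records:
        key = (r.router, r.port)
        if key in suspects and not is_spoofed(r):
            contacts[key].add(r.dst)
    return contacts


def candidate_controllers(records, min_suspects=2, allowlist=PUBLIC_SERVERS):
    """Addresses contacted by at least `min_suspects` distinct suspects,
    minus allowlisted public servers. Returns {address: suspect_count}."""
    suspects = find_suspects(records)
    tally = Counter()
    for peers in genuine_contacts(records, suspects).values():
        tally.update(peers)
    return {dst: n for dst, n in tally.items()
            if n >= min_suspects and dst not in allowlist}


# Constructed sample: two bots (r1/p1, r2/p4) spoof toward a victim, then talk to
# the same non-public peer with their real addresses; r3/p2 is a clean host that
# happens to reach the same peer, which must not count because it never spoofed.
SAMPLE = [
    FlowRecord("r1", "p1", "10.0.0.5",      "203.0.113.200", 80,   "udp"),  # spoofed
    FlowRecord("r1", "p1", "192.0.2.10",    "198.18.0.7",    4444, "tcp"),
    FlowRecord("r1", "p1", "192.0.2.10",    "203.0.113.53",  53,   "udp"),
    FlowRecord("r1", "p1", "192.0.2.10",    "198.18.0.9",    443,  "tcp"),
    FlowRecord("r2", "p4", "172.16.9.9",    "203.0.113.200", 80,   "udp"),  # spoofed
    FlowRecord("r2", "p4", "192.0.2.140",   "198.18.0.7",    4444, "tcp"),
    FlowRecord("r2", "p4", "192.0.2.140",   "203.0.113.53",  53,   "udp"),
    FlowRecord("r2", "p4", "192.0.2.140",   "203.0.113.80",  443,  "tcp"),
    FlowRecord("r3", "p2", "198.51.100.20", "198.18.0.7",    4444, "tcp"),  # not a suspect
    FlowRecord("r3", "p2", "198.51.100.20", "198.18.0.9",    443,  "tcp"),
]

if __name__ == "__main__":
    print("suspects:", sorted(find_suspects(SAMPLE)))
    print("candidate controllers:", candidate_controllers(SAMPLE))
```

Two design points follow from the thread. First, the allowlist is doing real work: every host in a region shares DNS resolvers, CDNs and update servers, so "contacted by several suspects" on its own produces mostly false positives, and the threshold `min_suspects` only helps once those are removed. Second, everything after `find_suspects` runs over non-spoofed traffic of specific hosts, which is exactly the more pervasive logging Joel flags and which the chair's reply places outside the working group's charter.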