Re: [savnet] draft-cui-savnet-anti-ddos-00
Joel Halpern <jmh.direct@joelhalpern.com> Fri, 30 September 2022 03:07 UTC
From: Joel Halpern <jmh.direct@joelhalpern.com>
To: 惠林博 <huilb@zgclab.edu.cn>
Cc: "savnet@ietf.org" <savnet@ietf.org>
Date: Thu, 29 Sep 2022 23:07:26 -0400
Message-ID: <668056ac-755c-e06b-5061-d191080c845c@joelhalpern.com>
In-Reply-To: <DCB00AE8-6AE3-493B-8437-4719E6A1AECA@zgclab.edu.cn>
Archived-At: <https://mailarchive.ietf.org/arch/msg/savnet/Ufin9l_uYw3dzgRJvRDIes3d__U>
List-Id: Source Address Validation in Intra-domain and Inter-domain Networks <savnet.ietf.org>

Rather than debating SADA with you, and noting that I have not yet discussed and confirmed this with my co-chair, I will say that the kind of monitoring you describe, collecting information about non-spoofed traffic, is out of charter for the savnet working group. While I understand that it is related to the spoofing problem, it is a distinct problem. And IETF working groups need to stay within their charter.

Yours,
Joel

On 9/29/2022 10:42 PM, 惠林博 wrote:
> Hi Joel,
>
> I would like to add some explanation for clarification. After a little more thought, we consider that the traceback mechanisms can be classified into two categories. One is from the network layer to identify the controller/attacker from general communication statistics. The other is to monitor the suspicious software's behaviors inside the bots to traceback.
>
> The SADA's high-level traceback goal is to identify the controller/attacker. The bot and the controller/attacker may communicate with real addresses during an attack, and a bot is possibly used for multiple attacks in the future. We consider logging the communication activities of the hosts that have ever spoofed addresses and hope to identify the controller/attacker by analyzing these logs. The logs from multiple bots will be aggregated to find the addresses they have communicated with in common. After filtering out the addresses of public servers, the remaining addresses may belong to the controller/attacker.
>
> The proposed SADA scheme belongs to the first category. Noticing the word "invasive" for logging, I understand you may refer to the second category. "Invasive" implies logging on OS-level information such as instructions, which may involve monitoring suspicious software inside a honeypot or sandbox. I don't know whether my understanding is correct. I would be very grateful if you could provide the related progress upon traceback and give further suggestions.
>
> Best,
>
> Linbo
>
> ---- Replied Message ----
> From: 惠林博 <huilb@zgclab.edu.cn>
> Date: 9/26/2022 11:51
> To: Joel Halpern <jmh@joelhalpern.com>
> Cc: savnet@ietf.org
> Subject: Re: Re: [savnet] draft-cui-savnet-anti-ddos-00
>
> Hi Joel,
>
> Thanks for your question.
>
> We consider there are two levels for traceback. The primary goal is to locate the bots, which SAV routers in the access network can easily accomplish.
>
> The high-level goal is to traceback the controller/attacker. We are currently considering logging the communication activities of a host when it is regarded as a suspect. The logging data includes authentic src/dst IP, src/dst Port, protocol, and so on. We hope to identify the controller/attacker by analyzing these logs from widespread SAV routers. This mechanism may introduce more pervasive and invasive logging on suspicious hosts, and it may not always be practical. We will conduct more research on it.
>
> Best,
>
> Linbo
>
> -----Original Message-----
> *From:* "Joel Halpern" <jmh@joelhalpern.com>
> *Sent:* 2022-09-25 01:21:06 (Sunday)
> *To:* "惠林博" <huilb@zgclab.edu.cn>
> *Cc:* "savnet@ietf.org" <savnet@ietf.org>
> *Subject:* Re: [savnet] draft-cui-savnet-anti-ddos-00
>
> I am slightly confused by the explanation below. Which at least suggests that clarification of the text would be helpful.
>
> Someone explained to me off list that the purpose of the recording / logging was to determine where the actual bot control could be found. But recording / logging the spoofed packets will not do that. The controller needs to communicate with the real address. Which would seem to imply a much more pervasive and invasive logging of the activity??
>
> Yours,
>
> Joel
>
> On 9/24/2022 6:03 AM, 惠林博 wrote:
>> Hi Barry,
>>
>> Thanks for your suggestion.
>>
>> In SADA, the SAV routers are designed not to simply discard the spoofed packets but to record the spoofing statistics and behaviors, which we regard as a honeynet. Compared with existing honeynets, the SAV routers lack some lure and sacrifice mechanisms. If the terminology "honeynet" in SADA is considered unsuitable, we will remove it in the revised draft.
>>
>> Netflow/IPFIX is a network traffic measurement technology that uses packet sampling to generate flow-level statistics that can be used to detect attacks. In addition, the DOTS WG (https://datatracker.ietf.org/wg/dots/about/) has proposed a signaling architecture to detect, classify, traceback, and mitigate DDoS attacks. DOTS focuses on DDoS threat signal transmission under attack traffic congestion conditions. In comparison, the SADA collects statistics on every spoofed packet and is targeted for DDoS detection. Netflow/IPFIX and DOTS are both potential data collection methods for SADA.
>>
>> Best,
>>
>> Linbo Hui
>>
>> -----Original Message-----
>> *From:* "Barry Greene" <bgreene@senki.org>
>> *Sent:* 2022-09-20 09:45:58 (Tuesday)
>> *To:* "惠林博" <huilb@zgclab.edu.cn>
>> *Cc:* "savnet@ietf.org" <savnet@ietf.org>
>> *Subject:* Re: [savnet] draft-cui-savnet-anti-ddos-00
>>
>> Read through twice. I would suggest more research into today's operational realities. For example:
>>
>> "A distributed DDoS detection mechanism based on honeynets. The SADA introduces a SAV controller for gathering spoofing statistics from SAV routers that act as honeynets."
>>
>> This is active today through multiple HoneyNet projects. For context on today's operational deployments, talk with Q360 for an in-China example.
>>
>> "The SADA can detect DDoS attacks with a comprehensive analysis using aggregated information from distributed SAV routers."
>>
>> Isn't that Netflow/IPFIX with open source and commercial telemetry systems?
>>
>> What is improving on what we have deployed today?
>>
>>> On Sep 20, 2022, at 8:36 AM, 惠林博 <huilb=40zgclab.edu.cn@dmarc.ietf.org> wrote:
>>>
>>> Hi SAVNET Experts,
>>>
>>> We have submitted a new draft: draft-cui-savnet-anti-ddos-00. The link is https://datatracker.ietf.org/doc/draft-cui-savnet-anti-ddos/
>>>
>>> The draft proposes the SAVA-based Anti-DDoS Architecture (SADA), which can efficiently detect, mitigate, and traceback Denial-of-Service (DDoS) attacks that spoof source addresses. The SADA consists of a distributed DDoS detection mechanism based on honeynets, a multi-stage DDoS mitigation mechanism, and a suspect-based DDoS traceback mechanism. By adopting the Source Address Validation Architecture (SAVA) of SAVNET and introducing the data plane and the control plane, the SADA makes minor changes to the SAVA while providing major benefits.
>>>
>>> We'd be grateful if you could provide some feedback. Please let us know if you have any questions or comments about the draft.
>>>
>>> Best regards
>>>
>>> Linbo Hui
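The two traceback mechanisms argued over in this thread can be made concrete in a few dozen lines. The script below is an added illustration, not code from draft-cui-savnet-anti-ddos or from any participant, and it runs on constructed flow records in an assumed export format (`router,real_src,pkt_src,dst,dport,proto`, where `real_src` is the address the access router knows the attached host by and `pkt_src` is what the packet carried). `PUBLIC_SERVERS` is an assumed allowlist. It shows Joel's point first: logging only the spoofed packets yields the reflector or victim, never the controller. It then implements the aggregation Linbo describes: take the hosts that have ever spoofed, collect the peers they talked to with their real address, drop public servers, and rank what remains by how many distinct suspects share it.

```python
"""Suspect-based traceback of a botnet controller from SAV router flow logs.

Added illustration, not code from draft-cui-savnet-anti-ddos or the SADA
authors. The log format and the allowlist of public servers are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records, one per line, in an assumed export format:
#   router,real_src,pkt_src,dst,dport,proto
# real_src is the address the access router knows the attached host by;
# pkt_src is the source address carried in the packet. They differ when the
# host spoofs. All addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = """\
r1,10.0.1.10,203.0.113.7,198.51.100.5,53,udp
r1,10.0.1.10,10.0.1.10,192.0.2.44,6667,tcp
r1,10.0.1.10,10.0.1.10,203.0.113.80,443,tcp
r2,10.0.2.20,198.18.0.1,198.51.100.5,53,udp
r2,10.0.2.20,10.0.2.20,192.0.2.44,6667,tcp
r2,10.0.2.20,10.0.2.20,203.0.113.80,443,tcp
r2,10.0.2.21,10.0.2.21,192.0.2.44,6667,tcp
r3,10.0.3.30,10.0.3.30,203.0.113.80,443,tcp
r3,10.0.3.30,10.0.3.30,192.0.2.99,22,tcp
"""

# Assumed allowlist of well-known public services that many hosts contact
# anyway (CDN edges, resolvers). Peers in these ranges are never candidates.
PUBLIC_SERVERS = [ip_network("203.0.113.80/32")]


def parse_flows(text):
    """Parse the CSV-like export above into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        router, real_src, pkt_src, dst, dport, proto = line.split(",")
        flows.append({"router": router, "real_src": real_src, "pkt_src": pkt_src,
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def find_suspects(flows):
    """Hosts that emitted at least one packet with a source address not their own."""
    return {f["real_src"] for f in flows if f["pkt_src"] != f["real_src"]}


def spoofed_targets(flows):
    """Destinations of the spoofed packets themselves: the victim or reflector.
    This is all that logging only spoofed packets can reveal."""
    return {f["dst"] for f in flows if f["pkt_src"] != f["real_src"]}


def rank_controller_candidates(flows, allowlist=PUBLIC_SERVERS, min_suspects=2):
    """Aggregate the NON-spoofed peers of every suspect, drop public servers,
    and rank the remaining peers by how many distinct suspects contacted them."""
    suspects = find_suspects(flows)
    contacted_by = defaultdict(set)
    for f in flows:
        if f["real_src"] not in suspects or f["pkt_src"] != f["real_src"]:
            continue  # only genuine-address traffic can point at the controller
        if any(ip_address(f["dst"]) in net for net in allowlist):
            continue  # shared public infrastructure, not evidence of a C2
        contacted_by[(f["dst"], f["dport"], f["proto"])].add(f["real_src"])
    ranked = [(peer, len(hosts)) for peer, hosts in contacted_by.items()
              if len(hosts) >= min_suspects]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("suspects:", sorted(find_suspects(flows)))
    print("spoofed packets point at:", sorted(spoofed_targets(flows)))
    for (dst, dport, proto), n in rank_controller_candidates(flows):
        print(f"candidate controller {dst}:{dport}/{proto} shared by {n} suspects")
```

On the sample data the spoofed packets point only at 198.51.100.5 (the reflector), while the ranking singles out 192.0.2.44:6667/tcp, shared by both spoofing hosts; 10.0.2.21 also talks to that peer but is never a suspect because it never spoofed, so it is not counted. Two caveats a practitioner would want: the allowlist must cover any non-public service that many hosts in the domain legitimately share (an ISP's own NTP or update mirrors) or it will surface as a false candidate, and the per-host peer logging this requires is exactly the non-spoofed-traffic monitoring the chair says is outside the savnet charter.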