Re: [savnet] draft-cui-savnet-anti-ddos-00

惠林博 <huilb@zgclab.edu.cn> Fri, 30 September 2022 02:49 UTC


Hi Med,

Thanks for your information.

After reading RFC9244, RFC8903, and draft-ietf-dots-telemetry-use-cases-12, I understand that the DOTS client is deployed near the victim. It analyzes inbound traffic aggregated to the victim to detect attacks. We propose SADA to collect telemetry on outbound spoofed traffic from the near-source (bots) SAV routers to detect attacks. Maybe due to insufficient research, I am unsure how the DOTS client verifies whether the inbound source IP address is spoofed. I would be very grateful if you could provide more materials for reference.


Best,

Linbo


---- Replied Message ----

On Sep 26, 2022, at 3:37 PM, mohamed.boucadair@orange.com wrote:

Hi Linbo,
 
On the DOTS part, and for information, the protocol supports also a telemetry mechanism (RFC9244). Among things that can be reported as part of DOTS telemetry is the spoofing status of an address that is actively involved in an attack.  
 
Cheers,
Med
 
From: savnet <savnet-bounces@ietf.org> On behalf of ???
Sent: Saturday, 24 September 2022 12:04
To: bgreene@senki.org
Cc: savnet@ietf.org
Subject: Re: [savnet] draft-cui-savnet-anti-ddos-00
 

Hi Barry,

Thanks for your suggestion.

In SADA, the SAV routers are designed not to simply discard the spoofed packets but to record the spoofing statistics and behaviors, which we regard as a honeynet. Compared with existing honeynets, the SAV routers lack some lure and sacrifice mechanisms. If the terminology "honeynet" in SADA is considered unsuitable, we will remove it in the revised draft.


Netflow/IPFIX is a network traffic measurement technology that uses packet sampling to generate flow-level statistics that can be used to detect attacks. In addition, the DOTS WG (https://datatracker.ietf.org/wg/dots/about/) has proposed a signaling architecture to detect, classify, traceback, and mitigate DDoS attacks. DOTS focuses on DDoS threat signal transmission under attack traffic congestion conditions. In comparison, the SADA collects statistics on every spoofed packet and is targeted at DDoS detection. Netflow/IPFIX and DOTS are both potential data collection methods for SADA.

 

 

Best,

Linbo Hui

 




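To make the SADA point above concrete (SAV routers record spoofing statistics instead of only discarding spoofed packets, and a SAV controller detects an attack from the aggregated counts), here is a small constructed simulation. It is an added example, not code from the draft or its authors; the class names, the threshold of 50 packets per victim, the interface names and all addresses are assumptions for illustration.

```python
# Toy model of the SADA point made above: SAV routers validate outbound source
# addresses against the prefixes legitimately behind each ingress, and rather
# than only dropping spoofed packets they keep per-interface spoofing statistics
# that a central SAV controller aggregates. Constructed example, not draft code.
from collections import Counter
from ipaddress import ip_address, ip_network

class SavRouter:
    def __init__(self, name, allowed):  # allowed: {ingress: [prefix, ...]}
        self.name = name
        self.allowed = {i: [ip_network(p) for p in ps] for i, ps in allowed.items()}
        self.spoofed = Counter()  # (ingress, dst) -> spoofed packet count
        self.passed = 0

    def forward(self, ingress, src, dst):
        """Return True if the packet passes SAV, False if its source is spoofed."""
        if any(ip_address(src) in p for p in self.allowed[ingress]):
            self.passed += 1
            return True
        self.spoofed[(ingress, dst)] += 1  # record the event instead of silently discarding
        return False

class SavController:
    def __init__(self, threshold):
        self.threshold = threshold  # spoofed packets per victim that trigger an alert

    def detect(self, routers):
        """Sum spoofed counts per destination across all routers; return the
        {victim: total} entries at or above the threshold."""
        total = Counter()
        for r in routers:
            for (_, dst), n in r.spoofed.items():
                total[dst] += n
        return {d: n for d, n in total.items() if n >= self.threshold}

def run_demo():
    # Two edge routers, each with one customer prefix behind its LAN interface.
    r1 = SavRouter("r1", {"lan0": ["10.1.0.0/16"]})
    r2 = SavRouter("r2", {"lan0": ["10.2.0.0/16"]})
    victim = "198.51.100.10"
    for i in range(1, 6):  # legitimate traffic from inside the permitted prefixes
        r1.forward("lan0", f"10.1.0.{i}", victim)
        r2.forward("lan0", f"10.2.0.{i}", victim)
    for i in range(1, 41):  # bots behind both routers spoofing sources at the victim
        r1.forward("lan0", f"203.0.113.{i}", victim)
        r2.forward("lan0", f"192.0.2.{i}", victim)
    r1.forward("lan0", "192.0.2.99", "198.51.100.20")  # a lone spoofed packet elsewhere
    # Each router alone saw 40 spoofed packets (below 50); aggregated they reveal 80.
    return SavController(threshold=50).detect([r1, r2])
```

Neither router on its own crosses the threshold; only the controller's aggregated view does, which is the "comprehensive analysis using aggregated information from distributed SAV routers" the thread discusses.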
-----Original Message-----
From: "Barry Greene" <bgreene@senki.org>
Sent: 2022-09-20 09:45:58 (Tuesday)
To: "惠林博" <huilb@zgclab.edu.cn>
Cc: "savnet@ietf.org" <savnet@ietf.org>
Subject: Re: [savnet] draft-cui-savnet-anti-ddos-00

 
Read through twice. I would suggest more research into today's operational realities. For example:
 
"A distributed DDoS detection mechanism based on honeynets. The SADA introduces a SAV controller for gathering spoofing statistics from SAV routers that act as honeynets."
 
This is active today through multiple HoneyNet projects. For context on today's operational deployments, talk to Q360 for an in-China example.
 
“The SADA can detect DDoS attacks with a comprehensive analysis using aggregated information from distributed SAV routers.”
 
Isn’t that Netflow/IPFIX with open source and commercial telemetry systems? 
 
What is improving on what we have deployed today?
 
 


On Sep 20, 2022, at 8:36 AM, 惠林博 <huilb=40zgclab.edu.cn@dmarc.ietf.org> wrote:
 
Hi SAVNET Experts,

We have submitted a new draft: draft-cui-savnet-anti-ddos-00. The link is
https://datatracker.ietf.org/doc/draft-cui-savnet-anti-ddos/

The draft proposes the SAVA-based Anti-DDoS Architecture (SADA), which can efficiently detect, mitigate, and traceback Denial-of-Service (DDoS) attacks that spoof source addresses. The SADA consists of a distributed DDoS detection mechanism based on honeynets, a multi-stage DDoS mitigation mechanism, and a suspect-based DDoS traceback mechanism. By adopting the Source Address Validation Architecture (SAVA) of SAVNET and introducing the data plane and the control plane, the SADA makes minor changes to the SAVA while providing major benefits.

We'd be grateful if you could provide some feedback. Please let us know if you have any questions or comments about the draft.


Best regards

Linbo Hui
 