[Secdispatch] New Draft Notification for draft-faibish-iot-ddos-usecases-01.txt

<Faibish.Sorin@dell.com> Wed, 22 January 2020 21:42 UTC

Return-Path: <Faibish.Sorin@dell.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6F3F120091 for <secdispatch@ietfa.amsl.com>; Wed, 22 Jan 2020 13:42:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dell.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UNMf8wfyY5K9 for <secdispatch@ietfa.amsl.com>; Wed, 22 Jan 2020 13:42:43 -0800 (PST)
Received: from mx0a-00154904.pphosted.com (mx0a-00154904.pphosted.com [148.163.133.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D291E12001B for <secdispatch@ietf.org>; Wed, 22 Jan 2020 13:42:43 -0800 (PST)
Received: from pps.filterd (m0170390.ppops.net [127.0.0.1]) by mx0a-00154904.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 00MLU8cI024226 for <secdispatch@ietf.org>; Wed, 22 Jan 2020 16:42:43 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dell.com; h=from : to : cc : subject : date : message-id : content-type : content-transfer-encoding : mime-version; s=smtpout1; bh=633E37+DT9bZk95z2L84RnQvjy2rYy6K8L5zRJ5mSlE=; b=TBcKGWmhpt4vti7miY8xUf21Y4/rsBQ+ygOC/rCait7wpjNRw/F9xniBef/5sonQWImY 4wyAfdmZ7gQAbV9lqYiFn/vxwbd8/WJ43txDNqAu1GgmevekFrYB3TB4MviC/jAi6+lV 59twbk28E7wuQNHGnjX54FVCbJJscDoc47DNvLEs+wZfQbmE81IO8ojbC8FTPCIAZLaX pYoBrjd823ePoEV1Tmfw4m8vru2u/fBwb972kU9DW1f+meoByT9I2hbnZOKo9wj54b01 RzW8SzEt/UtnOkseS5S0mmBNJRno4duYFBe7OFJZP4UpxoBzEVSPrwcspzwIdmX9Stlq XA==
Received: from mx0b-00154901.pphosted.com (mx0b-00154901.pphosted.com [67.231.157.37]) by mx0a-00154904.pphosted.com with ESMTP id 2xkwy7apjj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <secdispatch@ietf.org>; Wed, 22 Jan 2020 16:42:43 -0500
Received: from pps.filterd (m0144102.ppops.net [127.0.0.1]) by mx0b-00154901.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 00MLSPQw181656 for <secdispatch@ietf.org>; Wed, 22 Jan 2020 16:42:42 -0500
Received: from ausxippc101.us.dell.com (ausxippc101.us.dell.com [143.166.85.207]) by mx0b-00154901.pphosted.com with ESMTP id 2xps555aw8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <secdispatch@ietf.org>; Wed, 22 Jan 2020 16:42:42 -0500
X-LoopCount0: from 10.166.132.195
X-PREM-Routing: D-Outbound
X-IronPort-AV: E=Sophos;i="5.60,346,1549951200"; d="scan'208";a="1350186108"
From: <Faibish.Sorin@dell.com>
To: <secdispatch@ietf.org>
CC: <Kathleen.Moriarty@dell.com>
Thread-Topic: New Draft Notification for draft-faibish-iot-ddos-usecases-01.txt
Thread-Index: AdXRbNx/hkX8iruETDWX4ppimBDk7A==
Date: Wed, 22 Jan 2020 21:42:39 +0000
Message-ID: <0714fc59468c496c9f49ab30a222eb80@x13pwdurdag1001.AMER.DELL.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Enabled=True; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_SiteId=945c199a-83a2-4e80-9f8c-5a91be5752dd; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Owner=faibish_sorin@emc.com; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_SetDate=2020-01-22T21:03:30.8708167Z; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Name=External Public; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Application=Microsoft Azure Information Protection; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Extended_MSFT_Method=Manual; aiplabel=External Public
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.146.130.80]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.572 definitions=2020-01-22_08:2020-01-22, 2020-01-22 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 spamscore=0 adultscore=0 priorityscore=1501 bulkscore=0 mlxlogscore=999 clxscore=1015 impostorscore=0 lowpriorityscore=0 malwarescore=0 phishscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-2001220182
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 mlxlogscore=999 phishscore=0 clxscore=1015 priorityscore=1501 mlxscore=0 suspectscore=0 bulkscore=0 adultscore=0 spamscore=0 lowpriorityscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-2001220182
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/Ij4SGpefIqiM4FO6eQaIvmAFyeY>
Subject: [Secdispatch] New Draft Notification for draft-faibish-iot-ddos-usecases-01.txt
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 21:42:48 -0000

Dear secdispatch chairs,

For the last year I worked on this draft defining usecases of IoT devices exploited for DDoS attacks in the TEEP WG. The purpose of the draft is to present the problem and if approved to write a second draft with prevention protocol. Last meeting TEEP decided not to pursue this draft as part of the TEEP WG as out of scope. As a result I want to make the case so this protocol proposal to become a secdispatch draft. During the work on this draft I also started to build a tool that will allow checking IoT devices vulnerability to be used to check potential opportunity to use the specific IoT devices as means for DDoS attacks. I tested the first version at the Hackathon at IETF 105 in Montreal within the TEEP WG but there were no IoT devices prototypes at hackathon so, I was only able to self test. 

The python test tool is scanning any network protocol and open ports to check vulnerability to be used by bad actors to start reflection DDoS attacks from the device. The compliance tool runs Python code, to scan an IoT device (local or external) for open ports, based on the most common 42 ports (TCP and UDP) used by IoTs. These port scan results are then compared with the MUD file that is provided by the user for the specific IoT, since every MUD file is tailored to that specific manufacturer’s IoT model. The source-ports (TCP and UDP) mentioned in the MUD are extracted by the Python program and then compared against the 42 ports scanned earlier. There is also a MUD visualizer, that takes in a MUD file and shows the incoming and outgoing traffic based on the JSON MUD file. You may also make a MUD file.

Thank you very much for your support

./Sorin

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org> 
Sent: Wednesday, December 25, 2019 4:09 PM
To: faibish, sorin
Subject: New Version Notification for draft-faibish-iot-ddos-usecases-01.txt


[EXTERNAL EMAIL] 


A new version of I-D, draft-faibish-iot-ddos-usecases-01.txt
has been successfully submitted by Sorin Faibish and posted to the IETF repository.

Name:		draft-faibish-iot-ddos-usecases
Revision:	01
Title:		Usecases definition for IoT DDoS attacks prevention
Document date:	2019-12-25
Group:		Individual Submission
Pages:		9
URL:            https://www.ietf.org/internet-drafts/draft-faibish-iot-ddos-usecases-01.txt
Status:         https://datatracker.ietf.org/doc/draft-faibish-iot-ddos-usecases/
Htmlized:       https://tools.ietf.org/html/draft-faibish-iot-ddos-usecases-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-faibish-iot-ddos-usecases
Diff:           https://www.ietf.org/rfcdiff?url2=draft-faibish-iot-ddos-usecases-01

Abstract:
   This document specifies several usecases related to the different
   ways IoT devices are exploited by malicious adversaries to
   instantiate Distributed Denial of Services (DDoS) attacks. The
   attacks are generted from IoT devices that have no proper protection
   against generating unsolicited communication messages targeting a
   certain network and creating large amounts of network traffic. The
   attackers take advantage of breaches in the configuration data in
   unprotected IoT devices exploited for DDoS attacks. The attackers
   take advantage of the IoT devices that can send network packets
   that were generated by malicious code that interacts with an OS
   implementation that runs on the IoT devices. The prupose of this
   draft is to present possible IoT DDoS usecases that need to be
   prevented by TEE. The major enabler of such attacks is related to
   IoT devices that have no OS or unprotected EE OS and run
   code that is downloaded to them from the TA and modified by
   man-in-the-middle that inserts malicious code in the OS.

                                                                                  


Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat