[Secdispatch] FW: New Version Notification for draft-faibish-iot-ddos-usecases-01.txt

<Faibish.Sorin@dell.com> Wed, 22 January 2020 21:03 UTC

Return-Path: <Faibish.Sorin@dell.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57D6B120885 for <secdispatch@ietfa.amsl.com>; Wed, 22 Jan 2020 13:03:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dell.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DAKCsJt9e_Ns for <secdispatch@ietfa.amsl.com>; Wed, 22 Jan 2020 13:03:37 -0800 (PST)
Received: from mx0a-00154904.pphosted.com (mx0a-00154904.pphosted.com [148.163.133.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DD5E12087B for <secdispatch@ietf.org>; Wed, 22 Jan 2020 13:03:37 -0800 (PST)
Received: from pps.filterd (m0170391.ppops.net [127.0.0.1]) by mx0a-00154904.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 00ML0A3u021836 for <secdispatch@ietf.org>; Wed, 22 Jan 2020 16:03:36 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dell.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=smtpout1; bh=OUJRlagidexg/orD8XqCrp9TL2EVk3Oznr1Hbg+TwUE=; b=M6221PMMHjgEMln+lEY07VXPJUnvd/mu9kCTF0eot4x8kcb7SPQijfHHkzDDjNXsUPj3 Fep7BrvRu0RM/7+yoqtdnHBYbz+GmtK+f1Eas4zFJeUsdNlhadeTIg0hfSBYJ2pvWK9x cUPxThbnErrYueiwcX1hLj8jjbrUCLdeQyNpmYP5OaLMgFml0TlqdCnLyNVsymiyYOMq m1SO9PlkvrIvD99LdCQ2JN1HvRzdB1S6zACs4a3DsshysYtJYv/d5pyXAa4QcPU2tFwh CNW6TDDkNZpo4U4bOITG7ZEF1X1gaZCk01hN/tOBfOwHQqn62Vp7gIWOnX7Nj0GseefK XQ==
Received: from mx0a-00154901.pphosted.com (mx0a-00154901.pphosted.com [67.231.149.39]) by mx0a-00154904.pphosted.com with ESMTP id 2xpv9h0e6x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <secdispatch@ietf.org>; Wed, 22 Jan 2020 16:03:36 -0500
Received: from pps.filterd (m0134746.ppops.net [127.0.0.1]) by mx0a-00154901.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 00MKwMnX162020 for <secdispatch@ietf.org>; Wed, 22 Jan 2020 16:03:36 -0500
Received: from ausxippc110.us.dell.com (AUSXIPPC110.us.dell.com [143.166.85.200]) by mx0a-00154901.pphosted.com with ESMTP id 2xpt1k40sy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <secdispatch@ietf.org>; Wed, 22 Jan 2020 16:03:36 -0500
X-LoopCount0: from 10.166.132.128
X-PREM-Routing: D-Outbound
X-IronPort-AV: E=Sophos;i="5.60,349,1549951200"; d="scan'208";a="907418284"
From: <Faibish.Sorin@dell.com>
To: <secdispatch@ietf.org>
CC: <Kathleen.Moriarty@dell.com>
Thread-Topic: New Version Notification for draft-faibish-iot-ddos-usecases-01.txt
Thread-Index: AQHVu2eQmpLQttK5yE+1FHWFMMTBsqf3UwYw
Date: Wed, 22 Jan 2020 21:03:32 +0000
Message-ID: <3d6e25481f044ea182fbfe06bf8ccd0c@x13pwdurdag1001.AMER.DELL.COM>
References: <157730815035.29082.3329281957041349799.idtracker@ietfa.amsl.com>
In-Reply-To: <157730815035.29082.3329281957041349799.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Enabled=True; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_SiteId=945c199a-83a2-4e80-9f8c-5a91be5752dd; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Owner=faibish_sorin@emc.com; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_SetDate=2020-01-22T21:03:30.8708167Z; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Name=External Public; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Application=Microsoft Azure Information Protection; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Extended_MSFT_Method=Manual; aiplabel=External Public
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.146.130.80]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.572 definitions=2020-01-22_08:2020-01-22, 2020-01-22 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 adultscore=0 impostorscore=0 suspectscore=0 mlxlogscore=999 lowpriorityscore=0 spamscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-2001220179
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 impostorscore=0 mlxscore=0 malwarescore=0 priorityscore=1501 lowpriorityscore=0 clxscore=1015 phishscore=0 suspectscore=0 mlxlogscore=999 bulkscore=0 spamscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-2001220179
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/ZsTC-QY-Y1o3WolAL9hwP8XTRgw>
Subject: [Secdispatch] FW: New Version Notification for draft-faibish-iot-ddos-usecases-01.txt
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 21:03:39 -0000

Dear secdispatch chairs,

For the last year I worked on this draft defining usecases of IoT devices exploited for DDoS attacks in the TEEP WG. The purpose of the draft is to present the problem and if approved to write a second draft with prevention protocol. Last meeting TEEP decided not to pursue this draft as part of the TEEP WG as out of scope. As a result I want to make the case so this protocol proposal to become a secdispatch draft. During the work on this draft I also started to build a tool that will allow checking IoT devices vulnerability to be used to check potential opportunity to use the specific IoT devices as means for DDoS attacks. I tested the first version at the Hackathon at IETF 105 in Montreal within the TEEP WG but there were no IoT devices prototypes at hackathon so, I was only able to self test. 

I want to ask a 15 minutes time slot in the secdispatch meeting during the IETF 107 in Vancouver as well as presenting the python tool to be used by other interested parties to test their own IoT devices. I will again attend the Hackathon in Vancouver and check the IoT devices that will be brought by any WG. I will still attend the TEEP meetings as well. 

The tool is scanning any network protocol and open ports to check vulnerability to be used by bad actors to start reflection DDoS attacks from the device. The compliance tool runs Python code, to scan an IoT device (local or external) for open ports, based on the most common 42 ports (TCP and UDP) used by IoTs. These port scan results are then compared with the MUD file that is provided by the user for the specific IoT, since every MUD file is tailored to that specific manufacturer’s IoT model. The source-ports (TCP and UDP) mentioned in the MUD are extracted by the Python program and then compared against the 42 ports scanned earlier. There is also a MUD visualizer, that takes in a MUD file and shows the incoming and outgoing traffic based on the JSON MUD file. You may also make a MUD file.

Thank you very much for your support

./Sorin

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org> 
Sent: Wednesday, December 25, 2019 4:09 PM
To: faibish, sorin
Subject: New Version Notification for draft-faibish-iot-ddos-usecases-01.txt


[EXTERNAL EMAIL] 


A new version of I-D, draft-faibish-iot-ddos-usecases-01.txt
has been successfully submitted by Sorin Faibish and posted to the IETF repository.

Name:		draft-faibish-iot-ddos-usecases
Revision:	01
Title:		Usecases definition for IoT DDoS attacks prevention
Document date:	2019-12-25
Group:		Individual Submission
Pages:		9
URL:            https://www.ietf.org/internet-drafts/draft-faibish-iot-ddos-usecases-01.txt
Status:         https://datatracker.ietf.org/doc/draft-faibish-iot-ddos-usecases/
Htmlized:       https://tools.ietf.org/html/draft-faibish-iot-ddos-usecases-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-faibish-iot-ddos-usecases
Diff:           https://www.ietf.org/rfcdiff?url2=draft-faibish-iot-ddos-usecases-01

Abstract:
   This document specifies several usecases related to the different
   ways IoT devices are exploited by malicious adversaries to
   instantiate Distributed Denial of Services (DDoS) attacks. The
   attacks are generted from IoT devices that have no proper protection
   against generating unsolicited communication messages targeting a
   certain network and creating large amounts of network traffic. The
   attackers take advantage of breaches in the configuration data in
   unprotected IoT devices exploited for DDoS attacks. The attackers
   take advantage of the IoT devices that can send network packets
   that were generated by malicious code that interacts with an OS
   implementation that runs on the IoT devices. The prupose of this
   draft is to present possible IoT DDoS usecases that need to be
   prevented by TEE. The major enabler of such attacks is related to
   IoT devices that have no OS or unprotected EE OS and run
   code that is downloaded to them from the TA and modified by
   man-in-the-middle that inserts malicious code in the OS.

                                                                                  


Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat