Re: [Secdispatch] FW: New Version Notification for draft-faibish-iot-ddos-usecases-01.txt

Michael Richardson <> Wed, 22 January 2020 22:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 35725120091 for <>; Wed, 22 Jan 2020 14:05:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id blAyuf5VpsWx for <>; Wed, 22 Jan 2020 14:05:16 -0800 (PST)
Received: from ( [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0F4C3120041 for <>; Wed, 22 Jan 2020 14:05:15 -0800 (PST)
Received: from ( [IPv6:2607:f0b0:f:2::247]) by (Postfix) with ESMTP id C736E3897E; Wed, 22 Jan 2020 17:04:40 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id 6AA6EC69; Wed, 22 Jan 2020 17:05:13 -0500 (EST)
From: Michael Richardson <>
In-Reply-To: <3d6e25481f044ea182fbfe06bf8ccd0c@x13pwdurdag1001.AMER.DELL.COM>
References: <> <3d6e25481f044ea182fbfe06bf8ccd0c@x13pwdurdag1001.AMER.DELL.COM>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Wed, 22 Jan 2020 17:05:13 -0500
Message-ID: <8545.1579730713@localhost>
Archived-At: <>
Subject: Re: [Secdispatch] FW: New Version Notification for draft-faibish-iot-ddos-usecases-01.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Jan 2020 22:05:18 -0000

I took a quick look through your document.

<> wrote:
    > with prevention protocol. Last meeting TEEP decided not to pursue this
    > draft as part of the TEEP WG as out of scope. As a result I want to

It certainly does seem out of scope for TEEP.  SUIT maybe, but even there
that work has been done. Perhaps it belongs with the MUD work as motivational
evidence, but I don't see anything particularly new.

Or with the IoT Lifecycle Security work that I've suggested, but it would
still be motivational document, maybe some kind of BCP once other specs reach
RFC and we have some experience with them.

    > I want to ask a 15 minutes time slot in the secdispatch meeting during
    > the IETF 107 in Vancouver as well as presenting the python tool to be
    > used by other interested parties to test their own IoT devices. I will

I'm sure that the tool is very interesting, but I don't see why secdispatch
should care.  
I suggest that you might want to do a Happy Hackdemo presentation, or a screencast.

    > The tool is scanning any network protocol and open ports to check
    > vulnerability to be used by bad actors to start reflection DDoS attacks
    > from the device. The compliance tool runs Python code, to scan an IoT
    > device (local or external) for open ports, based on the most common 42
    > ports (TCP and UDP) used by IoTs. These port scan results are then

So, we've had tools like this for decades with mixed history of open source
and GPL and formerly this license and then another, and sometimes huge VC
behind them, and sometimes not.
The IETF doesn't standardized them, fund them, promote them, etc.

So unless the tool requires IANA actions, I don't see why it belongs here.
That's not to see it I'm un-interested, but it has no IETF-interest.
This feels like something that you write write a Usenet paper, NDSS,
PythonConf, ... paper for.  Or maybe just a really cool Screencast that you
upload to youtube.

    > compared with the MUD file that is provided by the user for the
    > specific IoT, since every MUD file is tailored to that specific
    > manufacturer’s IoT model. The source-ports (TCP and UDP) mentioned in
    > the MUD are extracted by the Python program and then compared against
    > the 42 ports scanned earlier. There is also a MUD visualizer, that
    > takes in a MUD file and shows the incoming and outgoing traffic based
    > on the JSON MUD file. You may also make a MUD file.

    > Thank you very much for your support

    > Name: draft-faibish-iot-ddos-usecases Revision: 01 Title: Usecases
    > definition for IoT DDoS attacks prevention Document date: 2019-12-25
    > Group: Individual Submission Pages: 9 URL:
    > Status:
    > Htmlized:
    > Htmlized:
    > Diff:

    > Abstract: This document specifies several usecases related to the
    > different ways IoT devices are exploited by malicious adversaries to
    > instantiate Distributed Denial of Services (DDoS) attacks. The attacks
    > are generted from IoT devices that have no proper protection against
    > generating unsolicited communication messages targeting a certain
    > network and creating large amounts of network traffic. The attackers
    > take advantage of breaches in the configuration data in unprotected IoT
    > devices exploited for DDoS attacks. The attackers take advantage of the
    > IoT devices that can send network packets that were generated by
    > malicious code that interacts with an OS implementation that runs on
    > the IoT devices. The prupose of this draft is to present possible IoT
    > DDoS usecases that need to be prevented by TEE. The major enabler of
    > such attacks is related to IoT devices that have no OS or unprotected
    > EE OS and run code that is downloaded to them from the TA and modified
    > by man-in-the-middle that inserts malicious code in the OS.


    > Please note that it may take a couple of minutes from the time of
    > submission until the htmlized version and diff are available at

    > The IETF Secretariat

    > _______________________________________________ Secdispatch mailing
    > list