Use Cases for DDoS Open Threat Signaling (DOTS) TelemetryNTT3-9-11, Midori-choTokyo180-8585Japanyuuhei.hayashi@gmail.comChina Mobile32, Xuanwumen WestBeijing100053Chinachenmeiling@chinamobile.comChina Mobile32, Xuanwumen WestBeijing100053Chinasuli@chinamobile.com
sec
dotsDDoS Open Threat Signaling (DOTS) telemetry enriches the base DOTS
protocols to assist the mitigator in using efficient DDoS attack
mitigation techniques in a network.
This document presents sample use cases for DOTS telemetry. It discusses what
components are deployed in the network, how they cooperate, and what
information is exchanged to effectively use these techniques.Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
Table of Contents
. Introduction
. Terminology
. Telemetry Use Cases
. Mitigation Resources Assignment
. Mitigating Attack Flow of Top Talker Preferentially
. DMS Selection for Mitigation
. Path Selection for Redirection
. Short but Extreme Volumetric Attack Mitigation
. Selecting Mitigation Technique Based on Attack Type
. Detailed DDoS Mitigation Report
. Tuning Mitigation Resources
. Supervised Machine Learning of Flow Collector
. Unsupervised Machine Learning of Flow Collector
. Security Considerations
. IANA Considerations
. References
. Normative References
. Informative References
Acknowledgements
Authors' Addresses
IntroductionDistributed Denial-of-Service (DDoS) attacks, such as volumetric
attacks and resource-consuming attacks, are critical threats to be
handled by service providers. When such DDoS attacks occur, service
providers have to mitigate them immediately to protect or recover their
services.For service providers to immediately protect their network
services from DDoS attacks, DDoS mitigation needs to be highly
automated. To that aim, multivendor components involved in DDoS attack
detection and mitigation should cooperate and support standard
interfaces.DDoS Open Threat Signaling (DOTS) is a set of protocols for real-time
signaling, threat-handling requests, and data filtering between the
multivendor elements . DOTS telemetry enriches the DOTS protocols
with various telemetry attributes allowing optimal DDoS attack
mitigation .
This document presents sample use cases for DOTS telemetry to enhance the
overview and the purpose described in
.
This document also presents what components are deployed
in the network, how they cooperate, and what information is exchanged to
effectively use attack-mitigation techniques.TerminologyReaders should be familiar with the terms defined in , , and .In addition, this document uses the following terms:
Supervised Machine Learning:
A machine-learning
technique in which labeled data is used to train the algorithms (the
input and output data are known).
Unsupervised Machine Learning:
A machine-learning
technique in which unlabeled data is used to train the algorithms
(the data has no historical labels).
Telemetry Use CasesThis section describes DOTS telemetry use cases that use telemetry attributes
included in the DOTS telemetry specification .The following subsections assume that once the DOTS signal channel is
established, DOTS clients will proceed with the telemetry setup configuration
detailed in .
The following telemetry parameters are used:
"measurement-interval" defines the period during which percentiles
are computed.
"measurement-sample" defines the time distribution for
measuring values that are used to compute percentiles.
Mitigation Resources AssignmentMitigating Attack Flow of Top Talker PreferentiallySome transit providers have to mitigate large-scale DDoS
attacks using DDoS Mitigation Systems (DMSes) with limited
resources that are already deployed in their network. For example,
recently reported large DDoS attacks exceeded several Tbps
.This use case enables transit providers to use
their DMS efficiently under volume-based DDoS attacks whose volume
is more than the available capacity of the DMS. To enable this, the
attack traffic of top talkers is redirected to the DMS
preferentially by cooperation among forwarding nodes, flow
collectors, and orchestrators. gives an overview of this use case. provides an
example of a DOTS telemetry message body that is used to signal
top talkers (2001:db8:1::/48 and 2001:db8:2::/48).Mitigating Attack Flow of Top Talker Preferentially
(Internet Transit Provider)
+-----------+ +--------------+ SNMP or YANG/NETCONF
IPFIX +-----------+| DOTS | |<---
--->| Flow ||C<-->S| Orchestrator | BGP Flowspec
| collector |+ | |---> (Redirect)
+-----------+ +--------------+
+-------------+
IPFIX +-------------+| BGP Flowspec (Redirect)
<---| Forwarding ||<---
| nodes ||
| || DDoS Attack
[ Target(s) ]<==========================================
| ++=========================[top talker]
| || ++======================[top talker]
+----|| ||----+
|| ||
|| ||
|/ |/
+----x--x----+
| DDoS | SNMP or YANG/NETCONF
| mitigation |<---
| system |
+------------+
C: DOTS client functionality
S: DOTS server functionality
Example of Message Body to Signal Top Talkers
{
"ietf-dots-telemetry:telemetry": {
"pre-or-ongoing-mitigation": [
{
"target": {
"target-prefix": [
"2001:db8::1/128"
]
},
"total-attack-traffic-protocol": [
{
"protocol": 17,
"unit": "megabit-ps",
"mid-percentile-g": "900"
}
],
"attack-detail": [
{
"vendor-id": 32473,
"attack-id": 77,
"start-time": "1645057211",
"attack-severity": "high",
"top-talker":{
"talker": [
{
"source-prefix": "2001:db8:1::/48",
"total-attack-traffic": [
{
"unit": "megabit-ps",
"mid-percentile-g": "100"
}
]
},
{
"source-prefix": "2001:db8:2::/48",
"total-attack-traffic": [
{
"unit": "megabit-ps",
"mid-percentile-g": "90"
}
]
}
]
}
}
]
}
]
}
}
The forwarding nodes send traffic statistics to the flow collectors, e.g.,
using IP Flow Information Export (IPFIX) . When DDoS attacks occur, the flow collectors identify the
attack traffic and send information about the top talkers to the orchestrator
using the "target-prefix" and "top-talkers" DOTS telemetry attributes. The
orchestrator then checks the available capacity of the DMSes using a
network management protocol, such as the Simple Network Management Protocol
(SNMP) or YANG with the Network
Configuration Protocol (YANG/NETCONF) . After that, the orchestrator orders the forwarding nodes
to redirect as much of the top talker's traffic to the DMSes as they can
handle by dissemination of Flow Specifications using tools such as Border
Gateway Protocol Dissemination of Flow Specification Rules (BGP Flowspec)
. The flow collector implements a DOTS client while the
orchestrator implements a DOTS server.DMS Selection for MitigationTransit providers can deploy their DMSes in clusters.
Then, they can select the DMS to be used to mitigate
a DDoS attack at the time of an attack.This use case enables transit providers to select a DMS with
sufficient capacity for mitigation based on the volume of the attack
traffic and the capacity of the DMS.
gives an overview of this use case.
provides an example of a DOTS telemetry message body that is used to
signal percentiles for total attack traffic.
DMS Selection for Mitigation
(Internet Transit Provider)
+-----------+ +--------------+ SNMP or YANG/NETCONF
IPFIX +-----------+| DOTS | |<---
--->| Flow ||C<-->S| Orchestrator | BGP (Redirect)
| collector |+ | |--->
+-----------+ +--------------+
+------------+
IPFIX +------------+| BGP (Redirect)
<---| Forwarding ||<---
| nodes ||
| || DDoS Attack
[Target A] | ++=================== [Destined for Target A]
[Target B] | || ++=============== [Destined for Target B]
+-||--||-----+
|| ||
++====++ || (congested DMS)
|| || +-----------+
|| |/ | DMS3 |
|| +-----x------+ |<--- SNMP or YANG/NETCONF
|/ | DMS2 |--------+
+--x---------+ |<--- SNMP or YANG/NETCONF
| DMS1 |------+
| |<--- SNMP or YANG/NETCONF
+------------+
C: DOTS client functionality
S: DOTS server functionality
Example of Message Body with Total Attack Traffic
{
"ietf-dots-telemetry:telemetry": {
"pre-or-ongoing-mitigation": [
{
"target": {
"target-prefix": [
"192.0.2.3/32"
]
},
"total-attack-traffic": [
{
"unit": "megabit-ps",
"low-percentile-g": "600",
"mid-percentile-g": "800",
"high-percentile-g": "1000",
"peak-g":"1100",
"current-g":"700"
}
]
}
]
}
}
The forwarding nodes send traffic statistics to the flow
collectors, e.g., using IPFIX. When DDoS attacks occur, the flow
collectors identify the attack traffic and send information about
the attack traffic volume to the orchestrator using the
"target-prefix" and "total-attack-traffic" DOTS telemetry
attributes. The orchestrator then checks the available capacity of
the DMSes using a network management protocol, such as the Simple
Network Management Protocol (SNMP) or YANG with the Network Configuration Protocol
(YANG/NETCONF) . After
that, the orchestrator selects a DMS with sufficient capacity to
which attack traffic should be redirected. For example, a simple
DMS selection algorithm can be used to choose a DMS whose available
capacity is greater than the "peak-g" telemetry attribute indicated in the
DOTS telemetry message. The orchestrator orders the appropriate
forwarding nodes to redirect the attack traffic to the DMS relying
upon routing policies, such as BGP . The detailed DMS selection algorithm is out of the scope of this
document.The flow collector implements a DOTS client while the
orchestrator implements a DOTS server.Path Selection for RedirectionA transit provider network has multiple paths to convey attack
traffic to a DMS. In such a network, the attack traffic can be
conveyed while avoiding congested links by adequately selecting an
available path.This use case enables transit providers to select a path with
sufficient bandwidth for redirecting attack traffic to a DMS
according to the bandwidth of the attack traffic and total
traffic. gives an overview of this
use case. provides an example
of a DOTS telemetry message body that is used to signal percentiles
for total traffic and total attack traffic.
Path Selection for Redirection
(Internet Transit Provider)
+-----------+ +--------------+ DOTS
+-----------+| | |S<---
IPFIX | Flow || DOTS | Orchestrator |
-->| collector ||C<-->S| | BGP Flowspec (Redirect)
| |+ | |--->
+-----------+ +--------------+
DOTS +------------+ DOTS +------------+ IPFIX
--->C| Forwarding | --->C| Forwarding |--->
BGP Flowspec | node | | node |
(Redirect) --->| | | | DDoS Attack
[Target] | ++====================================
+-------||---+ +------------+
|| /
|| / (congested link)
|| /
DOTS +-||----------------+ BGP Flowspec (Redirect)
--->C| || Forwarding |<---
| ++=== node |
+----||-------------+
|/
+--x-----------+
| DMS |
+--------------+
C: DOTS client functionality
S: DOTS server functionality
Example of Message Body with Total Attack Traffic and Total Traffic
{
"ietf-dots-telemetry:telemetry": {
"pre-or-ongoing-mitigation": [
{
"target": {
"target-prefix": [
"2001:db8::1/128"
]
},
"total-traffic": [
{
"unit": "megabit-ps",
"mid-percentile-g": "1300",
"peak-g": "800"
}
],
"total-attack-traffic": [
{
"unit": "megabit-ps",
"low-percentile-g": "600",
"mid-percentile-g": "800",
"high-percentile-g": "1000",
"peak-g": "1100",
"current-g": "700"
}
]
}
]
}
}
The forwarding nodes send traffic statistics to the flow collectors, e.g.,
using IPFIX. When DDoS attacks occur, the flow collectors identify attack
traffic and send information about the attack traffic volume to the
orchestrator using the "target-prefix" and "total-attack-traffic" DOTS
telemetry attributes. The underlying forwarding nodes send the volume of the
total traffic passing the node to the orchestrator using the
"total-traffic" telemetry attributes. The orchestrator then selects a path
with sufficient bandwidth to which the flow of attack traffic should be
redirected. For example, a simple selection algorithm can be used to
choose a path whose available capacity is greater than the "peak-g" telemetry attribute
that was indicated in a DOTS telemetry message. After that, the orchestrator
orders the appropriate forwarding nodes to redirect the attack traffic to the
DMS by dissemination of Flow Specifications using tools such as BGP Flowspec
.The detailed path selection algorithm is out of the scope of this
document.The flow collector and forwarding nodes implement a DOTS client
while the orchestrator implements a DOTS server.Short but Extreme Volumetric Attack MitigationShort but extreme volumetric attacks, such as pulse wave DDoS
attacks, are threats to Internet transit provider networks. These
attacks start from zero and go to maximum values in a very short
time span. The attacks go back to zero and then back to maximum
values, repeating in continuous cycles at short intervals. It is
difficult for transit providers to mitigate such an attack with
their DMSes by redirecting attack flows because this may cause route
flapping in the network. The practical way to mitigate short but
extreme volumetric attacks is to offload mitigation actions to a
forwarding node.This use case enables transit providers to mitigate short but
extreme volumetric attacks. Furthermore, the aim is to estimate the
network-access success rate based on the bandwidth of the attack
traffic. gives an overview of
this use case. provides an
example of a DOTS telemetry message body that is used to signal
total pipe capacity. provides
an example of a DOTS telemetry message body that is used to signal
various percentiles for total traffic and total attack traffic.
Short but Extreme Volumetric Attack Mitigation
(Internet Transit Provider)
+------------+ +----------------+
| Network | DOTS | Administrative | BGP Flowspec
Alert----->| Management |C<--->S| System | (Rate-Limit)
| System | | |--->
+------------+ +----------------+
BGP Flowspec
+------------+ +------------+ (Rate-Limit X bps)
| Forwarding | | Forwarding |<---
| node | | node |
Link1 | | | | DDoS & Normal traffic
[Target]<------------------------------------================
Pipe +------------+ +------------+ Attack Traffic
Capability Bandwidth
X bps Y bps
Network-access success rate
X / (X + Y)
C: DOTS client functionality
S: DOTS server functionality
Example of Message Body with Total Pipe Capacity
{
"ietf-dots-telemetry:telemetry-setup": {
"telemetry": [
{
"total-pipe-capacity": [
{
"link-id": "link1",
"capacity": "1000",
"unit": "megabit-ps"
}
]
}
]
}
}
Example of Message Body with Total Attack Traffic and Total Traffic
{
"ietf-dots-telemetry:telemetry": {
"pre-or-ongoing-mitigation": [
{
"target": {
"target-prefix": [
"2001:db8::1/128"
]
},
"total-traffic": [
{
"unit": "megabit-ps",
"mid-percentile-g": "800",
"peak-g": "1300"
}
],
"total-attack-traffic": [
{
"unit": "megabit-ps",
"low-percentile-g": "200",
"mid-percentile-g": "400",
"high-percentile-g": "500",
"peak-g": "600",
"current-g": "400"
}
]
}
]
}
}
When DDoS attacks occur, the network management system receives
alerts. Then, it sends the target IP address(es) and volume of the
DDoS attack traffic to the administrative system using the
"target-prefix" and "total-attack-traffic" DOTS telemetry
attributes. After that, the administrative system orders relevant
forwarding nodes to carry out rate-limiting of all traffic destined
to the target based on the pipe capability by the dissemination of
the Flow Specifications using tools such as BGP Flowspec . In addition, the
administrative system estimates the network-access success rate of
the target, which is calculated by (total-pipe-capability /
(total-pipe-capability + total-attack-traffic)). Note that total pipe capability information can be gathered by
telemetry setup in advance ().The network management system implements a DOTS client
while the administrative system implements a DOTS server.Selecting Mitigation Technique Based on Attack TypeSome volumetric attacks, such as DNS amplification attacks, can be
detected with high accuracy by checking the Layer 3 or Layer 4
information of attack packets. These attacks can be detected and
mitigated through cooperation among forwarding nodes and flow
collectors using IPFIX. It may also be necessary to inspect the Layer 7
information of suspicious packets to detect attacks such as DNS
water torture attacks .
To carry out the DNS water torture attack,
an attacker commands a botnet to make thousands of DNS requests
for fake subdomains against an authoritative name server.
Such attack traffic should be detected and mitigated at the DMS.This use case enables transit providers to select
a mitigation technique based on the type of attack traffic, whether it is an amplification attack or not. To use such a technique, the attack
traffic is blocked by forwarding nodes or redirected to a DMS based
on the attack type through cooperation among forwarding nodes, flow
collectors, and an orchestrator. gives an overview of this
use case. provides an example of
attack mappings that are shared using the DOTS data channel in
advance. provides an example
of a DOTS telemetry message body that is used to signal percentiles
for total attack traffic, total attack traffic protocol, and total
attack connection; it also shows attack details.
The example in uses the folding defined in
for long lines. Selecting Mitigation Technique Based on Attack Type
(Internet Transit Provider)
+-----------+ DOTS +--------------+
+-----------+|<---->| | BGP (Redirect)
IPFIX | Flow ||C S| Orchestrator | BGP Flowspec (Drop)
--->| collector |+ | |--->
+-----------+ +--------------+
+------------+ BGP (Redirect)
IPFIX +------------+| BGP Flowspec (Drop)
<---| Forwarding ||<---
| nodes || DDoS Attack
| ++=====||================
| || ||x<==============[DNS Amp]
| || |+x<==============[NTP Amp]
+-----||-----+
||
|/
+-----x------+
| DDoS |
| mitigation |
| system |
+------------+
C: DOTS client functionality
S: DOTS server functionality
DNS Amp: DNS Amplification
NTP Amp: NTP Amplification
Example of Message Body with Attack Mappings=============== NOTE: '\' line wrapping per RFC 8792 ================
{
"ietf-dots-mapping:vendor-mapping": {
"vendor": [
{
"vendor-id": 32473,
"vendor-name": "mitigator-c",
"last-updated": "1629898958",
"attack-mapping": [
{
"attack-id": 77,
"attack-description": "DNS amplification Attack: \
This attack is a type of reflection attack in which attackers \
spoof a target's IP address. The attackers abuse vulnerabilities \
in DNS servers to turn small queries into larger payloads."
},
{
"attack-id": 92,
"attack-description":"NTP amplification Attack: \
This attack is a type of reflection attack in which attackers \
spoof a target's IP address. The attackers abuse vulnerabilities \
in NTP servers to turn small queries into larger payloads."
}
]
}
]
}
}
Example of Message Body with Total Attack Traffic, Total Attack Traffic Protocol, Total Attack Connection, and Attack Detail
{
"ietf-dots-telemetry:telemetry": {
"pre-or-ongoing-mitigation": [
{
"target": {
"target-prefix": [
"2001:db8::1/128"
]
},
"total-attack-traffic": [
{
"unit": "megabit-ps",
"low-percentile-g": "600",
"mid-percentile-g": "800",
"high-percentile-g": "1000",
"peak-g": "1100",
"current-g": "700"
}
],
"total-attack-traffic-protocol": [
{
"protocol": 17,
"unit": "megabit-ps",
"mid-percentile-g": "500"
},
{
"protocol": 15,
"unit": "megabit-ps",
"mid-percentile-g": "200"
}
],
"total-attack-connection": [
{
"mid-percentile-l": [
{
"protocol": 15,
"connection": 200
}
],
"high-percentile-l": [
{
"protocol": 17,
"connection": 300
}
]
}
],
"attack-detail": [
{
"vendor-id": 32473,
"attack-id": 77,
"start-time": "1641169211",
"attack-severity": "high"
},
{
"vendor-id": 32473,
"attack-id": 92,
"start-time": "1641172809",
"attack-severity": "high"
}
]
}
]
}
}
Attack mappings are shared using the DOTS data channel in
advance (). The forwarding nodes send traffic statistics to
the flow collectors, e.g., using IPFIX. When DDoS attacks occur, the
flow collectors identify attack traffic and send attack type
information to the orchestrator using the "vendor-id" and
"attack-id" telemetry attributes. The orchestrator then resolves
abused port numbers and orders relevant forwarding nodes to block
the amplification attack traffic flow by dissemination of Flow
Specifications using tools such as BGP Flowspec . Also, the orchestrator orders
relevant forwarding nodes to redirect traffic other than the
amplification attack traffic using a routing protocol, such as
BGP .The flow collector implements a DOTS client while the
orchestrator implements a DOTS server.Detailed DDoS Mitigation ReportIt is possible for the transit provider to add value to the DDoS
mitigation service by reporting ongoing and detailed DDoS
countermeasure status to the enterprise network. In addition, it is
possible for the transit provider to know whether the DDoS countermeasure
is effective or not by receiving reports from the enterprise
network.This use case enables the mutual sharing of information about ongoing DDoS
countermeasures between the transit provider and the enterprise network.
gives an overview of this use case. provides an example of a DOTS telemetry message body
that is used to signal total pipe capacity from the enterprise network
administrator to the orchestrator in the ISP.
provides an example of a DOTS telemetry message body that is used to signal
percentiles for total traffic and total attack traffic as well as attack
details from the orchestrator to the network.
Detailed DDoS Mitigation Report
+------------------+ +------------------------+
| Enterprise | | Upstream |
| Network | | Internet Transit |
| +------------+ | | Provider |
| | Network |C | | S+--------------+ |
| | admini- |<-----DOTS---->| Orchestrator | |
| | strator | | | +--------------+ |
| +------------+ | | C ^ |
| | | | DOTS |
| | | S v |
| | | +---------------+ DDoS Attack
| | | | DMS |+=======
| | | +---------------+ |
| | | || Clean |
| | | |/ Traffic |
| +---------+ | | +---------------+ |
| | DDoS | | | | Forwarding | Normal Traffic
| | Target |<================| Node |========
| +---------+ | Link1 | +---------------+ |
+------------------+ +------------------------+
C: DOTS client functionality
S: DOTS server functionality
Example of Message Body with Total Pipe Capacity
{
"ietf-dots-telemetry:telemetry-setup": {
"telemetry": [
{
"total-pipe-capacity": [
{
"link-id": "link1",
"capacity": "1000",
"unit": "megabit-ps"
}
]
}
]
}
}
Example of Message Body with Total Traffic, Total Attack Traffic, and Attack Detail
{
"ietf-dots-telemetry:telemetry": {
"pre-or-ongoing-mitigation": [
{
"tmid": 567,
"target": {
"target-prefix": [
"2001:db8::1/128"
]
},
"target-protocol": [
17
],
"total-traffic": [
{
"unit": "megabit-ps",
"mid-percentile-g": "800"
}
],
"total-attack-traffic": [
{
"unit": "megabit-ps",
"mid-percentile-g": "100"
}
],
"attack-detail": [
{
"vendor-id": 32473,
"attack-id": 77,
"start-time": "1644819611",
"attack-severity": "high"
}
]
}
]
}
}
The network management system in the enterprise network reports
limits of incoming traffic volume from the transit provider to the
orchestrator in the transit provider in advance. It is reported
using the "total-pipe-capacity" telemetry attribute in the DOTS telemetry
setup.When DDoS attacks occur, DDoS mitigation orchestration is carried out in the transit provider. Then,
the DDoS mitigation systems report the status of DDoS countermeasures
to the orchestrator by sending "attack-detail" telemetry attributes.
After that, the orchestrator integrates the reports from the DDoS
mitigation systems, while removing duplicate contents, and sends the integrated report to a
network administrator using DOTS telemetry periodically.During the DDoS mitigation, the orchestrator in the transit
provider retrieves the link congestion status from the network manager in
the enterprise network using the "total-traffic" telemetry attributes.
Then, the orchestrator checks whether or not the DDoS countermeasures are
effective by comparing the "total-traffic" and the
"total-pipe-capacity" telemetry attributes.The DMS implements a DOTS server while the orchestrator behaves as
a DOTS client and a server in the transit provider. In addition, the
network administrator implements a DOTS client.Tuning Mitigation ResourcesSupervised Machine Learning of Flow CollectorDDoS detection based on tools, such as IPFIX, is a lighter-weight
method of detecting DDoS attacks compared to DMSes in Internet transit
provider networks. DDoS detection based on the
DMSes is a more accurate method for detecting attack traffic
than flow monitoring.The aim of this use case is to increase flow collectors'
detection accuracy by carrying out supervised machine-learning
techniques according to attack detail reported by the DMSes. To use
such a technique, forwarding nodes, flow collectors, and a DMS
should cooperate. gives an
overview of this use case.
provides an example of a DOTS telemetry message body that is used to
signal attack detail.
Supervised Machine Learning of Flow Collector
+-----------+
+-----------+| DOTS
IPFIX | Flow ||S<---
--->| collector ||
+-----------++
+------------+
IPFIX +------------+|
<---| Forwarding ||
| nodes || DDoS Attack
[ Target ] | ++==============================
| || ++===========================
| || || ++========================
+---||-|| ||-+
|| || ||
|/ |/ |/
DOTS +---X--X--X--+
--->C| DDoS |
| mitigation |
| system |
+------------+
C: DOTS client functionality
S: DOTS server functionality
Example of Message Body with Attack Detail and Top Talkers
{
"ietf-dots-telemetry:telemetry": {
"pre-or-ongoing-mitigation": [
{
"target": {
"target-prefix": [
"2001:db8::1/128"
]
},
"attack-detail": [
{
"vendor-id": 32473,
"attack-id": 77,
"start-time": "1634192411",
"attack-severity": "high",
"top-talker": {
"talker": [
{
"source-prefix": "2001:db8::2/127"
}
]
}
}
]
}
]
}
}
The forwarding nodes send traffic statistics to the flow
collectors, e.g., using IPFIX. When DDoS attacks occur, DDoS
mitigation orchestration is carried out (as per ), and the DMS mitigates all attack traffic
destined for a target. The DDoS mitigation system reports the
"vendor-id", "attack-id", and "top-talker" telemetry attributes to a
flow collector.After mitigating a DDoS attack, the flow collector attaches
outputs of the DMS as labels to the statistics of the traffic flow of top talkers.
The outputs, for example, are the "attack-id" telemetry attributes.
The flow collector then carries out supervised machine learning to
increase its detection accuracy, setting the statistics as an
explanatory variable and setting the labels as an objective
variable.The DMS implements a DOTS client while the flow collector
implements a DOTS server.Unsupervised Machine Learning of Flow CollectorDMSes can detect DDoS attack traffic, which means DMSes can also
identify clean traffic. This use case supports unsupervised
machine learning for anomaly detection according to a baseline
reported by the DMSes. To use such a technique, forwarding nodes,
flow collectors, and a DMS should cooperate. gives an overview of this use
case. provides an example of a DOTS telemetry message body
that is used to signal baseline.Unsupervised Machine Learning of Flow Collector
+-----------+
+-----------+|
DOTS | Flow ||
--->S| collector ||
+-----------++
+------------+
+------------+|
| Forwarding ||
| nodes || Traffic
[ Destination ] <== =============++==============================
| || ||
| || |+
+---||-------+
||
|/
DOTS +---X--------+
--->C| DDoS |
| mitigation |
| system |
+------------+
C: DOTS client functionality
S: DOTS server functionality
Example of Message Body with Traffic Baseline
{
"ietf-dots-telemetry:telemetry-setup": {
"telemetry": [
{
"baseline": [
{
"id": 1,
"target-prefix": [
"2001:db8:6401::1/128"
],
"target-port-range": [
{
"lower-port": "53"
}
],
"target-protocol": [
17
],
"total-traffic-normal": [
{
"unit": "megabit-ps",
"low-percentile-g": "30",
"mid-percentile-g": "50",
"high-percentile-g": "60",
"peak-g": "70"
}
]
}
]
}
]
}
}
The forwarding nodes carry out traffic mirroring to copy the traffic
destined to an IP address and to monitor the traffic by a DMS. The DMS then
identifies clean traffic and reports the baseline telemetry attributes to the
flow collector using DOTS telemetry.The flow collector then carries out unsupervised machine
learning to be able to carry out anomaly detection.The DMS implements a DOTS client while the flow collector
implements a DOTS server.Security ConsiderationsSecurity considerations for DOTS telemetry are discussed in . These considerations
apply to the communication interfaces where DOTS is used. Some use cases involve controllers, orchestrators, and programmable
interfaces. These interfaces can be misused by misbehaving nodes to
further exacerbate DDoS attacks. The considerations are for end-to-end
systems for DoS mitigation, so the mechanics are outside the scope of
DOTS protocols.
discusses some generic security considerations to take into account in
such contexts (e.g., reliable access control). Specific security
measures depend on the actual mechanism used to control underlying
forwarding nodes and other controlled elements. For example, discusses security
considerations that are relevant to BGP Flowspec. IPFIX-specific
considerations are discussed in .IANA ConsiderationsThis document has no IANA actions.ReferencesNormative ReferencesDistributed Denial-of-Service Open Threat Signaling (DOTS) TelemetryThis document aims to enrich the Distributed Denial-of-Service Open Threat Signaling (DOTS) signal channel protocol with various telemetry attributes, allowing for optimal Distributed Denial-of-Service (DDoS) attack mitigation. It specifies the normal traffic baseline and attack traffic telemetry attributes a DOTS client can convey to its DOTS server in the mitigation request, the mitigation status telemetry attributes a DOTS server can communicate to a DOTS client, and the mitigation efficacy telemetry attributes a DOTS client can communicate to a DOTS server. The telemetry attributes can assist the mitigator in choosing the DDoS mitigation techniques and performing optimal DDoS attack mitigation.This document specifies two YANG modules: one for representing DOTS telemetry message types and one for sharing the attack mapping details over the DOTS data channel.Informative ReferencesA Large Scale Analysis of DNS Water Torture AttackCSAI '18: Proceedings of the 2018 2nd International
Conference on Computer Science and Artificial Intelligence,
pp. 168-173DDoS Open Threat Signaling (DOTS)Simple Network Management Protocol (SNMP) ApplicationsThis document describes five types of Simple Network Management Protocol (SNMP) applications which make use of an SNMP engine as described in STD 62, RFC 3411. The types of application described are Command Generators, Command Responders, Notification Originators, Notification Receivers, and Proxy Forwarders. This document also defines Management Information Base (MIB) modules for specifying targets of management operations, for notification filtering, and for proxy forwarding. This document obsoletes RFC 2573. [STANDARDS-TRACK]A Border Gateway Protocol 4 (BGP-4)This document discusses the Border Gateway Protocol (BGP), which is an inter-Autonomous System routing protocol.The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses. This information is sufficient for constructing a graph of AS connectivity for this reachability from which routing loops may be pruned, and, at the AS level, some policy decisions may be enforced.BGP-4 provides a set of mechanisms for supporting Classless Inter-Domain Routing (CIDR). These mechanisms include support for advertising a set of destinations as an IP prefix, and eliminating the concept of network "class" within BGP. BGP-4 also introduces mechanisms that allow aggregation of routes, including aggregation of AS paths.This document obsoletes RFC 1771. [STANDARDS-TRACK]Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow InformationThis document specifies the IP Flow Information Export (IPFIX) protocol, which serves as a means for transmitting Traffic Flow information over the network. In order to transmit Traffic Flow information from an Exporting Process to a Collecting Process, a common representation of flow data and a standard means of communicating them are required. This document describes how the IPFIX Data and Template Records are carried over a number of transport protocols from an IPFIX Exporting Process to an IPFIX Collecting Process. This document obsoletes RFC 5101.Software-Defined Networking: A Perspective from within a Service Provider EnvironmentSoftware-Defined Networking (SDN) has been one of the major buzz words of the networking industry for the past couple of years. And yet, no clear definition of what SDN actually covers has been broadly admitted so far. This document aims to clarify the SDN landscape by providing a perspective on requirements, issues, and other considerations about SDN, as seen from within a service provider environment.It is not meant to endlessly discuss what SDN truly means but rather to suggest a functional taxonomy of the techniques that can be used under an SDN umbrella and to elaborate on the various pending issues the combined activation of such techniques inevitably raises. As such, a definition of SDN is only mentioned for the sake of clarification.The YANG 1.1 Data Modeling LanguageYANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF).DDoS Open Threat Signaling (DOTS) RequirementsThis document defines the requirements for the Distributed Denial-of- Service (DDoS) Open Threat Signaling (DOTS) protocols enabling coordinated response to DDoS attacks.Distributed Denial-of-Service Open Threat Signaling (DOTS) Data Channel SpecificationThe document specifies a Distributed Denial-of-Service Open Threat Signaling (DOTS) data channel used for bulk exchange of data that cannot easily or appropriately communicated through the DOTS signal channel under attack conditions.This is a companion document to "Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification" (RFC 8782).Handling Long Lines in Content of Internet-Drafts and RFCsThis document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content.Use Cases for DDoS Open Threat SignalingThe DDoS Open Threat Signaling (DOTS) effort is intended to provide protocols to facilitate interoperability across disparate DDoS Mitigation solutions. This document presents sample use cases that describe the interactions expected between the DOTS components as well as DOTS messaging exchanges. These use cases are meant to identify the interacting DOTS components, how they collaborate, and what the typical information to be exchanged is.Dissemination of Flow Specification RulesThis document defines a Border Gateway Protocol Network Layer Reachability Information (BGP NLRI) encoding format that can be used to distribute (intra-domain and inter-domain) traffic Flow Specifications for IPv4 unicast and IPv4 BGP/MPLS VPN services. This allows the routing system to propagate information regarding more specific components of the traffic aggregate defined by an IP destination prefix.It also specifies BGP Extended Community encoding formats, which can be used to propagate Traffic Filtering Actions along with the Flow Specification NLRI. Those Traffic Filtering Actions encode actions a routing system can take if the packet matches the Flow Specification.This document obsoletes both RFC 5575 and RFC 7674.Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel SpecificationThis document specifies the Distributed Denial-of-Service Open Threat Signaling (DOTS) signal channel, a protocol for signaling the need for protection against Distributed Denial-of-Service (DDoS) attacks to a server capable of enabling network traffic mitigation on behalf of the requesting client.A companion document defines the DOTS data channel, a separate reliable communication layer for DOTS management and configuration purposes.This document obsoletes RFC 8782.AcknowledgementsThe authors would like to thank and for their valuable
feedback.Thanks to for the detailed AD
review.Many thanks to , , ,
and for their reviews.Thanks to , , ,
, and for the IESG review.Authors' AddressesNTT3-9-11, Midori-choTokyo180-8585Japanyuuhei.hayashi@gmail.comChina Mobile32, Xuanwumen WestBeijing100053Chinachenmeiling@chinamobile.comChina Mobile32, Xuanwumen WestBeijing100053Chinasuli@chinamobile.com