Internet DRAFT - draft-mglt-dots-use-cases
draft-mglt-dots-use-cases
DOTS D. Migault, Ed.
Internet-Draft Ericsson
Intended status: Informational April 20, 2015
Expires: October 22, 2015
DDoS Open Threat Signaling use cases
draft-mglt-dots-use-cases-00
Abstract
The document details use cases to mitigate DDoS attacks. These use
cases are expected to illustrates involved communications to detect
and mitigate DDoS attacks. It is expected that these communications
will be in the future handled by the DDoS Open Threat Signaling
(DOTS). These scenarios are intended to be useful to derive
requirements for the design of DDoS Open threat Signaling.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 22, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Migault Expires October 22, 2015 [Page 1]
Internet-Draft DOTS use cases April 2015
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology and Acronyms . . . . . . . . . . . . . . . . . . 3
3. On-premise use case . . . . . . . . . . . . . . . . . . . . . 4
3.1. Symmetric . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Asymmetric . . . . . . . . . . . . . . . . . . . . . . . 8
4. Cloud Use Case . . . . . . . . . . . . . . . . . . . . . . . 10
5. Hybrid Cloud Use Case . . . . . . . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 12
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
10. Normative References . . . . . . . . . . . . . . . . . . . . 12
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
DDoS is a major threat that affects any organizations of any size.
In addition, these attacks have become more and more frequent,
complex and sophisticated which makes DDoS attacks harder to be
detected at a single point.
More specifically, traditional SYN TCP or ICMP flood attacks were
relatively easy to detect at the border of the network by an on-
premise device. Although such DDoS attacks remain, DDoS attacks
become more and more applications specific. This results in more
specialized DDoS attacks, that require a fine grained monitoring to
detect suspicious traffic.
For example, DNS can be used as a channel to establish a
communication channel between a bot and its Command and Control (CC)
channel. A generic DNS flow traffic monitoring is not sufficient to
detect such attacks. Instead it may require monitoring FQDNs with
NXDOMAIN associated to behavioral traffic analysis. DNS(SEC) or NTP
are used to perform DDoS reflection attacks. Detection of these
attacks may involve monitoring how the source IP address may be
unusually associated to heavy traffic. That said, more specific
traffic monitoring and analysis is not sufficient when DDoS attacks
target a specific application. In the case of slowloris flows DDoS
attacks for example, the attacker initiates regular conversations
with the servers, except that it maintains these conversations open.
The use of TLS/DTLS makes on path monitoring impossible.
Migault Expires October 22, 2015 [Page 2]
Internet-Draft DOTS use cases April 2015
The complexity and the multitude of potential targets results in
making DDoS detection a distributed system over a network. Flood
attacks can be detected at the entrance of the network, SYN flood may
be detected by firewalls associated to behavioral analysis. TLS and
HTTP floods or low and slow and application based DDoS attacks are
expected to be detected on the server side.
The multitude of DDoS monitoring appliance requires coordination.
Coordination is necessary in order to manage the DDoS appliances as
well as to collect the various information provided by each appliance
and correlate these piece of information. Such correlation is
expected to provide early detection, as well as more accurate alarms.
Once a DDoS attack has been detected, the mitigation should proceed.
Mitigation could be handled locally or outsourced.
The document details use cases to mitigate DDoS attacks. These use
cases are expected to illustrates involved communications to detect
and mitigate DDoS attacks. It is expected that these communications
will be in the future handled by the DDoS Open Threat Signaling
(DOTS). These scenarios are intended to be useful to derive
requirements for the design of DDoS Open threat Signaling.
The document illustrates how DOTS makes possible DDoS to go beyond
the scope of an isolated appliance and :
- A) Make possible a global and cross layered DDoS Monitoring, to
make DDoS detection more accurate and earlier.
- B) Make possible a global and cross layer DDoS Mitigation, to
mitigate in an coherent and efficient way.
- C) Make possible to share monitored information between multiple
parties.
- D) Make possible to share and delegate DDoS monitoring and
mitigation to third party.
2. Terminology and Acronyms
- Deny of Service (DoS): is an attack that makes resource of a
service unavailable for its intended users. The resource may
be computing or networking resource.
- Distributed Deny of Service (DDoS): is a DoS attack where the
resources used by the attacker to perform the attack are
distributed.
Migault Expires October 22, 2015 [Page 3]
Internet-Draft DOTS use cases April 2015
- DDoS Monitoring: designates the ability to inspect and monitor
the traffic. This may include, exporting flow information to a
Flow Repository or generating an alarm to the DDoS Controller
when some threshold have been reached. In this document, DDoS
Monitoring represents indifferently either a specific and
dedicated DDoS Appliance, a virtual DDoS Appliance or a module.
- DDoS Mitigation: designates the ability to mitigate the DDoS
attack. This may include providing filtering rules for
example. In this document, DDoS Mitigation represents
indifferently either a specific and dedicated DDoS Appliance, a
virtual DDoS Appliance or a module.
- DDoS Controller: designates the entity that centralized
monitoring, the alarms received and provides the mitigation
actions. As DDoS attacks become more and more complex, a
single DDoS monitoring device become dedicated to limited
aspect of DDoS. As a result, these devices have only a
fractional view of the ongoing activity. On the other hand,
the DDoS Controller can aggregate and correlate this
information have as such has a global view of the attacks. As
result the DDoS Controller is more likely to take the
appropriated decision to mitigate the attack.
- DDoS Appliance: designates an appliance that embeds DDoS
Monitoring and/or DDoS Mitigation function. In this document,
DDoS Appliance can be indifferently a hardware or virtual
virtual DDoS Appliance.
- Flow Repository: designates the entity that centralized all the
flow information. The Repository, may be shared between
various entities and third parties. In fact, it is expected
that information could be shared between independent actors, in
order to mitigate DDoS Internet wild.
- Service: designates the destination of the traffic and the
service that is under attack.
3. On-premise use case
The on-premise uses cases describe scenarios where DDoS is detected
and mitigated on site. Section 3.1 describes the symmetric on-
premise scenario, where the DDoS Appliance is place on path both the
inbound and outbound traffic to the Service. Section 3.2, on the
other hand presents the case where only a sub traffic is dynamically
directed to the DDoS Appliance.
Migault Expires October 22, 2015 [Page 4]
Internet-Draft DOTS use cases April 2015
3.1. Symmetric
As depicted in Figure 1 the DDoS Appliance is on path of the inbound
and outbound traffic to the Service. In other words, traffic coming
from the Service to the end users goes also through the DDOS
Appliance.
Such scenario may be associated to Small Office Home Office (SOHO)
networks. In this case, the network, most likely, has a single DDoS
Appliance. On the other hand, this scenario may also apply to large
data center where, for example, each VM could be associated to a
virtual DDoS Appliance.
The typical use case includes the following steps:
1. The DDoS Controller requests the DDoS Monitoring and DDoS
Mitigation capabilities of the DDoS Appliance. Such request
provides flexibility for both the DDoS Controller and the DDoS
Appliances. First the DDoS Controller does not need to be tied
to the DDoS Appliance, and so a single DDoS Controller may be
used for various heterogeneous DDoS Appliances. Heterogeneity
can be in term of vendors and/or in term of proposed
capabilities. Similarly, this provides flexibility for the
DDoS Appliances, as a DDoS Appliance may implement a subset of
capabilities. In our example, the DDoS Controller, discovers
both the DDoS Monitoring and DDoS Mitigating capabilities.
DDoS Monitoring capabilities are necessary for monitoring the
traffic and latter setting the alarms (see 2.). DDoS
Mitigation capabilities are not mandatory to be requested here,
as they are only expected to be used when the network is under
attack. The reason the DDoS Controller requests those at this
stage is to be able to plan its strategy for DDoS mitigation in
advance instead of doing so while being under attack.
2. The DDoS Controller, then configures the appropriated
capabilities on the DDoS Appliance. The configuration can
typically be setting the thresholds upon which an alarm is
raised by the DDoS Appliance to the DDoS Controller. Another
type of setting may also be related to monitoring. DDoS
Appliance may be configured to provide flow or resource (like
CPU usage) information. These information may be exported to
the Flow Repository in an appropriated format that enabled
processing and correlation analysis by the DDoS Controller.
3. The DDoS Appliance sends the monitoring information to the Flow
Repository. Note that the Flow Repository must be provided
some means to authenticated the received packets as well as to
Migault Expires October 22, 2015 [Page 5]
Internet-Draft DOTS use cases April 2015
check the received information corresponds to the one requested
by the DDoS Controller.
4. The DDoS Appliance raises an alarm that some suspicious traffic
has been detected. This alarm corresponds to the settings
performed by the DDoS Controller in step 2. As mentioned in
Section 1 it may be difficult for the DDoS Appliance to
determine from a local observation that a DDoS attack is
ongoing or not. This is the reason the alarm is raised for
suspicious traffic.
5. The DDoS Controller analyzes and correlates the received alarm
for suspicious traffic and confirm or not that a DDoS attack is
ongoing. Confirmation may require the DDoS Controller to
perform some traffic analysis and correlates the alarm with
some additional data. To do so, the DDoS Controller may
consult the Flow Repository.
6. The DDoS Controller concludes that the network is under attack,
and so proceeds to DDoS mitigation. In this example, the DDoS
Controller is aware of the DDoS Mitigation capabilities of the
DDoS Appliance as it has proceeded to the discovery mechanism
in step 1. If that is not the case, the DDoS Controller should
discover the DDoS mitigation capacities now. DDoS mitigations
performed by the DDoS Controller are related to DDoS service.
This may include for example setting some filtering rules or
activation rate limitation. If traffic redirection should be
performed, it is not expected to be performed by the DDoS
Controller. In fact redirection implies a network
reconfiguration and is considered outside the scope of the DDoS
Controller. In addition to mitigate the DDoS attack, the DDoS
Controller may also adjust its DDoS Monitoring settings.
Motivations for doing so, may be for example to reduce the
traffic on the network, or reversely, to provide a more
accurate monitoring.
6bis. Eventually, the DDoS Controller may conclude that the network
is not under attack. In this case the alarm is ignored or
acknowledged to avoid the alert is re-sent and eventually load
the network or the DDoS Controller. Similarly to step 6, the
DDoS may also decide to adjust the monitoring settings to
reduce false positive alarms. Note that the latest should be
used cautiously as, such mechanism may be used as a vector of
attack.
Migault Expires October 22, 2015 [Page 6]
Internet-Draft DOTS use cases April 2015
***** DDoS traffic
ooooo Legitimate traffic
|
Internet | Attacked Network
|
| DDoS Appliance
| +-----------------+ +---------+
>***>***> |* | DDoS Monitor | | |
>ooo>ooo> |o | ---------- | >ooo> | Service |
<ooo<ooo< |o | DDoS Mitigation | <ooo< | |
| +-----------------+ +---------+
| | ^
| | | 1. Capabilities
| | 2. Monitoring settings
3. Monitored | | 4. Alarm is raised
Flow | | 6. DDoS Mitigation
| +----------------+
v v
+---------------------+ +------------------+
| Flow Repository |<------>| DDoS Control |
+---------------------+ +------------------+
5. Alert Correlation
Figure 1: On-premise Symmetric Use Case
Figure 1 shows the DDoS Controller as distinct from the DDoS
Appliance. In fact nothing prevents the DDoS Controller to be
located on the DDoS Appliance. In this case the communications
between the DDoS Controller and the DDoS Monitoring or DDoS
Mitigation functions would be implementation dependent and thus
outside of the scope of DOTS. The DDoS Appliance may embed a basic
and limited DDoS Controller for basic configuration of the device.
This is one reason why a DDOS Appliance may be configured by multiple
DDoS Controllers.
Similarly, there is no requirements that the DDoS Controller belongs
to the same network as the DDoS Appliances. The DDoS Controller
could be placed inside the on-premise DDoS Appliances' network or
remotely see Section 5 for more details.
How the DDoS Controller handles alarms and determines a suspicious
traffic corresponds or not to a DDoS attack is out of scope of DOTS.
Similarly, the mitigating strategies are also out of scope of DOTS.
Migault Expires October 22, 2015 [Page 7]
Internet-Draft DOTS use cases April 2015
3.2. Asymmetric
The asymmetric on-premise scenario optimize resources compared to the
symmetric on-premise scenario. More specifically, in the symmetric
on premise scenario, the traffic going from the Service to the end
users also goes through the DDoS Appliance. Such deployment may lead
to unnecessary load on the DDoS Appliance. In fact, the outbound
traffic may not need to be either monitored or mitigated, and as such
may reduce the packet rate or bit rate upper bound limit for inbound
traffic. This may be one motivation for splitting the DDoS
Monitoring module and the DDoS Mitigation modules in two different
DDoS Appliances. In addition, for large networks, having a dedicated
DDoS Appliance for DDoS mitigation may rationalize the cost and use
of DDoS Mitigation Appliances. In fact, DDoS Mitigation Appliances
may be shared by multiple Services or instances of VM of a given
Service. As a result, the DDoS Mitigation Appliance do not need to
scale the service traffic but instead the traffic of DDoS attacks --
which is most likely expected to remain smaller. This may not be the
case for the DDoS Monitor Appliance as there is a need to always
monitor the whole service traffic.
In the use case depicted by Figure 2 and Figure 3 the DDoS Mitigation
Appliance only handles DDoS traffic.
The typical use case includes the following steps:
1. corresponds to the capabilities discovery phase. It is similar
as the one exposed in Section 3.1. The main difference remains
that DDoS Monitoring capabilities and DDoS Mitigating
capabilities are discovered on two distinct DDoS Appliances.
2., 3., 4. and 5. corresponds to the monitoring and alarms
settings. Monitoring may result in exporting data to the Flow
Repository. This is similar as the steps described in
Section 3.1.
6. If the DDoS Controller determines the network is under a DDoS
attack, mitigation is performed in two steps. They may be
ordered differently depending on criteria that are beyond the
scope of this use case. First, the DDoS Mitigation is
configured as described in Section 3.1 as a result of an
analysis performed by the DDoS Controller. Then, traffic
redirection is performed. In our case, the redirected traffic
corresponds only to the inbound traffic from the end users.
The traffic from the service to the end users is not
redirected. This operation is not directly handled by the DDoS
Controller. It can be performed manually, or upon a request
from the DDoS Controller. This request is then treated by a
Migault Expires October 22, 2015 [Page 8]
Internet-Draft DOTS use cases April 2015
network management function in order to perform the
appropriated network configurations.
6bis. In the case, the DDoS Controller determines the network is
not under a DDoS attack, this step similar to the one described
in Section 3.1.
***** DDoS traffic
Internet Attacked Network ooooo Legitimate traffic
|
|
|
| DDoS Appliance
| +-----------------+ +---------+ +---------+
<ooo<ooo< | | | <ooo< | | <ooo< | |
>ooo>ooo> | | DDoS Monitor | >ooo> | Network | >ooo> | Service |
>***>***> | | | >***> | | >***> | |
| +-----------------+ +---------+ +---------+
| | ^
| | | 1. Capabilities
| | | 2. Monitoring settings
| | | +---------------------+
| | +----------------+ | DDoS Mitigation |
| | | +---------------------+
| | 3. Monitored | DDoS Appliance ^
| | Flows | |
| v v 1. Capabilities |
+-----------------+ +-----------------------------------+
| Flow Repository |<------>| DDoS Controller |
+-----------------+ +-----------------------------------+
Figure 2: On-premise Asymmetric Use Case Monitoring Phase
Migault Expires October 22, 2015 [Page 9]
Internet-Draft DOTS use cases April 2015
***** DDoS traffic
Internet Attacked Network ooooo Legitimate traffic
|
| +------------
| | Traffic Redirection
| DDoS Appliance v
| +-----------------+ +---------+ +---------+
<ooo<ooo< | | | <ooo< | | <ooo< | |
>ooo>ooo> | | DDoS Monitor | >ooo> | Network | | Service |
>***>***> | | | >***> | | | |
| +-----------------+ +---------+ +---------+
| | ^ vv ^
| | | *o o
| | | vv ^
| | | 4. Alarm is raised +---------------------+
| | +----------------+ | DDoS Mitigation |
| | | +---------------------+
| | 3. Monitored | DDoS Appliance ^
| | Flows | |
| v v 6. Mitigation settings
+-----------------+ +-----------------------------------+
| Flow Repository |<------>| DDoS Controller |
+-----------------+ +-----------------------------------+
5. Alert Correlation
Figure 3: On-premise Asymmetric Use Case Mitigation Phase
4. Cloud Use Case
Figure 4 illustrates the Cloud use case. In this scenario, the
entire DDoS monitoring and mitigation service is outsourced to a
third party designated as Cloud Based DDoS Cleaning Service or Cloud
for short. In order to do so, the traffic associated to the Service
goes through the Cloud Based DDoS Cleaning Service as detailed in
Figure 4. On the other hand, this scenario makes DDoS mitigation
transparent to the Service provider, which then benefits from a
"clean pipe".
Figure 4 presents the case where the Cloud is on path of both inbound
and outbound traffic, a similar scenario may also consider that only
the inbound traffic, that is the traffic destined to the service is
directed to the cloud whereas the outbound traffic destined to the
users does not.
Internal organization of the Cloud Based DDoS Cleaning Service is
transparent to the Service provider. A combination of the on-
premises scenarios may be used.
Migault Expires October 22, 2015 [Page 10]
Internet-Draft DOTS use cases April 2015
***** DDoS traffic
ooooo Legitimate traffic
+----------------------------------+
| Cloud Base DDoS Cleaning Service |
| |
| DDoS Monitor |
| / |
| DDoS Mitigation |
+----------------------------------+
^^ v v ^
*o o o o
^^ v v ^
>***>***> ,---------. +---------+
Users >ooo>ooo>,-' `-. | |
( Internet ) | Service |
<ooo<ooo<`-. ,-' | |
`---------' +---------+
Figure 4: Cloud Use Case
5. Hybrid Cloud Use Case
The inconvenient the cloud use case scenario described in Section 4
is that redirecting the traffic to the cloud is likely to introduce
additional latency. This is inconvenient as it adds a constant
service degradation and cost to the Service provider. In order to
address this, this section details the Hybrid Cloud scenario that
combines the on-premise scenarios detailed in Section 3 and the cloud
scenario detailed in Section 4
The main driver for combining the cloud and on-premise scenarios is
to be able to outsource the DDoS attack mitigation to a third party
only when the Service provider is under attack, or when it is not
able to handle the ongoing DDoS attack. In the general case, the
determination on how the service provider is able to cope and detect
a DDoS attack is up to the Service provider. A continuum of
scenarios can be considered and this section details only a few of
them.
A specific case may consider that DDoS mitigation is outsourced by
outsourcing the DDoS Controller to a third party. This DDoS
Controller, drives the DDoS Monitor functions on the premise. When
an alert is raised, the DDoS Controller may take the decision to
mitigate internally with the DDoS attack only using on-premise
facilities. This case correspond to the scenarios detailed in
Section 3, except that the DDoS Controller is either located
remotely, or at least accessed remotely by the third party. On the
Migault Expires October 22, 2015 [Page 11]
Internet-Draft DOTS use cases April 2015
other hand, the DDoS Controller may also decide that the DDoS attack
cannot be mitigated on premise, and that mitigation should be
outsourced to a cloud service as described in Section 4. In this
case, the DDoS Controller is expected to redirect at least the
inbound traffic of the Service provider to the cloud infrastructure.
This case corresponds to the on premise asymmetric scenario detailed
in Section 3.2. The difference is that redirection does not occur
inside the Service provider, but involves sites redirection -- most
likely using BGP signaling.
Another scenario may provide more independence to the Service
provider. In this scenario, the Service provider, may have the
complete control on the DDoS Monitor and DDoS Mitigation Appliances,
and only uses the Cloud as a backup solution when it is not likely to
deal with the DDoS attack. In this case, the DDoS Controller sends
an alert to the DDoS Controller of the third party. The third party
first analyzes the attack, which may require to grant access to the
third party to the Flow Repository. If DDoS mitigation action are
performed by the third party DDoS Controller, means should be
provided to transmit information from the third party DDoS Controller
to the DDoS Appliances. This could be done for example by providing
access to the DDoS Appliances, or by DDoS Controller that acts as a
proxy for the third party DDoS Controller.
6. Security Considerations
7. Privacy Considerations
8. IANA Considerations
This document makes no request of IANA.
9. Acknowledgments
10. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Author's Address
Migault Expires October 22, 2015 [Page 12]
Internet-Draft DOTS use cases April 2015
Daniel Migault (editor)
Ericsson
8400 boulevard Decarie
Montreal, QC H4P 2N2
Canada
Phone: +1 514-452-2160
Email: daniel.migault@ericsson.com
Migault Expires October 22, 2015 [Page 13]