

DOTS                                                           L. Xia
                                                              H. Song
Internet Draft                                                 Huawei
Intended status: Informational                          June 27, 2015
Expires: December 2015



             The Extended DDoS Open Threat Signaling Use Cases
                 draft-xia-dots-extended-use-cases-00.txt


Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on December 27, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Abstract



Xia, et al.           Expires December 27, 2015               [Page 1]

Internet-Draft         Extended DOTS Use Cases               June 2015


   This draft proposes two extended use cases which illustrate more
   scenarios and multiple ways of implementation within the existing
   DOTS work scope. One is a data mining and SDN based centralized
   Anti-DDoS use case; the other is an NFV based distributed DDoS
   mitigation use case.

Table of Contents


   1. Introduction ................................................ 2
      1.1. Background ............................................. 2
   2. Conventions used in this document ........................... 4
   3. Data Mining and SDN Based Centralized DDoS Protection ....... 5
   4. NFV Based Distributed DDoS Mitigation Use Case .............. 7
   5. Security Considerations ..................................... 9
   6. IANA Considerations ......................................... 9
   7. References .................................................. 9
      7.1. Normative References ................................... 9
      7.2. Informative References ................................. 9
   8. Acknowledgments ............................................. 9

1. Introduction

   DDoS attacks are one of the largest threats to the Internet, and
   they are evolving quickly in both volume and complexity. DDoS attack
   victims include ISPs, enterprises, and websites. To defend their
   network resources or services against DDoS attacks, Anti-DDoS
   solutions are needed. Driven by specific scenarios and requirements,
   as well as by emerging technologies such as cloud, NFV and big data,
   a variety of Anti-DDoS solutions exist in the industry today.

   This document presents two use cases for a distributed Anti-DDoS
   solution based on standard inter-system communications between the
   components. Such standards permit a mix of "best of breed"
   deployments.

1.1. Background

   The current Anti-DDoS practice is to deploy a proprietary Anti-DDoS
   system either at the protected site or in the network close to it.
   An Anti-DDoS system can be either a single physical box or a
   distributed system. In the former, the detection and mitigation
   modules are all located in the same box. The latter is a distributed
   system made up of separate devices responsible for detection (e.g.,
   DPI), mitigation (e.g., scrubbing) and central control respectively;
   it is better in overall performance and deployment flexibility. To
   meet varying requirements, the Anti-DDoS system is deployed at
   different locations in a network: for example, near the protected
   sites so that application-layer attacks are easy to detect, or near
   the attack source so that attack traffic is mitigated as early as
   possible and prevented from flooding into the network.

   Because of the high volume and complexity of today's DDoS attacks,
   cloud-based Anti-DDoS services are becoming attractive and are being
   adopted by more and more customers. In this model, all of the
   customer's traffic is monitored and scrubbed by the Anti-DDoS service
   provider in real time, and the customer manages its own Anti-DDoS
   service and obtains the related information through a web-based
   customer portal. This type of service has the benefits of high
   performance and scalability.

   On the other hand, Network Function Virtualization (NFV) is
   considered a promising technology for network operators because of
   benefits such as cost savings and faster provisioning of new
   services. Specifically, for an Anti-DDoS service provided by a
   network operator, the operator can dynamically create Anti-DDoS
   Virtual Network Functions (VNFs) and deploy them at the appropriate
   locations in the network (e.g., near the attack source, near the
   destination, or both) as needed, because it has visibility into and
   control of the whole network. Network operators have an inherent
   advantage over third-party Anti-DDoS service providers in this
   respect.

   Furthermore, in addition to detection by dedicated devices (e.g.,
   Deep Packet Inspection (DPI)), ordinary network forwarding devices
   (e.g., routers or switches) can also take part in DDoS attack
   detection by collecting L3/L4 flow information and sending it to a
   centralized platform for analysis or data mining. This can complement
   the current DDoS detection mechanisms or serve as an independent
   detection method by itself.

   During the last few years, the above technologies have been
   converging, with the aim of building a comprehensive distributed and
   collaborative Anti-DDoS solution. One example is the hybrid solution
   that combines dedicated on-premise Anti-DDoS devices with a
   cloud-based Anti-DDoS service. The on-premise devices monitor all of
   the customer's traffic and effectively mitigate application-layer
   attacks. When the attack size reaches customer-established
   thresholds, mitigation can be moved to the cloud platform. The
   ultimate goal of the integration is a full spectrum of Layer 3-7
   defenses both on-premise and in the cloud. For all distributed and
   collaborative Anti-DDoS solutions, coordination among the member
   elements is necessary in order to manage them and to collect and
   correlate information from them so as to form a holistic view of
   network security.

   [I-D.draft-mglt-dots-use-cases] describes several DDoS Open Threat
   Signaling (DOTS) use cases for communication across distributed
   Anti-DDoS devices or between an on-premise device and a cloud
   platform. It also illustrates the benefits that the DOTS work can
   bring.

   This draft proposes two new use cases which illustrate more
   scenarios and multiple ways of implementation within the existing
   DOTS work scope:

   o Collect and correlate security-related flow information from
      network forwarding devices and proactively detect DDoS attacks by
      centralized analysis or data mining;

   o A dynamic and distributed Anti-DDoS solution that creates VNFs and
      deploys them to the network edge on demand.



2. Conventions used in this document

   DDoS - Distributed Denial of Service

   DOTS - DDoS Open Threat Signaling

   SDN - Software Defined Network

   NFV - Network Function Virtualization

   DPI - Deep Packet Inspection

   CAPEX - Capital Expenditure

   IPFIX - IP Flow Information Export

   ACL - Access Control List

   PoP - Point of Presence






3. Data Mining and SDN Based Centralized DDoS Protection

   With the development of big data and SDN/NFV technologies, new
   approaches to DDoS protection emerge as well. In this use case, a
   centralized data mining and SDN-like control platform plays the key
   role in DDoS protection.

   The centralized platform collects L3/L4 flow information from
   ordinary network forwarding devices (e.g., routers or switches)
   across the whole network and then analyzes it with data mining
   techniques to obtain a holistic view of the DDoS threats in the
   network, which makes DDoS attack detection easier. Compared with
   traditional signature-based solutions, data mining analysis focuses
   on the behavior and patterns of the data flows rather than on the
   content of the packets. Models with many (up to very many)
   dimensions can be built to profile the data flows online, which
   allows DDoS attacks to be detected, and in some cases anticipated,
   in real time. In this way, operators can greatly reduce Capital
   Expenditure (CAPEX), because complex and expensive detection devices
   with Deep Packet Inspection (DPI) functions are no longer essential
   for detection (dedicated Anti-DDoS devices are still used for
   scrubbing, as shown in Figure 1). Furthermore, in contrast to
   dedicated Anti-DDoS devices, the data mining platform is highly
   scalable without an obvious performance limit, since the data mining
   functions can run on an elastic computing environment. It can also
   adapt itself to proactively detect new variants of DDoS attacks.
   Note that L3/L4 flow records carry no packet payload, so attacks
   that are distinguishable only by application-layer content still
   depend on the inspection performed by the Anti-DDoS devices to which
   suspicious traffic is redirected.

   This Anti-DDoS solution involves a large number of elements (e.g.,
   routers, switches, the data mining platform, dedicated Anti-DDoS
   devices, etc.) as well as frequent information exchange between them
   to fulfill its essential functions (e.g., packet/flow sampling,
   traffic diversion, distribution of security policies, etc.). All
   these elements and the related control processes can be integrated
   into an SDN-like control architecture to raise the level of
   automation and so reduce the operational effort of DDoS attack
   management.














   +----------+2.Monitoring +--------------+  5.DPI and Scrubbing
   |  SDN     |  Report     | Data Mining  |  statistics information
   |Controller<-------------+   Platform   <-------------------+
   |          |             |              |                   |
   +--+-------+             +-----^--------+                   |
      |                           |                            |
      |3.Policies of              |                            |
      |  flow sampling,           |                            |
      |  device security,         |1.Flow Sampling             |
      |  traffic redirection,     |                            |
      |  source tracking, etc     |                            |
    ..V...........................|..........                  |
    .                                       . 4. Traffic       |
    .  +------+     +------+     +------+   . redirection +----+-----+
    .  |Router| ... |Router| ... |Router|   . and clean   | Specified|
    .  |      |     |      |     |      |   <-------------> Anti-DDoS|
    .  +------+     +------+     +------+   .             |  Device  |
    .                                       .             +----------+
    .  Network                              .
    .........................................


     Figure 1. Data Mining and SDN Based Centralized Anti-DDoS Use Case

   As illustrated in Figure 1, a data mining and SDN based centralized
   Anti-DDoS solution forms a closed-loop control system with the
   following steps:

   1. The data mining platform monitors network traffic by running big
      data analysis algorithms on the IP Flow Information Export (IPFIX)
      packet sampling records it receives. This may require extensions
      to the current IPFIX specification to cover security requirements
      [I-D.draft-fu-ipfix-network-security].

   2. The data mining platform sends a monitoring report to the SDN
      controller, which provides the input for the SDN controller's
      next actions. The report contains information about the DDoS
      attacks detected by the platform's data mining models, such as
      the abnormal flows and the suspicious DDoS attack sources or
      destinations.

   3. Based on the monitoring report, the SDN controller can instruct
      the network forwarding devices to perform various operations,
      e.g., adjusting the IPFIX flow sampling policies, configuring
      device security policies such as rate limiting or Access Control
      Lists (ACLs), redirecting traffic to specified mitigation devices,
      or tracking the attack sources.


   4. The suspicious traffic is identified and redirected to the
      specified Anti-DDoS devices for further inspection and cleaning,
      and the clean traffic is then transmitted back into the network;

   5. Finally, the DPI and scrubbing statistics produced by the
      specified Anti-DDoS devices are reported back to the data mining
      platform, which uses them to improve its models and derive further
      security intelligence through self-learning.
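   The following Python program is an added worked example, not part of
   this draft and not an implementation of DOTS or IPFIX: it mimics the
   closed loop of steps 1 to 3 on a small constructed set of sampled
   flow records. The record fields, the per-destination features
   (distinct sources, share of SYN-only TCP flows), the thresholds, the
   learned baseline and the action names handed to the "controller" are
   all assumptions chosen for illustration.

```python
"""Added example (not from the draft): a toy version of the closed loop in
Figure 1. A 'data mining platform' scores IPFIX-style sampled flow records
per destination against a learned baseline, and an 'SDN controller' turns
the resulting monitoring report into forwarding-device actions. Field
names, thresholds and action names are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

SYN = 0x02  # tcpControlBits value of a bare SYN (no ACK)


@dataclass(frozen=True)
class Flow:
    """One sampled flow record (a subset of IPFIX fields, chosen here)."""
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP
    dport: int
    tcp_flags: int   # IPFIX tcpControlBits; 0 for non-TCP
    packets: int
    octets: int


def profile(flows):
    """Step 1: per-destination behavioural features (no payload needed)."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    feats = {}
    for dst, fl in by_dst.items():
        tcp = [f for f in fl if f.proto == 6]
        syn_only = sum(1 for f in tcp if f.tcp_flags == SYN)
        feats[dst] = {
            "flows": len(fl),
            "sources": len({f.src for f in fl}),
            "syn_only": syn_only / len(tcp) if tcp else 0.0,
            "pkts_per_flow": mean(f.packets for f in fl),
        }
    return feats


def detect(flows, baseline, src_factor=5.0, syn_share=0.8, min_flows=20):
    """Step 2: build the monitoring report. 'baseline' maps a destination to
    its usual number of distinct sources, as learned in an earlier window.
    A destination is reported when its source count jumps by src_factor
    AND most of its TCP flows are bare SYNs: many (spoofed) sources, no
    completed handshakes. min_flows suppresses noise on tiny samples."""
    report = []
    for dst, ft in profile(flows).items():
        if ft["flows"] < min_flows:
            continue
        if (ft["sources"] >= src_factor * baseline.get(dst, 1)
                and ft["syn_only"] >= syn_share):
            report.append({"dst": dst, "kind": "syn_flood",
                           "sources": ft["sources"],
                           "syn_only": round(ft["syn_only"], 2)})
    return report


def controller_actions(report):
    """Step 3: map each report entry to policies for the forwarding devices.
    Action names are hypothetical, standing in for whatever the SDN
    controller's southbound interface offers."""
    actions = []
    for r in report:
        actions.append(("sampling", r["dst"], "1:1"))         # sample every flow to the victim
        actions.append(("rate-limit", r["dst"], "tcp-syn"))   # device security policy
        actions.append(("redirect", r["dst"], "scrubber-1"))  # divert to the Anti-DDoS device
    return actions


def sample_flows():
    """Constructed input: a SYN flood toward 203.0.113.10 from 60 distinct
    (probably spoofed) sources, plus ordinary established traffic toward
    203.0.113.20 from three clients."""
    flows = [Flow(f"198.51.100.{i}", "203.0.113.10", 6, 443, SYN, 1, 60)
             for i in range(1, 61)]
    flows += [Flow(f"192.0.2.{i % 3 + 1}", "203.0.113.20", 6, 443, 0x18, 40, 30000)
              for i in range(30)]
    return flows


BASELINE = {"203.0.113.10": 8, "203.0.113.20": 5}  # learned earlier (assumed)

if __name__ == "__main__":
    report = detect(sample_flows(), BASELINE)
    for entry in report:
        print("report:", entry)
    for action in controller_actions(report):
        print("action:", action)
```

   Run stand-alone, the program reports 203.0.113.10 as a SYN flood
   (60 sources against a baseline of 8, all TCP flows bare SYNs) and
   emits three actions for it, while the established traffic toward
   203.0.113.20 produces no report. The feedback of step 5 is not
   modelled; in practice it would update BASELINE and the thresholds.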



4. NFV Based Distributed DDoS Mitigation Use Case

   Previously, because physical DDoS mitigation devices could not be
   deployed everywhere and third-party Anti-DDoS service providers do
   not control the network infrastructure, centralized deployment of
   DDoS mitigation devices was more practical than distributed
   deployment. The centralized approach, however, does not save network
   bandwidth, and the mitigation devices can become a bottleneck.

   Now, distributed deployment of DDoS mitigation appliances at the
   network edge is becoming feasible, as NFV technologies mature and are
   widely adopted by network operators for managing their network
   infrastructure. Through dynamic deployment, virtual DDoS mitigation
   appliances (e.g., virtual firewalls, scrubbing centers) are
   distributed to the network edges, relieving both the performance
   bottleneck and the network bandwidth consumption.

   Generally, in a distributed Anti-DDoS solution, the DDoS monitoring
   appliances should be close to the attacked destination for easier
   detection, while the DDoS mitigation appliances should be close to
   the attack sources to save network bandwidth. A source tracking
   mechanism is therefore an important part of the whole solution.













              ...............
              . Virtual DDoS.
              . Mitigation  .
              . Appliance   .
              ...............     ---------
                         |    //--         --\\
             3.Network   |  // +----------+    \\
               Edge      |//   |Anti-DDoS <---+  \\
               Deployment|     /Controller|   |1.Monitoring
        ----            ||    /+--+-----+-+   |  Report
     ///    \\\        | |   2    |     |     |      |
    /          \       | |  /     |     |+----+-----+|    +--------+
   |            |     | +V-V+     |     ||   DDoS   | |   |Service |
   |        +---+-----+-+PoP|  2.Source 2|Monitoring+-+---+        |
   |        |   |     | +---+  Tracking ||appliance | |   +--------+
   |    ISP2|   |      |          |     |+----------+|
    \       |  /       |          |     |            |
     \\\    |//         |         |     |    ISP1   |
        ----|            \      +-V-+  +V--+       /    ...............
            |             \\    |PoP|  |PoP<------------. Virtual DDoS.
         +--+----+          \\  +-+-+  +--++ 3.Network  . Mitigation  .
         |  Bot  |            \\--|       |--//Edge     . Appliance   .
         |Network|                +-------+   Deployment...............
         +-------+                |       |
                                  |       |
                            +-----+-+  +--+----+
                            | Other |  |  Bot  |
                            |Network|  |Network|
                            +-------+  +-------+
          Figure 2. NFV Based Distributed DDoS Mitigation Use Case

   Figure 2 illustrates the use case, which includes the following
   steps:

   1. The DDoS monitoring appliance sends a monitoring report to the
      Anti-DDoS controller, providing the input for the next actions;

   2. The Anti-DDoS controller runs an attack source tracing mechanism
      to locate the network edges (i.e., PoPs) at which virtual DDoS
      mitigation appliances need to be deployed;

   3. The ISP's NFV orchestration center dynamically deploys the virtual
      DDoS mitigation appliances at those network edges to filter and
      clean the attack traffic.
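   The following Python program is an added worked example, not part of
   this draft: it sketches steps 2 and 3 with constructed data. The
   draft does not specify the source tracing mechanism; the example
   assumes that sampled flow records are tagged with the PoP at which
   the traffic entered the ISP and ranks ingress PoPs by their share of
   the traffic toward the attacked destination. Keying on the ingress
   point rather than on source addresses is deliberate, since flood
   sources are often spoofed. The record fields, the PoP names, the
   coverage threshold and the form of the deployment request handed to
   the orchestrator are assumptions.

```python
"""Added example (not from the draft): a toy version of steps 2 and 3 in
Figure 2. Given the attacked destination from a monitoring report and
sampled flow records tagged with the ingress PoP, 'source tracking' ranks
the PoPs by their share of the attack traffic and the controller asks the
NFV orchestrator to deploy virtual mitigation appliances only where they
matter. All names, fields and thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class EdgeFlow:
    """Sampled flow record annotated with the edge it entered through."""
    ingress_pop: str   # observation point: PoP where the traffic entered the ISP
    src: str
    dst: str
    packets: int


def trace_sources(flows, victim):
    """Step 2: share of packets toward 'victim' per ingress PoP, largest
    first. Keyed by PoP rather than by source address because flood
    sources are often spoofed while the ingress point is not."""
    pkts = Counter()
    for f in flows:
        if f.dst == victim:
            pkts[f.ingress_pop] += f.packets
    total = sum(pkts.values())
    if total == 0:
        return []
    return [(pop, n / total) for pop, n in pkts.most_common()]


def choose_edges(shares, coverage=0.9, min_share=0.05):
    """Pick the fewest top-ranked PoPs whose combined share reaches
    'coverage', stopping at PoPs below 'min_share' (not worth a VNF)."""
    chosen, covered = [], 0.0
    for pop, share in shares:
        if covered >= coverage or share < min_share:
            break
        chosen.append(pop)
        covered += share
    return chosen


def deployment_requests(victim, pops, vnf="vscrubber"):
    """Step 3: what the Anti-DDoS controller hands to the NFV orchestrator.
    The request format is hypothetical."""
    return [{"action": "deploy", "vnf": vnf, "pop": pop, "protect": victim}
            for pop in pops]


def sample_edge_flows():
    """Constructed input: attack packets toward 203.0.113.10 enter mostly at
    pop-isp2 (1000 pkts) and pop-east (800 pkts); pop-west carries a
    trickle (100 pkts); pop-south only sees traffic to another host."""
    flows = [EdgeFlow("pop-isp2", f"198.51.100.{i}", "203.0.113.10", 100)
             for i in range(1, 11)]
    flows += [EdgeFlow("pop-east", f"198.51.100.{i}", "203.0.113.10", 200)
              for i in range(11, 15)]
    flows += [EdgeFlow("pop-west", "192.0.2.7", "203.0.113.10", 20)
              for _ in range(5)]
    flows += [EdgeFlow("pop-south", "192.0.2.9", "203.0.113.20", 500)
              for _ in range(3)]
    return flows


if __name__ == "__main__":
    victim = "203.0.113.10"          # taken from the monitoring report (step 1)
    shares = trace_sources(sample_edge_flows(), victim)
    for pop, share in shares:
        print(f"{pop}: {share:.1%} of traffic toward {victim}")
    for req in deployment_requests(victim, choose_edges(shares)):
        print("orchestrator request:", req)
```

   With the sample data, pop-isp2 and pop-east together carry about 95%
   of the traffic toward the victim, so only those two PoPs receive a
   deployment request; raising the coverage target to 99% would add
   pop-west, unless its share falls below the minimum share considered
   worth a VNF.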






5. Security Considerations

   This document describes use cases for Anti-DDoS solutions and does
   not itself introduce any new security threats to the network.
   However, if the Anti-DDoS system were compromised by attackers, it
   could be used for malicious purposes, such as shielding attacks from
   detection or generating new attacks. Because the controllers in
   these use cases can redirect traffic, push ACL and rate-limiting
   policies to forwarding devices and trigger VNF deployment, the
   signaling between the monitoring, control and mitigation elements
   needs to be authenticated and integrity-protected, and the
   monitoring reports that drive those actions should be treated as
   untrusted input.

6. IANA Considerations

   There is no IANA consideration for this specification.

7. References

7.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2234] Crocker, D. and Overell, P.(Editors), "Augmented BNF for
             Syntax Specifications: ABNF", RFC 2234, Internet Mail
             Consortium and Demon Internet Ltd., November 1997.

7.2. Informative References

   [I-D.draft-mglt-dots-use-cases] Migault, D., "DDoS Open Threat
              Signaling use cases", work in progress, April 2015.

   [I-D.draft-fu-ipfix-network-security] Fu, T., Zhang, D., He, D., and
             Xia, L., "IPFIX Information Elements for inspecting
             network security issues", work in progress, April 2015.

8. Acknowledgments



   This document was prepared using 2-Word-v2.0.template.dot.





Authors' Addresses

   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: Frank.xialiang@huawei.com




   Haibin Song
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: haibin.song@huawei.com

























