Internet-Draft | Problem Statement: Collaborative Defense | October 2023 |
Li & Zhang | Expires 21 April 2024 |
This document presents a problem statement on collaborative mitigation of Distributed Denial-of-Service (DDoS) attacks. DDoS attacks have become more frequent and more sophisticated, causing significant disruption to network services. Their evolving types, intensities and attack methods pose formidable challenges to existing defense systems. This problem statement examines the current defense landscape: defense systems are deployed at many different network positions, and their capabilities are unevenly distributed. Because attacks are global in reach and critical network links must be protected, collaboration among these systems is essential for effective mitigation. The existing collaborative framework, DOTS, shows promise, but a number of practical issues still stand in the way of its deployment. This document identifies the key issues that affect the implementation of collaborative defense.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 21 April 2024.
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Distributed Denial-of-Service (DDoS) attacks have become a pervasive threat, causing significant disruption to online services and networks. Because a single attack typically crosses several networks and overwhelms the defenses available at any one of them, collaborative mitigation strategies are needed to counter these attacks effectively. This problem statement identifies the challenges and open issues in collaborative defense against DDoS attacks.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
A Distributed Denial-of-Service (DDoS) attack is an attack in which many compromised or coordinated hosts simultaneously send traffic at a target in order to disrupt its services and deny access to legitimate users. DDoS attacks can be grouped into three main types according to their effect: resource-exhaustion attacks, link-exhaustion attacks, and network-exhaustion attacks. Because they are cheap to launch and have a large impact, DDoS attacks have become increasingly popular, and attackers keep refining their techniques and increasing their intensity. The following trends characterize the evolution of DDoS attacks:
* Increase in peak and average attack traffic, with peaks reaching terabit-per-second volumes.
* Rapid ramp-up of attack traffic, which can escalate to 800 Gbps within seconds, leaving little time for manual reaction.
* Combination attacks becoming the mainstream approach: attackers employ multiple attack methods concurrently or in sequence, so that a single mitigation rule rarely covers the whole attack.
* Continual emergence of new attack techniques, such as exploiting newly disclosed vulnerabilities or finding novel ways to evade or overload the defense systems themselves.
These evolving attack trends pose significant challenges to current DDoS mitigation systems.
DDoS defense systems are deployed at various nodes in the global network topology. From a topological perspective, the deployment locations of DDoS defense systems can be classified as follows:
* International ingress/egress points: These critical nodes handle the exchange of packets between countries and regions. They typically deploy coarse-grained, high-capacity mitigation mechanisms such as blackhole routing and BGP Flowspec.
* ISP backbone and metropolitan networks: These networks have abundant bandwidth and robust mitigation capacity for high-volume attacks. However, because of the sheer volume of traffic they carry, fine-grained traffic analysis is time-consuming.
* Software service providers: As the last line of defense, the networks hosting the targeted services can detect a wide range of attacks at the application level. However, cost constraints limit the resources they can allocate to mitigation.
The internet is a highly complex and extensive network composed of numerous Local Area Networks (LANs). Different LANs have different owners, and they vary in scale and in the resources allocated to DDoS defense.
DDoS attacks have become an international threat: a single attack often traverses multiple LANs and involves several network operators across different regions and countries. A global view of the internet is therefore crucial for understanding how malicious traffic propagates. Moreover, for mitigation it is more effective to act at the front end of the propagation chain, as close to the sources as possible. Malicious traffic not only disrupts the services of the intended victim but also congests critical links along its path, such as international ingress/egress points and the interconnections between ISPs, affecting uninvolved parties. In addition, as attack intensity grows and tactics evolve, the defense capability available at any single network location is inadequate on its own. Collaboration among multiple defense systems upstream and downstream of each other is therefore necessary. Based on the analysis above, we identify the following information that needs to be communicated through collaboration:
* Attack details, including ongoing and historical attacks.
* Malicious IP addresses or URIs.
* Threat intelligence.
DOTS (DDoS Open Threat Signaling), whose requirements are set out in [RFC8612], provides a foundation for collaborative defense against DDoS attacks by facilitating threat signaling and coordinated mitigation actions. It enables the exchange of attack-related information, improves situational awareness, and supports coordinated response among the parties involved. [RFC8811] describes the DOTS architecture. [RFC8782] (the signal channel, since obsoleted by [RFC9132]) and [RFC8783] (the data channel) specify the communication between DOTS clients and servers. [RFC8903], [RFC9005], and others provide use cases and deployment considerations for DOTS and its communication channels.
Through an analysis of practical issues encountered in DOTS deployments, we have identified the following key challenges in current collaboration efforts:
* Lack of consensus on attack definitions: There is currently no unified standard for categorizing and naming DDoS attacks. Without agreed definitions, a mitigator and a requester may interpret the same collaborative information differently. Establishing common attack definitions would help both parties state their collaboration requirements and available capabilities precisely.
* Absence of attack-type-based collaborative data models: DOTS provides parameters for describing attack details, but which parameters matter depends on the type of attack. For example, the observed source addresses (the reflectors) and the reflected service port are the key filtering information for reflection and amplification attacks, whereas for direct flooding attacks with spoofed sources they are of little use and the target prefix, port and protocol matter instead. To make collaboration efficient, collaborative data models should be defined per attack type, covering both the attack details to be reported and the mitigation specifics to be requested.
* Lack of scenario-specific guidance for collaborative information transmission: Mitigation requesters often lack a clear picture of the defense capabilities available at different network locations. Guidance on how to transmit collaborative information in specific collaboration scenarios would let requesters know when to initiate a mitigation request and which mitigation capabilities a given mitigator can offer.
In conclusion, addressing these challenges will improve the effectiveness of collaborative DDoS mitigation and provide better protection against the growing threat of DDoS attacks.
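As an added example (not part of this draft and not from any DOTS implementation), the following Python code builds the JSON form of a DOTS signal-channel mitigation request, as exchanged between the DOTS client and server discussed above, and then validates it against a per-attack-type data model of the kind the second challenge calls for. The scope attribute names (target-prefix, target-port-range, target-protocol, lifetime) are those of [RFC9132], and source-prefix/source-port-range are those added by the Call Home extension [RFC9066]; the "attack-type" attribute, the three attack-type names, and the table of which attributes each type requires are assumptions made for this example, since the draft proposes such a model but does not define one. The sample requests are constructed for illustration.

```python
"""Hypothetical attack-type-aware validation of a DOTS-style mitigation request.

Added example; not code from the draft or from any DOTS implementation.
"""
import ipaddress
from typing import Any, Dict, List, Optional, Sequence, Tuple

PortRange = Tuple[int, int]

# Hypothetical per-attack-type data model (an assumption for this example):
# the scope attributes a mitigator needs before it can act on the request.
REQUIRED_BY_TYPE: Dict[str, Sequence[str]] = {
    # Reflectors are the visible sources and all answer from one service
    # port (e.g. UDP/123 for NTP), so the source side is the filter key.
    "reflection-amplification": ("target-prefix", "target-protocol", "source-port-range"),
    # Direct floods usually carry spoofed sources; only the victim scope helps.
    "volumetric-flood": ("target-prefix", "target-protocol"),
    # State exhaustion (e.g. a SYN flood) is tied to a specific listening port.
    "state-exhaustion": ("target-prefix", "target-protocol", "target-port-range"),
}


def _port_ranges(ranges: Sequence[PortRange]) -> List[Dict[str, int]]:
    return [{"lower-port": lo, "upper-port": hi} for lo, hi in ranges]


def build_request(attack_type: str, target_prefixes: Sequence[str],
                  protocols: Sequence[int], lifetime: int = 3600,
                  target_ports: Optional[Sequence[PortRange]] = None,
                  source_prefixes: Optional[Sequence[str]] = None,
                  source_ports: Optional[Sequence[PortRange]] = None) -> Dict[str, Any]:
    """Assemble the JSON form of a signal-channel mitigation request.

    target-* attributes follow RFC 9132, source-* attributes RFC 9066;
    "attack-type" is a hypothetical attribute added for this example.
    """
    scope: Dict[str, Any] = {
        "target-prefix": list(target_prefixes),
        "target-protocol": list(protocols),
        "lifetime": lifetime,
        "attack-type": attack_type,
    }
    if target_ports:
        scope["target-port-range"] = _port_ranges(target_ports)
    if source_prefixes:
        scope["source-prefix"] = list(source_prefixes)
    if source_ports:
        scope["source-port-range"] = _port_ranges(source_ports)
    return {"ietf-dots-signal-channel:mitigation-scope": {"scope": [scope]}}


def validate(request: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the request is
    syntactically sound and complete for its declared attack type."""
    problems: List[str] = []
    scopes = request.get("ietf-dots-signal-channel:mitigation-scope", {}).get("scope", [])
    if not scopes:
        return ["no scope"]
    for i, scope in enumerate(scopes):
        where = f"scope[{i}]"
        # Syntactic checks: prefixes, protocol numbers, port ranges, lifetime.
        for key in ("target-prefix", "source-prefix"):
            for prefix in scope.get(key, []):
                try:
                    ipaddress.ip_network(prefix, strict=False)
                except ValueError:
                    problems.append(f"{where}: bad {key} {prefix!r}")
        for proto in scope.get("target-protocol", []):
            if not 0 <= proto <= 255:
                problems.append(f"{where}: bad target-protocol {proto}")
        for key in ("target-port-range", "source-port-range"):
            for rng in scope.get(key, []):
                lo = rng.get("lower-port")
                hi = rng.get("upper-port", lo)  # a single port omits upper-port
                if lo is None or not 0 <= lo <= hi <= 65535:
                    problems.append(f"{where}: bad {key} {rng}")
        lifetime = scope.get("lifetime", 0)
        if lifetime != -1 and lifetime <= 0:  # RFC 9132: -1 means indefinite, 0 is invalid
            problems.append(f"{where}: bad lifetime {lifetime}")
        # Semantic check against the hypothetical per-type model.
        attack_type = scope.get("attack-type")
        required = REQUIRED_BY_TYPE.get(attack_type)
        if required is None:
            problems.append(f"{where}: unknown attack-type {attack_type!r}")
            continue
        for key in required:
            if not scope.get(key):
                problems.append(f"{where}: {attack_type} needs {key}")
    return problems


if __name__ == "__main__":
    # Constructed sample: NTP reflection against 203.0.113.10 (UDP, protocol 17),
    # first without the reflected service port, then with it.
    incomplete = build_request("reflection-amplification", ["203.0.113.10/32"], [17])
    print(validate(incomplete))
    complete = build_request("reflection-amplification", ["203.0.113.10/32"], [17],
                             source_ports=[(123, 123)])
    print(validate(complete))
```

The point of the split between syntactic and semantic checks is that a request can be perfectly valid under the RFC 9132 data model and still be useless to the mitigator: the first sample passes every per-attribute check, and only the per-type table reveals that a reflection attack has been reported without the one attribute an upstream filter would key on.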
This document includes no request to IANA.