RE: Secdir last call review of draft-ietf-dots-signal-channel-30


 



> -----Original Message-----
> From: Michael Richardson <mcr+ietf@xxxxxxxxxxxx>
> Sent: Friday, March 15, 2019 6:52 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@xxxxxxxxxx>
> Cc: mohamed.boucadair@xxxxxxxxxx; Stephen Farrell
> <stephen.farrell@xxxxxxxxx>; secdir@xxxxxxxx; draft-ietf-dots-signal-
> channel.all@xxxxxxxx; ietf@xxxxxxxx; dots@xxxxxxxx
> Subject: Re: Secdir last call review of draft-ietf-dots-signal-channel-30
> 
> 
> Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@xxxxxxxxxx> wrote:
>     > Stephen is referring to an attack where a compromised DOTS client
>     > initiates mitigation request for a target resource that is attacked and
>     > learns the mitigation efficacy of the DOTS server, informs the
>     > mitigation efficacy to DDoS attacker to change the DDoS attack
>     > strategy.
> 
> Is there a word for an infantry troop who goes behind enemy lines in order
> to communicate how well the artillery is?  I guess a modern form is these laser
> targeted missiles, where the target is "painted".
> 
> I don't know if there are words for this kind of thing, but this would seem to
> describe the situation.
> 
>     > We can add the following lines to address his comment:
> 
>     > A compromised DOTS client can collude with a DDoS attacker to send
>     > mitigation request for a target resource, learns the mitigation
>     > efficacy from the DOTS server, and conveys the efficacy to the DDoS
>     > attacker to learn the mitigation capabilities of the DDoS mitigation
>     > and to possibly change the DDoS attack strategy. This attack can be
>     > prevented by auditing the behavior of DOTS clients and authorizing the
>     > DOTS client to request mitigation for specific target resources.
> 
> If a resource is already under attack, there are already mitigation requests for
> that target, can a compromised DOTS client learn anything by requesting
> mitigation on the same target?

I meant the scenario where the compromised DOTS client initiates the mitigation request before the legitimate DOTS client sends the mitigation request to the DOTS server. DOTS clients are typically trusted devices like Firewalls/IPS, DDoS mitigators/detectors. In the future, application servers and endpoints can act as DOTS clients.

-Tiru

> 
> --
> Michael Richardson <mcr+IETF@xxxxxxxxxxxx>, Sandelman Software Works  -
> = IPv6 IoT consulting =-
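The proposed text above says the colluding-client attack can be limited by authorizing each DOTS client to request mitigation only for specific target resources and by auditing client behaviour. The following is an added illustration of what that server-side check could look like; it is not code from the DOTS draft or from any DOTS implementation. The authorization table, the client identifiers (`cuid` values) and the prefixes are constructed for the example, and the "repeated denials" heuristic is one possible audit signal, not something the draft specifies.

```python
import ipaddress
from collections import defaultdict

# Constructed authorization table (hypothetical): DOTS client identifier (cuid)
# -> the target prefixes that client is allowed to request mitigation for.
AUTHORIZED_TARGETS = {
    "client-fw-1": ["192.0.2.0/24", "2001:db8:1::/48"],
    "client-ips-2": ["198.51.100.0/25"],
}


def _covered(prefix, allowed_prefixes):
    """True if `prefix` lies entirely inside one of the allowed prefixes."""
    net = ipaddress.ip_network(prefix, strict=False)
    for allowed in allowed_prefixes:
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6 operands, so compare versions first.
        if allowed_net.version == net.version and net.subnet_of(allowed_net):
            return True
    return False


def authorize_mitigation_request(cuid, target_prefixes, authz, audit_log):
    """Scope check for a mitigation request.

    Returns ("accepted", []) when every requested target prefix is within the
    client's authorized scope, otherwise ("rejected", <out-of-scope prefixes>).
    Every decision is appended to `audit_log` so client behaviour can be reviewed.
    """
    allowed = authz.get(cuid, [])          # unknown clients are authorized for nothing
    denied = [p for p in target_prefixes if not _covered(p, allowed)]
    decision = "accepted" if not denied else "rejected"
    audit_log.append({
        "cuid": cuid,
        "targets": list(target_prefixes),
        "denied": denied,
        "decision": decision,
    })
    return decision, denied


def clients_with_repeated_denials(audit_log, threshold=3):
    """Audit helper: clients whose out-of-scope requests reached `threshold`.

    A client repeatedly asking for mitigation of resources outside its scope is
    the kind of behaviour the draft's auditing recommendation is meant to surface.
    """
    counts = defaultdict(int)
    for entry in audit_log:
        if entry["decision"] == "rejected":
            counts[entry["cuid"]] += 1
    return sorted(cuid for cuid, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    log = []
    print(authorize_mitigation_request("client-fw-1", ["192.0.2.0/25"], AUTHORIZED_TARGETS, log))
    print(authorize_mitigation_request("client-ips-2", ["192.0.2.0/24"], AUTHORIZED_TARGETS, log))
    print(clients_with_repeated_denials(log, threshold=1))
```

The scope check runs before the server acts on the request or returns any mitigation status, so a client that is not authorized for a target learns nothing about how that target is being mitigated; the audit log is what an operator would review when deciding whether a client is behaving as expected.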




