DOTS L. Xia H. Song Internet Draft Huawei Intended status: Informational June 27, 2015 Expires: December 2015 The Extended DDoS Open Threat Signaling Use Cases draft-xia-dots-extended-use-cases-00.txt Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on December 27, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Abstract Xia, et al. Expires December 27, 2015 [Page 1] Internet-Draft Extended DOTS Use Cases June 2015 This draft proposes two extended use cases which illustrate more scenarios and multiple ways of implementation within the existing DOTS work scope. One is the data mining and SDN based centralized Anti-DDoS use case, the other is the NFV based distributed DDoS mitigation use case. Table of Contents 1. Introduction ................................................ 2 1.1. Background ............................................. 2 2. Conventions used in this document ........................... 4 3. Data Mining and SDN Based Centralized DDoS Protection ....... 5 4. NFV Based Distributed DDoS Mitigation Use Case .............. 7 5. Security Considerations ..................................... 9 6. IANA Considerations ......................................... 9 7. References .................................................. 9 7.1. Normative References ................................... 9 7.2. Informative References ................................. 9 8. Acknowledgments ............................................. 9 1. Introduction DDoS attacks are one of the largest threats to the Internet, and are evolving very quickly whatever its volume size or complexity. The DDoS attack victims include ISPs, enterprises, and websites. To defend their network resource or services against DDoS attack, Anti- DDoS solutions are needed. According to specific scenarios or requirements, as well as the emerging new technologies such as cloud, NFV and big data, various Anti-DDoS solutions exist in current industry. This document will present two use cases for a distributed Anti-DDOS solution based on standard inter-system communications between the components. These standards will permit a mix of "best of breed" deployment. 1.1. Background Current Anti-DDoS solution is to deploy a proprietary Anti-DDoS system close to the protected site, or in the network, close to the protected site. Anti-DDoS systems can be either one physical box or a distributed system. The former application means that the detection and mitigation modules are all located in the same box. In comparison, the latter is a distributed system which includes distributed devices responsible for detection (i.e., DPI), mitigation (i.e., scrubbing) and central control respectively. The Xia, et al. Expires December 27, 2015 [Page 2] Internet-Draft Extended DOTS Use Cases June 2015 latter application is better in overall performance and deployment flexibility. To meet the various requirements, the Anti-DDoS system is deployed in various locations in a network. For example, it is deployed near the protected sites for easily detecting application- layer attacks, or near to the attack source to mitigate attacking traffic as soon as possible and prevent them flooding into the network. Due to the challenges of high volume and complexity brought by today's DDoS attacks, the cloud-based Anti-DDoS service is becoming attractive and adopted by more and more customers. By this way, all of the customer's traffic is monitored and scrubbed by the Anti-DDoS service provider in real time, and the customer can manage its own Anti-DDoS service and get the related information through the web- based customer portal. This type of service has the benefits of high performance and scalability. On the other hand, Network Function Virtualization (NFV) is considered as a promising technology used by network operators for its great benefits such as saving cost and speeding up new service's provision. Specifically, for the Anti-DDoS service provided by network operators, they can dynamically create the Anti-DDoS Virtual Network Functions (VNFs) and deploy them to the appropriate locations in the network (i.e., near to the attack source or destination, or both) as needed, because they have the information and control of the whole network. The network operators have the inherent advantage comparing with the third-party Anti-DDoS service providers in this aspect. Furthermore, in addition to the detection by specific devices (e.g., Deep Packet Inspection (DPI)), normal network forwarding devices (e.g., router or switch) can also be involved in the DDoS attack detection by collecting the L3/L4 flow information and sending them to the centralized platform for analysis or data mining. It can be a complimentary way to current DDoS detection mechanism, or an independent detection method by itself. During the last few years, the above technologies are in the process of integration, aiming to develop a comprehensive distributed and collaborative Anti-DDoS solution. One example is the hybrid solution by combining the specified on-premise Anti-DDoS devices with cloud- based Anti-DDoS service. The on-premise devices monitor all the traffic of customer and effectively mitigate the application-layer attacks. When attack size reaches customer-established thresholds, mitigation can be moved to the cloud platform. The ultimate goal of the integration is forming a full spectrum of Layer 3-7 defenses both on-premise and in the cloud. For all the distributed and Xia, et al. Expires December 27, 2015 [Page 3] Internet-Draft Extended DOTS Use Cases June 2015 collaborative Anti-DDoS solutions, the coordination among all the member elements is necessary for managing them, as well as collecting and correlating various information from them so as to form a holistic network security view. [I-D.draft-mglt-dots-use-cases] describes several DDoS Open Threat Signaling (DOTS) use cases for communication across distributed Anti-DDoS devices or between on-premise device and cloud platform. Additionally, it also illustrates the benefits the DOTS work can bring. This draft proposes two new use cases which illustrate more scenarios and multiple ways of implementation within the existing DOTS work scope: o Collect and correlate security related flow information from network forwarding devices and proactively detect the DDoS attack by centralized analysis or data mining; o Dynamic and distributed Anti-DDoS solution by creating VNFs and deploying them to the edge network on demand. 2. Conventions used in this document DDoS - Distributed Denial of Service DOTS - DDos Open Threat Signaling SDN - Software Defined Network NFV - Network Function Virtualization DPI - Deep Packet Inspection CAPEX - Capital Expenditure IPFIX - IP Flow Information Export ACL - Access Control List PoP - Point of Presence Xia, et al. Expires December 27, 2015 [Page 4] Internet-Draft Extended DOTS Use Cases June 2015 3. Data Mining and SDN Based Centralized DDoS Protection With the development of big data and SDN/NFV technologies, new ways of thinking of DDoS protection come along as well. A centralized data mining and SDN-like control platform plays a key role for DDoS protection in this use case. The centralized platform collects L3/L4 flow information from normal network forwarding devices (e.g., router or switch) in the whole network, and then analyzes them with data mining technology to get the holistic view of network DDoS threats leading to an easy DDoS attack detection. Compared with traditional signature based solution, data mining analysis focuses more on the behaviors and patterns of the data flows other than the content of the packets. Multi- dimension to ultra-high dimension models can be built to accurately profile the data flows on-line, which allows detecting and even predicting DDoS attacks in real-time. By this way, operators can greatly reduce the Capital Expenditure (CAPEX), as complicated and expensive detecting devices with Deep Packet Inspection (DPI) functions will be no longer essential. Furthermore, in contrast to dedicated Anti-DDoS devices, the data mining platform is highly scalable without obvious performance limit (the data mining functions can be executed on the elastic computing environment). And it has self-adapting capability to proactively detect new mutations of DDoS attacks. This Anti-DDoS solution involves a large number of elements, i.e., routers, switches, data mining platform, dedicated Anti-DDoS devices, and etc, as well as frequent information exchange between them to fulfill its essential functions, i.e., packet/flow sampling, traffic diversion, sending security policies, and etc. All these elements and related control processes can be integrated into the SDN-like control architecture to improve the automation level so as to reduce operational involvement in DDoS attack management. Xia, et al. Expires December 27, 2015 [Page 5] Internet-Draft Extended DOTS Use Cases June 2015 +----------+2.Monitoring +--------------+ 5.DPI and Scrubbing | SDN | Report | Data Mining | statistics information |Controller<-------------+ Platform <-------------------+ | | | | | +--+-------+ +-----^--------+ | | | | |3.Policies of | | | flow sampling, | | | device security, |1.Flow Sampling | | traffic redirection, | | | source tracking, etc | | ..V...........................|.......... | . . 4. Traffic | . +------+ +------+ +------+ . redirection +----+-----+ . |Router| ... |Router| ... |Router| . and clean | Specified| . | | | | | | <-------------> Anti-DDoS| . +------+ +------+ +------+ . | Device | . . +----------+ . Network . ......................................... Figure 1. Data Mining and SDN Based Centralized Anti-DDoS Use Case As illustrated in Figure 1, a data mining and SDN based centralized Anti-DDoS solution forms a closed-loop control system which includes the following steps: 1. Data mining platform monitors network traffics by big data analysis algorithms based on received IP Flow Information Export (IPFIX) packet sampling records, and it probably needs some extensions to current IPFIX specification for security requirements [I-D.draft-fu-ipfix-network-security]. 2. Data mining platform sends the monitoring report to the SDN controller, which provides the inputs for SDN controller to take next step actions. The report contains the information about the detected DDoS attacks based on the data mining models taken by the platform, the information could be the abnormal flows, the suspicious DDoS attack sources or destinations. 3. Based on the monitoring reports input, the SDN controller can control the network forwarding devices to perform various operations, e.g., adjusting the IPFIX flow sampling policies, or configuring device security policies such as rate-limiting or Access Control List (ACL), or traffic redirection to specified mitigation devices or tracking the attack sources and etc. Xia, et al. Expires December 27, 2015 [Page 6] Internet-Draft Extended DOTS Use Cases June 2015 4. The suspicious traffic is identified and redirected to specified Anti-DDoS devices for further inspection and cleaning, and then clean traffic is transmit back to the network; 5. At last, the DPI and scrubbing statistics information created by the specified Anti-DDoS devices are reported to the data mining platform, which are used to help it to improve and derive further security intelligence by self-learning mechanism. 4. NFV Based Distributed DDoS Mitigation Use Case Previously, due to the deployment limit of physical DDoS mitigation devices and the third-party Anti-DDoS service provider does not have the control of the network infrastructure, the centralized deployment of DDoS mitigation devices is more suitable than the distributed deployment. The centralized way is not optimized in saving network bandwidth, and is possible to make DDoS mitigation devices to be the bottleneck. Now, the distributed deployment of DDoS mitigation appliances to the network edge is becoming feasible as NFV technologies grows quickly and are widely adopted by network operators for managing network infrastructure. By the way of dynamic deployment, the virtual DDoS mitigation appliances (i.e., virtual FW, scrubbing center, etc) are distributed at the network edges to relieve the performance and network bandwidth consuming problems. Generally, for the distributed Anti-DDoS solution, the DDoS monitoring appliances should be closer to the attacked destination for easy detection, and the DDoS mitigation appliances should be closer to the attacking sources for saving network bandwidth. So, the source tracking mechanism is an important part of the whole solution. Xia, et al. Expires December 27, 2015 [Page 7] Internet-Draft Extended DOTS Use Cases June 2015 ............... . Virtual DDoS. . Mitigation . . Appliance . ............... --------- | //-- --\\ 3.Network | // +----------+ \\ Edge |// |Anti-DDoS <---+ \\ Depolyment| /Controller| |1.Monitoring ---- || /+--+-----+-+ | Report /// \\\ | | 2 | | | | / \ | | / | |+----+-----+| +--------+ | | | +V-V+ | || DDoS | | |Service | | +---+-----+-+PoP| 2.Source 2|Monitoring+-+---+ | | | | | +---+ Tracking ||appliance | | +--------+ | ISP2| | | | |+----------+| \ | / | | | | \\\ |// | | | ISP1 | ----| \ +-V-+ +V--+ / ............... | \\ |PoP| |PoP<------------. Virtual DDoS. +--+----+ \\ +-+-+ +--++ 3.Network . Mitigation . | Bot | \\--| |--//Edge . Appliance . |Network| +-------+ Deployment............... +-------+ | | | | +-----+-+ +--+----+ | Other | | Bot | |Network| |Network| +-------+ +-------+ Figure 2. NFV Based Distributed DDoS Mitigation Use Case Figure 2 illustrates the use case including the following steps: 1. DDoS monitoring appliance sends the monitoring report to the Anti-DDoS controller, providing the inputs for next step actions; 2. Anti-DDoS controller performs the attacking source tracing mechanism to locate the network edges (i.e., PoPs) needed to deploy the virtual DDoS mitigation appliances; 3. ISP's NFV orchestration center dynamically deploys the virtual DDoS mitigation appliances on the network edge to filter/clean the attacking traffic. Xia, et al. Expires December 27, 2015 [Page 8] Internet-Draft Extended DOTS Use Cases June 2015 5. Security Considerations This specification talks about the use cases for anti-DDoS solutions, which does not introduce any new security threats to the network. However, if the anti-DDoS system could be hacked by attackers, then it could be used for malicious purposes, such as protecting the attacks, or generating new attacks. 6. IANA Considerations There is no IANA consideration for this specification. 7. References 7.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Crocker, D. and Overell, P.(Editors), "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, Internet Mail Consortium and Demon Internet Ltd., November 1997. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2234] Crocker, D. and Overell, P.(Editors), "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, Internet Mail Consortium and Demon Internet Ltd., November 1997. 7.2. Informative References [I-D.draft-mglt-dots-use-cases] Migault, D., "DDos Open Threat Signaling use cases", work in progress, April 2015. [I-D.draft-fu-ipfix-network-security] Fu, T., Zhang, D., He, D., and Xia, L., "IPFIX Information Elements for inspecting network security issues", work in progress, April 2015. 8. Acknowledgments This document was prepared using 2-Word-v2.0.template.dot. Xia, et al. Expires December 27, 2015 [Page 9] Internet-Draft Extended DOTS Use Cases June 2015 Authors' Addresses Liang Xia (Frank) Huawei 101 Software Avenue, Yuhuatai District Nanjing, Jiangsu 210012 China Email: Frank.xialiang@huawei.com Haibin Song Huawei 101 Software Avenue, Yuhuatai District Nanjing, Jiangsu 210012 China Email: haibin.song@huawei.com Xia, et al. Expires December 27, 2015 [Page 10]