Use Cases for DDoS Open Threat Signaling (DOTS) Telemetry

Telemetry Use Cases This section describes DOTS telemetry use cases that use telemetry attributes included in the DOTS telemetry specification . The following subsections assume that once the DOTS signal channel is established, DOTS clients will proceed with the telemetry setup configuration detailed in . The following telemetry parameters are used:

"measurement-interval" defines the period during which percentiles are computed.
"measurement-sample" defines the time distribution for measuring values that are used to compute percentiles.

Mitigation Resources Assignment

Mitigating Attack Flow of Top Talker Preferentially Some transit providers have to mitigate large-scale DDoS attacks using DDoS Mitigation Systems (DMSes) with limited resources that are already deployed in their network. For example, recently reported large DDoS attacks exceeded several Tbps . This use case enables transit providers to use their DMS efficiently under volume-based DDoS attacks whose volume is more than the available capacity of the DMS. To enable this, the attack traffic of top talkers is redirected to the DMS preferentially by cooperation among forwarding nodes, flow collectors, and orchestrators. gives an overview of this use case. provides an example of a DOTS telemetry message body that is used to signal top talkers (2001:db8:1::/48 and 2001:db8:2::/48).

Mitigating Attack Flow of Top Talker Preferentially | Flow ||C<-->S| Orchestrator | BGP Flowspec | collector |+ | |---> (Redirect) +-----------+ +--------------+ +-------------+ IPFIX +-------------+| BGP Flowspec (Redirect) <---| Forwarding ||<--- | nodes || | || DDoS Attack [ Target(s) ]<========================================== | ++=========================[top talker] | || ++======================[top talker] +----|| ||----+ || || || || |/ |/ +----x--x----+ | DDoS | SNMP or YANG/NETCONF | mitigation |<--- | system | +------------+ C: DOTS client functionality S: DOTS server functionality ]]>

Example of Message Body to Signal Top Talkers The forwarding nodes send traffic statistics to the flow collectors, e.g., using IP Flow Information Export (IPFIX) . When DDoS attacks occur, the flow collectors identify the attack traffic and send information about the top talkers to the orchestrator using the "target-prefix" and "top-talkers" DOTS telemetry attributes. The orchestrator then checks the available capacity of the DMSes using a network management protocol, such as the Simple Network Management Protocol (SNMP) or YANG with the Network Configuration Protocol (YANG/NETCONF) . After that, the orchestrator orders the forwarding nodes to redirect as much of the top talker's traffic to the DMSes as they can handle by dissemination of Flow Specifications using tools such as Border Gateway Protocol Dissemination of Flow Specification Rules (BGP Flowspec) . The flow collector implements a DOTS client while the orchestrator implements a DOTS server.

DMS Selection for Mitigation Transit providers can deploy their DMSes in clusters. Then, they can select the DMS to be used to mitigate a DDoS attack at the time of an attack. This use case enables transit providers to select a DMS with sufficient capacity for mitigation based on the volume of the attack traffic and the capacity of the DMS. gives an overview of this use case. provides an example of a DOTS telemetry message body that is used to signal percentiles for total attack traffic.

DMS Selection for Mitigation | Flow ||C<-->S| Orchestrator | BGP (Redirect) | collector |+ | |---> +-----------+ +--------------+ +------------+ IPFIX +------------+| BGP (Redirect) <---| Forwarding ||<--- | nodes || | || DDoS Attack [Target A] | ++=================== [Destined for Target A] [Target B] | || ++=============== [Destined for Target B] +-||--||-----+ || || ++====++ || (congested DMS) || || +-----------+ || |/ | DMS3 | || +-----x------+ |<--- SNMP or YANG/NETCONF |/ | DMS2 |--------+ +--x---------+ |<--- SNMP or YANG/NETCONF | DMS1 |------+ | |<--- SNMP or YANG/NETCONF +------------+ C: DOTS client functionality S: DOTS server functionality ]]>

Example of Message Body with Total Attack Traffic The forwarding nodes send traffic statistics to the flow collectors, e.g., using IPFIX. When DDoS attacks occur, the flow collectors identify the attack traffic and send information about the attack traffic volume to the orchestrator using the "target-prefix" and "total-attack-traffic" DOTS telemetry attributes. The orchestrator then checks the available capacity of the DMSes using a network management protocol, such as the Simple Network Management Protocol (SNMP) or YANG with the Network Configuration Protocol (YANG/NETCONF) . After that, the orchestrator selects a DMS with sufficient capacity to which attack traffic should be redirected. For example, a simple DMS selection algorithm can be used to choose a DMS whose available capacity is greater than the "peak-g" telemetry attribute indicated in the DOTS telemetry message. The orchestrator orders the appropriate forwarding nodes to redirect the attack traffic to the DMS relying upon routing policies, such as BGP . The detailed DMS selection algorithm is out of the scope of this document. The flow collector implements a DOTS client while the orchestrator implements a DOTS server.

Path Selection for Redirection A transit provider network has multiple paths to convey attack traffic to a DMS. In such a network, the attack traffic can be conveyed while avoiding congested links by adequately selecting an available path. This use case enables transit providers to select a path with sufficient bandwidth for redirecting attack traffic to a DMS according to the bandwidth of the attack traffic and total traffic. gives an overview of this use case. provides an example of a DOTS telemetry message body that is used to signal percentiles for total traffic and total attack traffic.

Path Selection for Redirection | collector ||C<-->S| | BGP Flowspec (Redirect) | |+ | |---> +-----------+ +--------------+ DOTS +------------+ DOTS +------------+ IPFIX --->C| Forwarding | --->C| Forwarding |---> BGP Flowspec | node | | node | (Redirect) --->| | | | DDoS Attack [Target] | ++==================================== +-------||---+ +------------+ || / || / (congested link) || / DOTS +-||----------------+ BGP Flowspec (Redirect) --->C| || Forwarding |<--- | ++=== node | +----||-------------+ |/ +--x-----------+ | DMS | +--------------+ C: DOTS client functionality S: DOTS server functionality ]]>

Example of Message Body with Total Attack Traffic and Total Traffic The forwarding nodes send traffic statistics to the flow collectors, e.g., using IPFIX. When DDoS attacks occur, the flow collectors identify attack traffic and send information about the attack traffic volume to the orchestrator using the "target-prefix" and "total-attack-traffic" DOTS telemetry attributes. The underlying forwarding nodes send the volume of the total traffic passing the node to the orchestrator using the "total-traffic" telemetry attributes. The orchestrator then selects a path with sufficient bandwidth to which the flow of attack traffic should be redirected. For example, a simple selection algorithm can be used to choose a path whose available capacity is greater than the "peak-g" telemetry attribute that was indicated in a DOTS telemetry message. After that, the orchestrator orders the appropriate forwarding nodes to redirect the attack traffic to the DMS by dissemination of Flow Specifications using tools such as BGP Flowspec . The detailed path selection algorithm is out of the scope of this document. The flow collector and forwarding nodes implement a DOTS client while the orchestrator implements a DOTS server.

Short but Extreme Volumetric Attack Mitigation Short but extreme volumetric attacks, such as pulse wave DDoS attacks, are threats to Internet transit provider networks. These attacks start from zero and go to maximum values in a very short time span. The attacks go back to zero and then back to maximum values, repeating in continuous cycles at short intervals. It is difficult for transit providers to mitigate such an attack with their DMSes by redirecting attack flows because this may cause route flapping in the network. The practical way to mitigate short but extreme volumetric attacks is to offload mitigation actions to a forwarding node. This use case enables transit providers to mitigate short but extreme volumetric attacks. Furthermore, the aim is to estimate the network-access success rate based on the bandwidth of the attack traffic. gives an overview of this use case. provides an example of a DOTS telemetry message body that is used to signal total pipe capacity. provides an example of a DOTS telemetry message body that is used to signal various percentiles for total traffic and total attack traffic.

Example of Message Body with Total Pipe Capacity

Example of Message Body with Total Attack Traffic and Total Traffic When DDoS attacks occur, the network management system receives alerts. Then, it sends the target IP address(es) and volume of the DDoS attack traffic to the administrative system using the "target-prefix" and "total-attack-traffic" DOTS telemetry attributes. After that, the administrative system orders relevant forwarding nodes to carry out rate-limiting of all traffic destined to the target based on the pipe capability by the dissemination of the Flow Specifications using tools such as BGP Flowspec . In addition, the administrative system estimates the network-access success rate of the target, which is calculated by (total-pipe-capability / (total-pipe-capability + total-attack-traffic)). Note that total pipe capability information can be gathered by telemetry setup in advance (). The network management system implements a DOTS client while the administrative system implements a DOTS server.

Selecting Mitigation Technique Based on Attack Type Some volumetric attacks, such as DNS amplification attacks, can be detected with high accuracy by checking the Layer 3 or Layer 4 information of attack packets. These attacks can be detected and mitigated through cooperation among forwarding nodes and flow collectors using IPFIX. It may also be necessary to inspect the Layer 7 information of suspicious packets to detect attacks such as DNS water torture attacks . To carry out the DNS water torture attack, an attacker commands a botnet to make thousands of DNS requests for fake subdomains against an authoritative name server. Such attack traffic should be detected and mitigated at the DMS. This use case enables transit providers to select a mitigation technique based on the type of attack traffic, whether it is an amplification attack or not. To use such a technique, the attack traffic is blocked by forwarding nodes or redirected to a DMS based on the attack type through cooperation among forwarding nodes, flow collectors, and an orchestrator. gives an overview of this use case. provides an example of attack mappings that are shared using the DOTS data channel in advance. provides an example of a DOTS telemetry message body that is used to signal percentiles for total attack traffic, total attack traffic protocol, and total attack connection; it also shows attack details. The example in uses the folding defined in for long lines.

Selecting Mitigation Technique Based on Attack Type | | BGP (Redirect) IPFIX | Flow ||C S| Orchestrator | BGP Flowspec (Drop) --->| collector |+ | |---> +-----------+ +--------------+ +------------+ BGP (Redirect) IPFIX +------------+| BGP Flowspec (Drop) <---| Forwarding ||<--- | nodes || DDoS Attack | ++=====||================ | || ||x<==============[DNS Amp] | || |+x<==============[NTP Amp] +-----||-----+ || |/ +-----x------+ | DDoS | | mitigation | | system | +------------+ C: DOTS client functionality S: DOTS server functionality DNS Amp: DNS Amplification NTP Amp: NTP Amplification ]]>

Example of Message Body with Attack Mappings

Example of Message Body with Total Attack Traffic, Total Attack Traffic Protocol, Total Attack Connection, and Attack Detail Attack mappings are shared using the DOTS data channel in advance (). The forwarding nodes send traffic statistics to the flow collectors, e.g., using IPFIX. When DDoS attacks occur, the flow collectors identify attack traffic and send attack type information to the orchestrator using the "vendor-id" and "attack-id" telemetry attributes. The orchestrator then resolves abused port numbers and orders relevant forwarding nodes to block the amplification attack traffic flow by dissemination of Flow Specifications using tools such as BGP Flowspec . Also, the orchestrator orders relevant forwarding nodes to redirect traffic other than the amplification attack traffic using a routing protocol, such as BGP . The flow collector implements a DOTS client while the orchestrator implements a DOTS server.

Detailed DDoS Mitigation Report It is possible for the transit provider to add value to the DDoS mitigation service by reporting ongoing and detailed DDoS countermeasure status to the enterprise network. In addition, it is possible for the transit provider to know whether the DDoS countermeasure is effective or not by receiving reports from the enterprise network. This use case enables the mutual sharing of information about ongoing DDoS countermeasures between the transit provider and the enterprise network. gives an overview of this use case. provides an example of a DOTS telemetry message body that is used to signal total pipe capacity from the enterprise network administrator to the orchestrator in the ISP. provides an example of a DOTS telemetry message body that is used to signal percentiles for total traffic and total attack traffic as well as attack details from the orchestrator to the network.

Detailed DDoS Mitigation Report | Orchestrator | | | | strator | | | +--------------+ | | +------------+ | | C ^ | | | | | DOTS | | | | S v | | | | +---------------+ DDoS Attack | | | | DMS |+======= | | | +---------------+ | | | | || Clean | | | | |/ Traffic | | +---------+ | | +---------------+ | | | DDoS | | | | Forwarding | Normal Traffic | | Target |<================| Node |======== | +---------+ | Link1 | +---------------+ | +------------------+ +------------------------+ C: DOTS client functionality S: DOTS server functionality ]]>

Example of Message Body with Total Pipe Capacity

Example of Message Body with Total Traffic, Total Attack Traffic, and Attack Detail The network management system in the enterprise network reports limits of incoming traffic volume from the transit provider to the orchestrator in the transit provider in advance. It is reported using the "total-pipe-capacity" telemetry attribute in the DOTS telemetry setup. When DDoS attacks occur, DDoS mitigation orchestration is carried out in the transit provider. Then, the DDoS mitigation systems report the status of DDoS countermeasures to the orchestrator by sending "attack-detail" telemetry attributes. After that, the orchestrator integrates the reports from the DDoS mitigation systems, while removing duplicate contents, and sends the integrated report to a network administrator using DOTS telemetry periodically. During the DDoS mitigation, the orchestrator in the transit provider retrieves the link congestion status from the network manager in the enterprise network using the "total-traffic" telemetry attributes. Then, the orchestrator checks whether or not the DDoS countermeasures are effective by comparing the "total-traffic" and the "total-pipe-capacity" telemetry attributes. The DMS implements a DOTS server while the orchestrator behaves as a DOTS client and a server in the transit provider. In addition, the network administrator implements a DOTS client.

Tuning Mitigation Resources

Supervised Machine Learning of Flow Collector DDoS detection based on tools, such as IPFIX, is a lighter-weight method of detecting DDoS attacks compared to DMSes in Internet transit provider networks. DDoS detection based on the DMSes is a more accurate method for detecting attack traffic than flow monitoring. The aim of this use case is to increase flow collectors' detection accuracy by carrying out supervised machine-learning techniques according to attack detail reported by the DMSes. To use such a technique, forwarding nodes, flow collectors, and a DMS should cooperate. gives an overview of this use case. provides an example of a DOTS telemetry message body that is used to signal attack detail.

Supervised Machine Learning of Flow Collector | collector || +-----------++ +------------+ IPFIX +------------+| <---| Forwarding || | nodes || DDoS Attack [ Target ] | ++============================== | || ++=========================== | || || ++======================== +---||-|| ||-+ || || || |/ |/ |/ DOTS +---X--X--X--+ --->C| DDoS | | mitigation | | system | +------------+ C: DOTS client functionality S: DOTS server functionality ]]>

Example of Message Body with Attack Detail and Top Talkers The forwarding nodes send traffic statistics to the flow collectors, e.g., using IPFIX. When DDoS attacks occur, DDoS mitigation orchestration is carried out (as per ), and the DMS mitigates all attack traffic destined for a target. The DDoS mitigation system reports the "vendor-id", "attack-id", and "top-talker" telemetry attributes to a flow collector. After mitigating a DDoS attack, the flow collector attaches outputs of the DMS as labels to the statistics of the traffic flow of top talkers. The outputs, for example, are the "attack-id" telemetry attributes. The flow collector then carries out supervised machine learning to increase its detection accuracy, setting the statistics as an explanatory variable and setting the labels as an objective variable. The DMS implements a DOTS client while the flow collector implements a DOTS server.

Unsupervised Machine Learning of Flow Collector DMSes can detect DDoS attack traffic, which means DMSes can also identify clean traffic. This use case supports unsupervised machine learning for anomaly detection according to a baseline reported by the DMSes. To use such a technique, forwarding nodes, flow collectors, and a DMS should cooperate. gives an overview of this use case. provides an example of a DOTS telemetry message body that is used to signal baseline.

Unsupervised Machine Learning of Flow Collector S| collector || +-----------++ +------------+ +------------+| | Forwarding || | nodes || Traffic [ Destination ] <== =============++============================== | || || | || |+ +---||-------+ || |/ DOTS +---X--------+ --->C| DDoS | | mitigation | | system | +------------+ C: DOTS client functionality S: DOTS server functionality ]]>

Example of Message Body with Traffic Baseline The forwarding nodes carry out traffic mirroring to copy the traffic destined to an IP address and to monitor the traffic by a DMS. The DMS then identifies clean traffic and reports the baseline telemetry attributes to the flow collector using DOTS telemetry. The flow collector then carries out unsupervised machine learning to be able to carry out anomaly detection. The DMS implements a DOTS client while the flow collector implements a DOTS server.