1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
|
Internet Engineering Task Force (IETF) A. Mortensen, Ed.
Request for Comments: 8811 Forcepoint
Category: Informational T. Reddy.K, Ed.
ISSN: 2070-1721 McAfee, Inc.
F. Andreasen
Cisco
N. Teague
Iron Mountain
R. Compton
Charter
August 2020
DDoS Open Threat Signaling (DOTS) Architecture
Abstract
This document describes an architecture for establishing and
maintaining Distributed Denial-of-Service (DDoS) Open Threat
Signaling (DOTS) within and between domains. The document does not
specify protocols or protocol extensions, instead focusing on
defining architectural relationships, components, and concepts used
in a DOTS deployment.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8811.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Context and Motivation
1.1. Terminology
1.1.1. Key Words
1.1.2. Definition of Terms
1.2. Scope
1.3. Assumptions
2. DOTS Architecture
2.1. DOTS Operations
2.2. Components
2.2.1. DOTS Client
2.2.2. DOTS Server
2.2.3. DOTS Gateway
2.3. DOTS Agent Relationships
2.3.1. Gatewayed Signaling
3. Concepts
3.1. DOTS Sessions
3.1.1. Preconditions
3.1.2. Establishing the DOTS Session
3.1.3. Maintaining the DOTS Session
3.2. Modes of Signaling
3.2.1. Direct Signaling
3.2.2. Redirected Signaling
3.2.3. Recursive Signaling
3.2.4. Anycast Signaling
3.2.5. Signaling Considerations for Network Address
Translation
3.3. Triggering Requests for Mitigation
3.3.1. Manual Mitigation Request
3.3.2. Automated Conditional Mitigation Request
3.3.3. Automated Mitigation on Loss of Signal
4. IANA Considerations
5. Security Considerations
6. References
6.1. Normative References
6.2. Informative References
Acknowledgments
Contributors
Authors' Addresses
1. Context and Motivation
Signaling the need for help to defend against an active distributed
denial-of-service (DDoS) attack requires a common understanding of
mechanisms and roles among the parties coordinating a defensive
response. The signaling layer and supplementary messaging are the
focus of DDoS Open Threat Signaling (DOTS). DOTS defines a method of
coordinating defensive measures among willing peers to mitigate
attacks quickly and efficiently, enabling hybrid attack responses
coordinated locally at or near the target of an active attack, or
anywhere in path between attack sources and target. Sample DOTS use
cases are elaborated in [DOTS-USE-CASES].
This document describes an architecture used in establishing,
maintaining, or terminating a DOTS relationship within a domain or
between domains.
1.1. Terminology
1.1.1. Key Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
1.1.2. Definition of Terms
This document uses the terms defined in [RFC8612].
1.2. Scope
In this architecture, DOTS clients and servers communicate using DOTS
signal channel [RFC8782] and data channel [RFC8783] protocols.
The DOTS architecture presented here is applicable across network
administrative domains, for example, between an enterprise domain and
the domain of a third-party attack mitigation service, as well as to
a single administrative domain. DOTS is generally assumed to be most
effective when aiding coordination of attack response between two or
more participating networks, but single domain scenarios are valuable
in their own right, as when aggregating intra-domain DOTS client
signals for an inter-domain coordinated attack response.
This document does not address any administrative or business
agreements that may be established between involved DOTS parties.
Those considerations are out of scope. Regardless, this document
assumes necessary authentication and authorization mechanisms are put
in place so that only authorized clients can invoke the DOTS service.
A detailed set of DOTS requirements are discussed in [RFC8612], and
the DOTS architecture is designed to follow those requirements. Only
new behavioral requirements are described in this document.
1.3. Assumptions
This document makes the following assumptions:
* All domains in which DOTS is deployed are assumed to offer the
required connectivity between DOTS agents and any intermediary
network elements, but the architecture imposes no additional
limitations on the form of connectivity.
* Congestion and resource exhaustion are intended outcomes of a DDoS
attack [RFC4732]. Some operators may utilize non-impacted paths
or networks for DOTS. However, in general, conditions should be
assumed to be hostile, and DOTS must be able to function in all
circumstances, including when the signaling path is significantly
impaired. Congestion control requirements are discussed in
Section 3 of [RFC8612]. The DOTS signal channel defined in
[RFC8782] is designed to be extremely resilient under extremely
hostile network conditions, and it provides continued contact
between DOTS agents even as DDoS attack traffic saturates the
link.
* There is no universal DDoS attack scale threshold triggering a
coordinated response across administrative domains. A network
domain administrator or service or application owner may
arbitrarily set attack scale threshold triggers, or manually send
requests for mitigation.
* Mitigation requests may be sent to one or more upstream DOTS
servers based on criteria determined by DOTS client administrators
and the underlying network configuration. The number of DOTS
servers with which a given DOTS client has established
communications is determined by local policy and is deployment
specific. For example, a DOTS client of a multihomed network may
support built-in policies to establish DOTS relationships with
DOTS servers located upstream of each interconnection link.
* The mitigation capacity and/or capability of domains receiving
requests for coordinated attack response is opaque to the domains
sending the request. The domain receiving the DOTS client signal
may or may not have sufficient capacity or capability to filter
any or all DDoS attack traffic directed at a target. In either
case, the upstream DOTS server may redirect a request to another
DOTS server. Redirection may be local to the redirecting DOTS
server's domain or may involve a third-party domain.
* DOTS client and server signals, as well as messages sent through
the data channel, are sent across any transit networks with the
same probability of delivery as any other traffic between the DOTS
client domain and the DOTS server domain. Any encapsulation
required for successful delivery is left untouched by transit
network elements. DOTS servers and DOTS clients cannot assume any
preferential treatment of DOTS signals. Such preferential
treatment may be available in some deployments (e.g., intra-domain
scenarios), and the DOTS architecture does not preclude its use
when available. However, DOTS itself does not address how that
may be done.
* The architecture allows for, but does not assume, the presence of
Quality-of-Service (QoS) policy agreements between DOTS-enabled
peer networks or local QoS prioritization aimed at ensuring
delivery of DOTS messages between DOTS agents. QoS is an
operational consideration only, not a functional part of the DOTS
architecture.
* The signal and data channels are loosely coupled and might not
terminate on the same DOTS server. How the DOTS servers
synchronize the DOTS configuration is out of scope of this
specification.
2. DOTS Architecture
The basic high-level DOTS architecture is illustrated in Figure 1:
+-----------+ +-------------+
| Mitigator | ~~~~~~~~~~ | DOTS Server |
+-----------+ +-------------+
|
|
|
+---------------+ +-------------+
| Attack Target | ~~~~~~ | DOTS Client |
+---------------+ +-------------+
Figure 1: Basic DOTS Architecture
A simple example instantiation of the DOTS architecture could be an
enterprise as the attack target for a volumetric DDoS attack and an
upstream DDoS mitigation service as the mitigator. The service
provided by the mitigator is called "DDoS mitigation service". The
enterprise (attack target) is connected to the Internet via a link
that is getting saturated, and the enterprise suspects it is under
DDoS attack. The enterprise has a DOTS client, which obtains
information about the DDoS attack and signals the DOTS server for
help in mitigating the attack. In turn, the DOTS server invokes one
or more mitigators, which are tasked with mitigating the actual DDoS
attack and, hence, aim to suppress the attack traffic while allowing
valid traffic to reach the attack target.
The scope of the DOTS specifications is the interfaces between the
DOTS client and DOTS server. The interfaces to the attack target and
the mitigator are out of scope of DOTS. Similarly, the operation of
both the attack target and the mitigator is out of scope of DOTS.
Thus, DOTS specifies neither how an attack target decides it is under
DDoS attack nor does DOTS specify how a mitigator may actually
mitigate such an attack. A DOTS client's request for mitigation is
advisory in nature and might not lead to any mitigation at all,
depending on the DOTS server domain's capacity and willingness to
mitigate on behalf of the DOTS client domain.
The DOTS client may be provided with a list of DOTS servers, each
associated with one or more IP addresses. These addresses may or may
not be of the same address family. The DOTS client establishes one
or more sessions by connecting to the provided DOTS server addresses.
As illustrated in Figure 2, there are two interfaces between a DOTS
server and a DOTS client: a signal channel and (optionally) a data
channel.
+---------------+ +---------------+
| | <------- Signal Channel ------> | |
| DOTS Client | | DOTS Server |
| | <======= Data Channel ======> | |
+---------------+ +---------------+
Figure 2: DOTS Interfaces
The primary purpose of the signal channel is for a DOTS client to ask
a DOTS server for help in mitigating an attack and for the DOTS
server to inform the DOTS client about the status of such mitigation.
The DOTS client does this by sending a client signal that contains
information about the attack target(s). The client signal may also
include telemetry information about the attack, if the DOTS client
has such information available. In turn, the DOTS server sends a
server signal to inform the DOTS client of whether it will honor the
mitigation request. Assuming it will, the DOTS server initiates
attack mitigation and periodically informs the DOTS client about the
status of the mitigation. Similarly, the DOTS client periodically
informs the DOTS server about the client's status, which, at a
minimum, provides client (attack target) health information; it
should also include efficacy information about the attack mitigation
as it is now seen by the client. At some point, the DOTS client may
decide to terminate the server-side attack mitigation, which it
indicates to the DOTS server over the signal channel. A mitigation
may also be terminated if a DOTS client-specified mitigation lifetime
is exceeded. Note that the signal channel may need to operate over a
link that is experiencing a DDoS attack and, hence, is subject to
severe packet loss and high latency.
While DOTS is able to request mitigation with just the signal
channel, the addition of the DOTS data channel provides for
additional, more efficient capabilities. The primary purpose of the
data channel is to support DOTS-related configuration and policy
information exchange between the DOTS client and the DOTS server.
Examples of such information include, but are not limited to:
* Creating identifiers, such as names or aliases, for resources for
which mitigation may be requested. Such identifiers may then be
used in subsequent signal channel exchanges to refer more
efficiently to the resources under attack.
* Drop-list management, which enables a DOTS client to inform the
DOTS server about sources to suppress.
* Accept-list management, which enables a DOTS client to inform the
DOTS server about sources from which traffic is always accepted.
* Filter management, which enables a DOTS client to install or
remove traffic filters dropping or rate-limiting unwanted traffic.
* DOTS client provisioning.
Note that, while it is possible to exchange the above information
before, during, or after a DDoS attack, DOTS requires reliable
delivery of this information and does not provide any special means
for ensuring timely delivery of it during an attack. In practice,
this means that DOTS deployments should rely on such information
being exchanged only under normal traffic conditions.
2.1. DOTS Operations
DOTS does not prescribe any specific deployment models; however, DOTS
is designed with some specific requirements around the different DOTS
agents and their relationships.
First of all, a DOTS agent belongs to a domain that has an identity
that can be authenticated and authorized. DOTS agents communicate
with each other over a mutually authenticated signal channel and
(optionally) data channel. However, before they can do so, a service
relationship needs to be established between them. The details and
means by which this is done is outside the scope of DOTS; however, an
example would be for an enterprise A (DOTS client) to sign up for
DDoS service from provider B (DOTS server). This would establish a
(service) relationship between the two that enables enterprise A's
DOTS client to establish a signal channel with provider B's DOTS
server. A and B will authenticate each other, and B can verify that
A is authorized for its service.
From an operational and design point of view, DOTS assumes that the
above relationship is established prior to a request for DDoS attack
mitigation. In particular, it is assumed that bidirectional
communication is possible at this time between the DOTS client and
DOTS server. Furthermore, it is assumed that additional service
provisioning, configuration, and information exchange can be
performed by use of the data channel if operationally required. It
is not until this point that the mitigation service is available for
use.
Once the mutually authenticated signal channel has been established,
it will remain active. This is done to increase the likelihood that
the DOTS client can signal the DOTS server for help when the attack
target is being flooded, and similarly raise the probability that
DOTS server signals reach the client regardless of inbound link
congestion. This does not necessarily imply that the attack target
and the DOTS client have to be co-located in the same administrative
domain, but it is expected to be a common scenario.
DDoS mitigation with the help of an upstream mitigator may involve
some form of traffic redirection whereby traffic destined for the
attack target is steered towards the mitigator. Common mechanisms to
achieve this redirection depend on BGP [RFC4271] and DNS [RFC1035].
In turn, the mitigator inspects and scrubs the traffic and forwards
the resulting (hopefully non-attack) traffic to the attack target.
Thus, when a DOTS server receives an attack mitigation request from a
DOTS client, it can be viewed as a way of causing traffic redirection
for the attack target indicated.
DOTS relies on mutual authentication and the pre-established service
relationship between the DOTS client domain and the DOTS server
domain to provide authorization. The DOTS server should enforce
authorization mechanisms to restrict the mitigation scope a DOTS
client can request, but such authorization mechanisms are deployment
specific.
Although co-location of DOTS server and mitigator within the same
domain is expected to be a common deployment model, it is assumed
that operators may require alternative models. Nothing in this
document precludes such alternatives.
2.2. Components
2.2.1. DOTS Client
A DOTS client is a DOTS agent from which requests for help
coordinating an attack response originate. The requests may be in
response to an active, ongoing attack against a target in the DOTS
client domain, but no active attack is required for a DOTS client to
request help. Operators may wish to have upstream mitigators in the
network path for an indefinite period and are restricted only by
business relationships when it comes to duration and scope of
requested mitigation.
The DOTS client requests attack response coordination from a DOTS
server over the signal channel, including in the request the DOTS
client's desired mitigation scoping, as described in [RFC8612] (SIG-
008). The actual mitigation scope and countermeasures used in
response to the attack are up to the DOTS server and mitigator
operators, as the DOTS client may have a narrow perspective on the
ongoing attack. As such, the DOTS client's request for mitigation
should be considered advisory: guarantees of DOTS server availability
or mitigation capacity constitute Service Level Agreements (SLAs) and
are out of scope for this document.
The DOTS client adjusts mitigation scope and provides available
mitigation feedback (e.g., mitigation efficacy) at the direction of
its local administrator. Such direction may involve manual or
automated adjustments in response to updates from the DOTS server.
To provide a metric of signal health and distinguish an idle signal
channel from a disconnected or defunct session, the DOTS client sends
a heartbeat over the signal channel to maintain its half of the
channel. The DOTS client similarly expects a heartbeat from the DOTS
server and may consider a session terminated in the extended absence
of a DOTS server heartbeat.
2.2.2. DOTS Server
A DOTS server is a DOTS agent capable of receiving, processing, and
possibly acting on requests for help coordinating attack responses
from DOTS clients. The DOTS server authenticates and authorizes DOTS
clients as described in Section 3.1 and maintains session state,
tracks requests for mitigation, reports on the status of active
mitigations, and terminates sessions in the extended absence of a
client heartbeat or when a session times out.
Assuming the preconditions discussed below exist, a DOTS client
maintaining an active session with a DOTS server may reasonably
expect some level of mitigation in response to a request for
coordinated attack response.
For a given DOTS client (administrative) domain, the DOTS server
needs to be able to determine whether a given resource is in that
domain. For example, this could take the form of associating a set
of IP addresses and/or prefixes per DOTS client domain. The DOTS
server enforces authorization of signals for mitigation, filtering
rules, and aliases for resources from DOTS clients. The mechanism of
enforcement is not in scope for this document but is expected to
restrict mitigation requests, filtering rules, aliases for addresses
and prefixes, and/or services owned by the DOTS client domain, such
that a DOTS client from one domain is not able to influence the
network path to another domain. A DOTS server MUST reject mitigation
requests, filtering rules, and aliases for resources not owned by the
requesting DOTS client's administrative domain. The exact mechanism
for the DOTS servers to validate that the resources are within the
scope of the DOTS client domain is deployment specific. For example,
if the DOTS client domain uses Provider-Aggregatable prefixes for its
resources and leverages the DDoS mitigation service of the Internet
Transit Provider (ITP); the ITP knows the prefixes assigned to the
DOTS client domain because they are assigned by the ITP itself.
However, if the DDoS Mitigation is offered by a third-party DDoS
mitigation service provider; it does not know the resources owned by
the DOTS client domain. The DDoS mitigation service provider and the
DOTS client domain can opt to use the identifier validation
challenges discussed in [RFC8555] and [RFC8738] to identify whether
or not the DOTS client domain actually controls the resources. The
challenges for validating control of resources must be performed when
no attack traffic is present and works only for "dns" and "ip"
identifier types. Further, if the DOTS client lies about the
resources owned by the DOTS client domain, the DDoS mitigation
service provider can impose penalties for violating the SLA. A DOTS
server MAY also refuse a DOTS client's mitigation request for
arbitrary reasons, within any limits imposed by business or SLAs
between client and server domains. If a DOTS server refuses a DOTS
client's request for mitigation, the DOTS server MUST include the
refusal reason in the server signal sent to the client.
A DOTS server is in regular contact with one or more mitigators. If
a DOTS server accepts a DOTS client's request for help, the DOTS
server forwards a translated form of that request to the mitigator(s)
responsible for scrubbing attack traffic. Note that the form of the
translated request passed from the DOTS server to the mitigator is
not in scope; it may be as simple as an alert to mitigator operators,
or highly automated using vendor or open application programming
interfaces supported by the mitigator. The DOTS server MUST report
the actual scope of any mitigation enabled on behalf of a client.
The DOTS server SHOULD retrieve available metrics for any mitigations
activated on behalf of a DOTS client and SHOULD include them in
server signals sent to the DOTS client originating the request for
mitigation.
To provide a metric of signal health and distinguish an idle signal
channel from a disconnected or defunct channel, the DOTS server MUST
send a heartbeat over the signal channel to maintain its half of the
channel. The DOTS server similarly expects a heartbeat from the DOTS
client and MAY consider a session terminated in the extended absence
of a DOTS client heartbeat.
2.2.3. DOTS Gateway
Traditional client/server relationships may be expanded by chaining
DOTS sessions. This chaining is enabled through "logical
concatenation" of a DOTS server and a DOTS client, resulting in an
application analogous to the Session Initiation Protocol (SIP)
[RFC3261] logical entity of a Back-to-Back User Agent (B2BUA)
[RFC7092]. The term "DOTS gateway" is used here in the descriptions
of selected scenarios involving this application.
A DOTS gateway may be deployed client side, server side, or both.
The gateway may terminate multiple discrete client connections and
may aggregate these into a single or multiple DOTS session(s).
The DOTS gateway will appear as a server to its downstream agents and
as a client to its upstream agents, a functional concatenation of the
DOTS client and server roles, as depicted in Figure 3:
+-------------+
| | D | |
+----+ | | O | | +----+
| c1 |----------| s1 | T | c2 |---------| s2 |
+----+ | | S | | +----+
| | G | |
+-------------+
Figure 3: DOTS Gateway
The DOTS gateway MUST perform full stack DOTS session termination and
reorigination between its client and server side. The details of how
this is achieved are implementation specific.
2.3. DOTS Agent Relationships
So far, we have only considered a relatively simple scenario of a
single DOTS client associated with a single DOTS server; however,
DOTS supports more advanced relationships.
A DOTS server may be associated with one or more DOTS clients, and
those DOTS clients may belong to different domains. An example
scenario is a mitigation provider serving multiple attack targets
(Figure 4).
DOTS clients DOTS server
+---+
| c |-----------
+---+ \
c1.example.org \
\
+---+ \ +---+
| c |----------------| S |
+---+ / +---+
c1.example.com / dots1.example.net
/
+---+ /
| c |-----------
+---+
c2.example.com
Figure 4: DOTS Server with Multiple Clients
A DOTS client may be associated with one or more DOTS servers, and
those DOTS servers may belong to different domains. This may be to
ensure high availability or coordinate mitigation with more than one
directly connected ISP. An example scenario is for an enterprise to
have DDoS mitigation service from multiple providers, as shown in
Figure 5.
DOTS client DOTS servers
+---+
-----------| S |
/ +---+
/ dots1.example.net
/
+---+/ +---+
| c |---------------| S |
+---+\ +---+
\ dots.example.org
\
\ +---+
-----------| S |
+---+
c.example.com dots2.example.net
Figure 5: Multihomed DOTS Client
Deploying a multihomed client requires extra care and planning, as
the DOTS servers with which the multihomed client communicates might
not be affiliated. Should the multihomed client simultaneously
request for mitigation from all servers with which it has established
signal channels, the client may unintentionally inflict additional
network disruption on the resources it intends to protect. In one of
the worst cases, a multihomed DOTS client could cause a permanent
routing loop of traffic destined for the client's protected services,
as the uncoordinated DOTS servers' mitigators all try to divert that
traffic to their own scrubbing centers.
The DOTS protocol itself provides no fool-proof method to prevent
such self-inflicted harms as a result of deploying multihomed DOTS
clients. If DOTS client implementations nevertheless include support
for multihoming, they are expected to be aware of the risks, and
consequently to include measures aimed at reducing the likelihood of
negative outcomes. Simple measures might include:
* Requesting mitigation serially, ensuring only one mitigation
request for a given address space is active at any given time;
* Dividing the protected resources among the DOTS servers, such that
no two mitigators will be attempting to divert and scrub the same
traffic;
* Restricting multihoming to deployments in which all DOTS servers
are coordinating management of a shared pool of mitigation
resources.
2.3.1. Gatewayed Signaling
As discussed in Section 2.2.3, a DOTS gateway is a logical function
chaining DOTS sessions through concatenation of a DOTS server and
DOTS client.
An example scenario, as shown in Figure 6 and Figure 7, is for an
enterprise to have deployed multiple DOTS-capable devices that are
able to signal intra-domain using TCP [RFC0793] on uncongested links
to a DOTS gateway that may then transform these to a UDP [RFC0768]
transport inter-domain where connection-oriented transports may
degrade; this applies to the signal channel only, as the data channel
requires a connection-oriented transport. The relationship between
the gateway and its upstream agents is opaque to the initial clients.
+---+
| c |\
+---+ \ +---+
\-----TCP-----| D | +---+
+---+ | O | | |
| c |--------TCP-----| T |------UDP------| S |
+---+ | S | | |
/-----TCP-----| G | +---+
+---+ / +---+
| c |/
+---+
example.com example.com example.net
DOTS clients DOTS gateway (DOTSG) DOTS server
Figure 6: Client-Side Gateway with Aggregation
+---+
| c |\
+---+ \ +---+
\-----TCP-----| D |------UDP------+---+
+---+ | O | | |
| c |--------TCP-----| T |------UDP------| S |
+---+ | S | | |
/-----TCP-----| G |------UDP------+---+
+---+ / +---+
| c |/
+---+
example.com example.com example.net
DOTS clients DOTS gateway (DOTSG) DOTS server
Figure 7: Client-Side Gateway without Aggregation
This may similarly be deployed in the inverse scenario where the
gateway resides in the server-side domain and may be used to
terminate and/or aggregate multiple clients to a single transport as
shown in Figure 8 and Figure 9.
+---+
| c |\
+---+ \ +---+
\-----UDP-----| D | +---+
+---+ | O | | |
| c |--------TCP-----| T |------TCP------| S |
+---+ | S | | |
/-----TCP-----| G | +---+
+---+ / +---+
| c |/
+---+
example.com example.net example.net
DOTS clients DOTS gateway (DOTSG) DOTS server
Figure 8: Server-Side Gateway with Aggregation
+---+
| c |\
+---+ \ +---+
\-----UDP-----| D |------TCP------+---+
+---+ | O | | |
| c |--------TCP-----| T |------TCP------| S |
+---+ | S | | |
/-----UDP-----| G |------TCP------+---+
+---+ / +---+
| c |/
+---+
example.com example.net example.net
DOTS clients DOTS gateway (DOTSG) DOTS server
Figure 9: Server-Side Gateway without Aggregation
This document anticipates scenarios involving multiple DOTS gateways.
An example is a DOTS gateway at the network client's side and another
one at the server side. The first gateway can be located at Customer
Premises Equipment (CPE) to aggregate requests from multiple DOTS
clients enabled in an enterprise network. The second DOTS gateway is
deployed on the provider side. This scenario can be seen as a
combination of the client-side and server-side scenarios.
3. Concepts
3.1. DOTS Sessions
In order for DOTS to be effective as a vehicle for DDoS mitigation
requests, one or more DOTS clients must establish ongoing
communication with one or more DOTS servers. While the preconditions
for enabling DOTS in or among network domains may also involve
business relationships, SLAs, or other formal or informal
understandings between network operators, such considerations are out
of scope for this document.
A DOTS session is established to support bilateral exchange of data
between an associated DOTS client and a DOTS server. In the DOTS
architecture, data is exchanged between DOTS agents over signal and
data channels. As such, a DOTS session can be a DOTS signal channel
session, a DOTS data channel session, or both. The DOTS server
couples the DOTS signal and data channel sessions using the DOTS
client identity. The DOTS session is further elaborated in the DOTS
signal channel protocol defined in [RFC8782] and the DOTS data
channel protocol defined in [RFC8783].
A DOTS agent can maintain one or more DOTS sessions.
A DOTS signal channel session is associated with a single transport
connection (TCP or UDP session) and a security association (a TLS or
DTLS session). Similarly, a DOTS data channel session is associated
with a single TCP connection and a TLS security association.
Mitigation requests created using the DOTS signal channel are not
bound to the DOTS signal channel session. Instead, mitigation
requests are associated with a DOTS client and can be managed using
different DOTS signal channel sessions.
3.1.1. Preconditions
Prior to establishing a DOTS session between agents, the owners of
the networks, domains, services or applications involved are assumed
to have agreed upon the terms of the relationship involved. Such
agreements are out of scope for this document but must be in place
for a functional DOTS architecture.
It is assumed that, as part of any DOTS service agreement, the DOTS
client is provided with all data and metadata required to establish
communication with the DOTS server. Such data and metadata would
include any cryptographic information necessary to meet the message
confidentiality, integrity, and authenticity requirement (SEC-002) in
[RFC8612] and might also include the pool of DOTS server addresses
and ports the DOTS client should use for signal and data channel
messaging.
3.1.2. Establishing the DOTS Session
With the required business agreements in place, the DOTS client
initiates a DOTS session by contacting its DOTS server(s) over the
signal channel and (possibly) the data channel. To allow for DOTS
service flexibility, neither the order of contact nor the time
interval between channel creations is specified. A DOTS client MAY
establish the signal channel first, and then the data channel, or
vice versa.
The methods by which a DOTS client receives the address and
associated service details of the DOTS server are not prescribed by
this document. For example, a DOTS client may be directly configured
to use a specific DOTS server IP address and port, and be directly
provided with any data necessary to satisfy the Peer Mutual
Authentication requirement (SEC-001) in [RFC8612], such as symmetric
or asymmetric keys, usernames, passwords, etc. All configuration and
authentication information in this scenario is provided out of band
by the domain operating the DOTS server.
At the other extreme, the architecture in this document allows for a
form of DOTS client auto-provisioning. For example, the domain
operating the DOTS server or servers might provide the client domain
only with symmetric or asymmetric keys to authenticate the
provisioned DOTS clients. Only the keys would then be directly
configured on DOTS clients, but the remaining configuration required
to provision the DOTS clients could be learned through mechanisms
similar to DNS SRV [RFC2782] or DNS Service Discovery [RFC6763].
The DOTS client SHOULD successfully authenticate and exchange
messages with the DOTS server over both the signal and (if used) data
channel as soon as possible to confirm that both channels are
operational.
As described in [RFC8612] (DM-008), the DOTS client can configure
preferred values for acceptable signal loss, mitigation lifetime, and
heartbeat intervals when establishing the DOTS signal channel
session. A DOTS signal channel session is not active until DOTS
agents have agreed on the values for these DOTS session parameters, a
process defined by the protocol.
Once the DOTS client begins receiving DOTS server signals, the DOTS
session is active. At any time during the DOTS session, the DOTS
client may use the data channel to manage aliases, manage drop- and
accept-listed prefixes or addresses, leverage vendor-specific
extensions, and so on. Note that unlike the signal channel, there is
no requirement that the data channel remains operational in attack
conditions. (See "Data Channel Requirements" Section 2.3 of
[RFC8612]).
3.1.3. Maintaining the DOTS Session
DOTS clients and servers periodically send heartbeats to each other
over the signal channel, discussed in [RFC8612] (SIG-004). DOTS
agent operators SHOULD configure the heartbeat interval such that the
frequency does not lead to accidental denials of service due to the
overwhelming number of heartbeats a DOTS agent must field.
Either DOTS agent may consider a DOTS signal channel session
terminated in the extended absence of a heartbeat from its peer
agent. The period of that absence will be established in the
protocol definition.
3.2. Modes of Signaling
This section examines the modes of signaling between agents in a DOTS
architecture.
3.2.1. Direct Signaling
A DOTS session may take the form of direct signaling between the DOTS
clients and servers, as shown in Figure 10.
+-------------+ +-------------+
| DOTS client |<------signal session------>| DOTS server |
+-------------+ +-------------+
Figure 10: Direct Signaling
In a direct DOTS session, the DOTS client and server are
communicating directly. Direct signaling may exist inter- or intra-
domain. The DOTS session is abstracted from the underlying networks
or network elements the signals traverse; in direct signaling, the
DOTS client and server are logically adjacent.
3.2.2. Redirected Signaling
In certain circumstances, a DOTS server may want to redirect a DOTS
client to an alternative DOTS server for a DOTS signal channel
session. Such circumstances include but are not limited to:
* Maximum number of DOTS signal channel sessions with clients has
been reached;
* Mitigation capacity exhaustion in the mitigator with which the
specific DOTS server is communicating;
* Mitigator outage or other downtime such as scheduled maintenance;
* Scheduled DOTS server maintenance;
* Scheduled modifications to the network path between DOTS server
and DOTS client.
A basic redirected DOTS signal channel session resembles the
following, as shown in Figure 11.
+-------------+ +---------------+
| |<-(1)--- DOTS signal ------>| |
| | channel session 1 | |
| |<=(2)== redirect to B ======| |
| DOTS client | | DOTS server A |
| |X-(4)--- DOTS signal ------X| |
| | channel session 1 | |
| | | |
+-------------+ +---------------+
^
|
(3) DOTS signal channel
| session 2
v
+---------------+
| DOTS server B |
+---------------+
Figure 11: Redirected Signaling
1. Previously established DOTS signal channel session 1 exists
between a DOTS client and DOTS server A.
2. DOTS server A sends a server signal redirecting the client to
DOTS server B.
3. If the DOTS client does not already have a separate DOTS signal
channel session with the redirection target, the DOTS client
initiates and establishes DOTS signal channel session 2 with DOTS
server B.
4. Having redirected the DOTS client, DOTS server A ceases sending
server signals. The DOTS client likewise stops sending client
signals to DOTS server A. DOTS signal channel session 1 is
terminated.
3.2.3. Recursive Signaling
DOTS is centered around improving the speed and efficiency of a
coordinated response to DDoS attacks. One scenario not yet discussed
involves coordination among federated domains operating DOTS servers
and mitigators.
In the course of normal DOTS operations, a DOTS client communicates
the need for mitigation to a DOTS server, and that server initiates
mitigation on a mitigator with which the server has an established
service relationship. The operator of the mitigator may in turn
monitor mitigation performance and capacity, as the attack being
mitigated may grow in severity beyond the mitigating domain's
capabilities.
The operator of the mitigator has limited options in the event a DOTS
client-requested mitigation is being overwhelmed by the severity of
the attack. Out-of-scope business or SLAs may permit the mitigating
domain to drop the mitigation and let attack traffic flow unchecked
to the target, but this only encourages attack escalation. In the
case where the mitigating domain is the upstream service provider for
the attack target, this may mean the mitigating domain and its other
services and users continue to suffer the incidental effects of the
attack.
A recursive signaling model as shown in Figure 12 offers an
alternative. In a variation of the use case "Upstream DDoS
Mitigation by an Upstream Internet Transit Provider" described in
[DOTS-USE-CASES], a domain operating a DOTS server and mitigator also
operates a DOTS client. This DOTS client has an established DOTS
session with a DOTS server belonging to a separate administrative
domain.
With these preconditions in place, the operator of the mitigator
being overwhelmed or otherwise performing inadequately may request
mitigation for the attack target from this separate DOTS-aware
domain. Such a request recurses the originating mitigation request
to the secondary DOTS server in the hope of building a cumulative
mitigation against the attack.
example.net domain
. . . . . . . . . . . . . . . . .
. Gn .
+----+ 1 . +----+ +-----------+ .
| Cc |<--------->| Sn |~~~~~~~| Mitigator | .
+----+ . +====+ | Mn | .
. | Cn | +-----------+ .
example.com . +----+ .
client . ^ .
. . .|. . . . . . . . . . . . . .
|
2 |
|
. . .|. . . . . . . . . . . . . .
. v .
. +----+ +-----------+ .
. | So |~~~~~~~| Mitigator | .
. +----+ | Mo | .
. +-----------+ .
. .
. . . . . . . . . . . . . . . . .
example.org domain
Figure 12: Recursive Signaling
In Figure 12, client Cc signals a request for mitigation across
inter-domain DOTS session 1 to the DOTS server Sn belonging to the
example.net domain. DOTS server Sn enables mitigation on mitigator
Mn. DOTS server Sn is half of DOTS gateway Gn, being deployed
logically back to back with DOTS client Cn, which has preexisting
inter-domain DOTS session 2 with the DOTS server So belonging to the
example.org domain. At any point, DOTS server Sn MAY recurse an
ongoing mitigation request through DOTS client Cn to DOTS server So,
in the expectation that mitigator Mo will be activated to aid in the
defense of the attack target.
Recursive signaling is opaque to the DOTS client. To maximize
mitigation visibility to the DOTS client, however, the recursing
domain SHOULD provide recursed mitigation feedback in signals
reporting on mitigation status to the DOTS client. For example, the
recursing domain's DOTS server should incorporate available metrics
such as dropped packet or byte counts from the recursed domain's DOTS
server into mitigation status messages.
DOTS clients involved in recursive signaling must be able to withdraw
requests for mitigation without warning or justification per SIG-006
in [RFC8612].
Operators recursing mitigation requests MAY maintain the recursed
mitigation for a brief protocol-defined period in the event the DOTS
client originating the mitigation withdraws its request for help, as
per the discussion of managing mitigation toggling in SIG-006 of
[RFC8612].
Deployment of recursive signaling may result in traffic redirection,
examination, and mitigation extending beyond the initial bilateral
relationship between DOTS client and DOTS server. As such, client
control over the network path of mitigated traffic may be reduced.
DOTS client operators should be aware of any privacy concerns and
work with DOTS server operators employing recursive signaling to
ensure shared sensitive material is suitably protected. Typically,
there is a contractual SLA negotiated among the DOTS client domain,
the recursed domain, and the recursing domain to meet the privacy
requirements of the DOTS client domain and authorization for the
recursing domain to request mitigation for the resources controlled
by the DOTS client domain.
3.2.4. Anycast Signaling
The DOTS architecture does not assume the availability of anycast
within a DOTS deployment, but neither does the architecture exclude
it. Domains operating DOTS servers MAY deploy DOTS servers with an
anycast Service Address as described in BCP 126 [RFC4786]. In such a
deployment, DOTS clients connecting to the DOTS Service Address may
be communicating with distinct DOTS servers, depending on the network
configuration at the time the DOTS clients connect. Among other
benefits, anycast signaling potentially offers the following:
* Simplified DOTS client configuration, including service discovery
through the methods described in [RFC7094]. In this scenario, the
"instance discovery" message would be a DOTS client initiating a
DOTS session to the DOTS server anycast Service Address, to which
the DOTS server would reply with a redirection to the DOTS server
unicast address the client should use for DOTS.
* Region- or customer-specific deployments, in which the DOTS
Service Addresses route to distinct DOTS servers depending on the
client region or the customer network in which a DOTS client
resides.
* Operational resiliency, spreading DOTS signaling traffic across
the DOTS server domain's networks, and thereby also reducing the
potential attack surface, as described in BCP 126 [RFC4786].
3.2.4.1. Anycast Signaling Considerations
As long as network configuration remains stable, anycast DOTS
signaling is to the individual DOTS client indistinct from direct
signaling. However, the operational challenges inherent in anycast
signaling are anything but negligible, and DOTS server operators must
carefully weigh the risks against the benefits before deploying.
While the DOTS signal channel primarily operates over UDP per SIG-001
in [RFC8612], the signal channel also requires mutual authentication
between DOTS agents, with associated security state on both ends.
Network instability is of particular concern with anycast signaling,
as DOTS signal channels are expected to be long lived and potentially
operating under congested network conditions caused by a volumetric
DDoS attack.
For example, a network configuration altering the route to the DOTS
server during active anycast signaling may cause the DOTS client to
send messages to a DOTS server other than the one with which it
initially established a signaling session. That second DOTS server
might not have the security state of the existing session, forcing
the DOTS client to initialize a new DOTS session. This challenge
might in part be mitigated by use of resumption via a pre-shared key
(PSK) in TLS 1.3 [RFC8446] and DTLS 1.3 [DTLS-PROTOCOL] (session
resumption in TLS 1.2 [RFC5246] and DTLS 1.2 [RFC6347]), but keying
material must then be available to all DOTS servers sharing the
anycast Service Address, which has operational challenges of its own.
While the DOTS client will try to establish a new DOTS session with
the DOTS server now acting as the anycast DOTS Service Address, the
link between DOTS client and server may be congested with attack
traffic, making signal session establishment difficult. In such a
scenario, anycast Service Address instability becomes a sort of
signal session flapping, with obvious negative consequences for the
DOTS deployment.
Anycast signaling deployments similarly must also take into account
active mitigations. Active mitigations initiated through a DOTS
session may involve diverting traffic to a scrubbing center. If the
DOTS session flaps due to anycast changes as described above,
mitigation may also flap as the DOTS servers sharing the anycast DOTS
service address toggles mitigation on detecting DOTS session loss,
depending on whether or not the client has configured mitigation on
loss of signal (Section 3.3.3).
3.2.5. Signaling Considerations for Network Address Translation
Network address translators (NATs) are expected to be a common
feature of DOTS deployments. The middlebox traversal guidelines in
[RFC8085] include general NAT considerations that are applicable to
DOTS deployments when the signal channel is established over UDP.
Additional DOTS-specific considerations arise when NATs are part of
the DOTS architecture. For example, DDoS attack detection behind a
NAT will detect attacks against internal addresses. A DOTS client
subsequently asked to request mitigation for the attacked scope of
addresses cannot reasonably perform the task, due to the lack of
externally routable addresses in the mitigation scope.
The following considerations do not cover all possible scenarios but
are meant rather to highlight anticipated common issues when
signaling through NATs.
3.2.5.1. Direct Provisioning of Internal-to-External Address Mappings
Operators may circumvent the problem of translating internal
addresses or prefixes to externally routable mitigation scopes by
directly provisioning the mappings of external addresses to internal
protected resources on the DOTS client. When the operator requests
mitigation scoped for internal addresses, directly or through
automated means, the DOTS client looks up the matching external
addresses or prefixes and issues a mitigation request scoped to that
externally routable information.
When directly provisioning the address mappings, operators must
ensure the mappings remain up to date or they risk losing the ability
to request accurate mitigation scopes. To that aim, the DOTS client
can rely on mechanisms such as [RFC8512] or [RFC7658] to retrieve
static explicit mappings. This document does not prescribe the
method by which mappings are maintained once they are provisioned on
the DOTS client.
3.2.5.2. Resolving Public Mitigation Scope with Port Control Protocol
(PCP)
Port Control Protocol (PCP) [RFC6887] may be used to retrieve the
external addresses/prefixes and/or port numbers if the NAT function
embeds a PCP server.
A DOTS client can use the information retrieved by means of PCP to
feed the DOTS protocol(s) messages that will be sent to a DOTS
server. These messages will convey the external addresses/prefixes
as set by the NAT.
PCP also enables discovery and configuration of the lifetime of port
mappings instantiated in intermediate NAT devices. Discovery of port
mapping lifetimes can reduce the dependency on heartbeat messages to
maintain mappings and, therefore, reduce the load on DOTS servers and
the network.
3.2.5.3. Resolving Public Mitigation Scope with Session Traversal
Utilities (STUN)
An internal resource, e.g., a web server, can discover its reflexive
transport address through a STUN Binding request/response
transaction, as described in [RFC8489]. After learning its reflexive
transport address from the STUN server, the internal resource can
export its reflexive transport address and internal transport address
to the DOTS client, thereby enabling the DOTS client to request
mitigation with the correct external scope, as depicted in Figure 13.
The mechanism for providing the DOTS client with the reflexive
transport address and internal transport address is unspecified in
this document.
In order to prevent an attacker from modifying the STUN messages in
transit, the STUN client and server must use the message-integrity
mechanism discussed in Section 9 of [RFC8489] or use STUN over DTLS
[RFC7350] or STUN over TLS. If the STUN client is behind a NAT that
performs Endpoint-Dependent Mapping [RFC5128], the internal service
cannot provide the DOTS client with the reflexive transport address
discovered using STUN. The behavior of a NAT between the STUN client
and the STUN server could be discovered using the experimental
techniques discussed in [RFC5780], but note that there is currently
no standardized way for a STUN client to reliably determine if it is
behind a NAT that performs Endpoint-Dependent Mapping.
Binding Binding
+--------+ request +---+ request +--------+
| STUN |<----------| N |<----------| STUN |
| server | | A | | client |
| |---------->| T |---------->| |
+--------+ Binding +---+ Binding +--------+
response response |
| reflexive transport address
| & internal transport address
v
+--------+
| DOTS |
| client |
+--------+
Figure 13: Resolving Mitigation Scope with STUN
3.2.5.4. Resolving Requested Mitigation Scope with DNS
DOTS supports mitigation scoped to DNS names. As discussed in
[RFC3235], using DNS names instead of IP addresses potentially avoids
the address translation problem, as long as the same domain name is
internally and externally resolvable. For example, a detected
attack's internal target address can be mapped to a DNS name through
a reverse lookup. The DNS name returned by the reverse lookup can
then be provided to the DOTS client as the external scope for
mitigation. For the reverse DNS lookup, DNS Security Extensions
(DNSSEC) [RFC4033] must be used where the authenticity of response is
critical.
3.3. Triggering Requests for Mitigation
[RFC8612] places no limitation on the circumstances in which a DOTS
client operator may request mitigation, nor does it demand
justification for any mitigation request, thereby reserving
operational control over DDoS defense for the domain requesting
mitigation. This architecture likewise does not prescribe the
network conditions and mechanisms triggering a mitigation request
from a DOTS client.
However, considering selected possible mitigation triggers from an
architectural perspective offers a model for alternative or
unanticipated triggers for DOTS deployments. In all cases, what
network conditions merit a mitigation request are at the discretion
of the DOTS client operator.
The mitigation request itself is defined by DOTS; however, the
interfaces required to trigger the mitigation request in the
following scenarios are implementation specific.
3.3.1. Manual Mitigation Request
A DOTS client operator may manually prepare a request for mitigation,
including scope and duration, and manually instruct the DOTS client
to send the mitigation request to the DOTS server. In context, a
manual request is a request directly issued by the operator without
automated decision making performed by a device interacting with the
DOTS client. Modes of manual mitigation requests include an operator
entering a command into a text interface, or directly interacting
with a graphical interface to send the request.
An operator might do this, for example, in response to notice of an
attack delivered by attack detection equipment or software, and the
alerting detector lacks interfaces or is not configured to use
available interfaces to translate the alert to a mitigation request
automatically.
In a variation of the above scenario, the operator may have
preconfigured on the DOTS client mitigation requests for various
resources in the operator's domain. When notified of an attack, the
DOTS client operator manually instructs the DOTS client to send the
relevant preconfigured mitigation request for the resources under
attack.
A further variant involves recursive signaling, as described in
Section 3.2.3. The DOTS client in this case is the second half of a
DOTS gateway (back-to-back DOTS server and client). As in the
previous scenario, the scope and duration of the mitigation request
are preexisting but, in this case, are derived from the mitigation
request received from a downstream DOTS client by the DOTS server.
Assuming the preconditions required by Section 3.2.3 are in place,
the DOTS gateway operator may at any time manually request mitigation
from an upstream DOTS server, sending a mitigation request derived
from the downstream DOTS client's request.
The motivations for a DOTS client operator to request mitigation
manually are not prescribed by this architecture but are expected to
include some of the following:
* Notice of an attack delivered via email or alternative messaging
* Notice of an attack delivered via phone call
* Notice of an attack delivered through the interface(s) of
networking monitoring software deployed in the operator's domain
* Manual monitoring of network behavior through network monitoring
software
3.3.2. Automated Conditional Mitigation Request
Unlike manual mitigation requests, which depend entirely on the DOTS
client operator's capacity to react with speed and accuracy to every
detected or detectable attack, mitigation requests triggered by
detected attack conditions reduce the operational burden on the DOTS
client operator and minimize the latency between attack detection and
the start of mitigation.
Mitigation requests are triggered in this scenario by operator-
specified network conditions. Attack detection is deployment
specific and not constrained by this architecture. Similarly, the
specifics of a condition are left to the discretion of the operator,
though common conditions meriting mitigation include the following:
* Detected attack exceeding a rate in packets per second (pps).
* Detected attack exceeding a rate in bytes per second (bps).
* Detected resource exhaustion in an attack target.
* Detected resource exhaustion in the local domain's mitigator.
* Number of open connections to an attack target.
* Number of attack sources in a given attack.
* Number of active attacks against targets in the operator's domain.
* Conditional detection developed through arbitrary statistical
analysis or deep learning techniques.
* Any combination of the above.
When automated conditional mitigation requests are enabled,
violations of any of the above conditions, or any additional
operator-defined conditions, will trigger a mitigation request from
the DOTS client to the DOTS server. The interfaces between the
application detecting the condition violation and the DOTS client are
implementation specific.
3.3.3. Automated Mitigation on Loss of Signal
To maintain a DOTS signal channel session, the DOTS client and the
DOTS server exchange regular but infrequent messages across the
signal channel. In the absence of an attack, the probability of
message loss in the signaling channel should be extremely low. Under
attack conditions, however, some signal loss may be anticipated as
attack traffic congests the link, depending on the attack type.
While [RFC8612] specifies the DOTS protocol be robust when signaling
under attack conditions, there are nevertheless scenarios in which
the DOTS signal is lost in spite of protocol best efforts. To handle
such scenarios, a DOTS operator may request one or more mitigations,
which are triggered only when the DOTS server ceases receiving DOTS
client heartbeats beyond the miss count or interval permitted by the
protocol.
The impact of mitigating due to loss of signal in either direction
must be considered carefully before enabling it. Attack traffic
congesting links is not the only reason why signal could be lost, and
as such, mitigation requests triggered by signal channel degradation
in either direction may incur unnecessary costs due to scrubbing
traffic, adversely impact network performance and operational expense
alike.
4. IANA Considerations
This document has no IANA actions.
5. Security Considerations
This section describes identified security considerations for the
DOTS architecture.
Security considerations and security requirements discussed in
[RFC8612] need to be taken into account.
DOTS is at risk from three primary attack vectors: agent
impersonation, traffic injection, and signal blocking. These vectors
may be exploited individually or in concert by an attacker to
confuse, disable, take information from, or otherwise inhibit DOTS
agents.
Any attacker with the ability to impersonate a legitimate DOTS client
or server or, indeed, inject false messages into the stream may
potentially trigger/withdraw traffic redirection, trigger/cancel
mitigation activities or subvert drop-/accept-lists. From an
architectural standpoint, operators MUST ensure conformance to the
security requirements defined in Section 2.4 of [RFC8612] to secure
data in transit. Similarly, as the received data may contain network
topology, telemetry, and threat and mitigation information that could
be considered sensitive in certain environments, it SHOULD be
protected at rest per required local policy.
DOTS agents MUST perform mutual authentication to ensure authenticity
of each other, and DOTS servers MUST verify that the requesting DOTS
client is authorized to request mitigation for specific target
resources (see Section 2.2.2).
A man-in-the-middle (MITM) attacker can intercept and drop packets,
preventing the DOTS peers from receiving some or all of the DOTS
messages; automated mitigation on loss of signal can be used as a
countermeasure but with risks discussed in Section 3.3.3.
An attacker with control of a DOTS client may negatively influence
network traffic by requesting and withdrawing requests for mitigation
for particular prefixes, leading to route or DNS flapping. DOTS
operators should carefully monitor and audit DOTS clients to detect
misbehavior and deter misuse.
Any attack targeting the availability of DOTS servers may disrupt the
ability of the system to receive and process DOTS signals resulting
in failure to fulfill a mitigation request. DOTS servers MUST be
given adequate protections in accordance with best current practices
for network and host security.
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005,
<https://www.rfc-editor.org/info/rfc4033>.
[RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast
Services", BCP 126, RFC 4786, DOI 10.17487/RFC4786,
December 2006, <https://www.rfc-editor.org/info/rfc4786>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013,
<https://www.rfc-editor.org/info/rfc6887>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8612] Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open
Threat Signaling (DOTS) Requirements", RFC 8612,
DOI 10.17487/RFC8612, May 2019,
<https://www.rfc-editor.org/info/rfc8612>.
6.2. Informative References
[DOTS-USE-CASES]
Dobbins, R., Migault, D., Moskowitz, R., Teague, N., Xia,
L., and K. Nishizuka, "Use cases for DDoS Open Threat
Signaling", Work in Progress, Internet-Draft, draft-ietf-
dots-use-cases-25, 5 July 2020,
<https://tools.ietf.org/html/draft-ietf-dots-use-cases-
25>.
[DTLS-PROTOCOL]
Rescorla, E., Tschofenig, H., and N. Modadugu, "The
Datagram Transport Layer Security (DTLS) Protocol Version
1.3", Work in Progress, Internet-Draft, draft-ietf-tls-
dtls13-38, 29 May 2020,
<https://tools.ietf.org/html/draft-ietf-tls-dtls13-38>.
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
DOI 10.17487/RFC0768, August 1980,
<https://www.rfc-editor.org/info/rfc768>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2782, February 2000,
<https://www.rfc-editor.org/info/rfc2782>.
[RFC3235] Senie, D., "Network Address Translator (NAT)-Friendly
Application Design Guidelines", RFC 3235,
DOI 10.17487/RFC3235, January 2002,
<https://www.rfc-editor.org/info/rfc3235>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006,
<https://www.rfc-editor.org/info/rfc4271>.
[RFC4732] Handley, M., Ed., Rescorla, E., Ed., and IAB, "Internet
Denial-of-Service Considerations", RFC 4732,
DOI 10.17487/RFC4732, December 2006,
<https://www.rfc-editor.org/info/rfc4732>.
[RFC5128] Srisuresh, P., Ford, B., and D. Kegel, "State of Peer-to-
Peer (P2P) Communication across Network Address
Translators (NATs)", RFC 5128, DOI 10.17487/RFC5128, March
2008, <https://www.rfc-editor.org/info/rfc5128>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.
[RFC5780] MacDonald, D. and B. Lowekamp, "NAT Behavior Discovery
Using Session Traversal Utilities for NAT (STUN)",
RFC 5780, DOI 10.17487/RFC5780, May 2010,
<https://www.rfc-editor.org/info/rfc5780>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>.
[RFC7092] Kaplan, H. and V. Pascual, "A Taxonomy of Session
Initiation Protocol (SIP) Back-to-Back User Agents",
RFC 7092, DOI 10.17487/RFC7092, December 2013,
<https://www.rfc-editor.org/info/rfc7092>.
[RFC7094] McPherson, D., Oran, D., Thaler, D., and E. Osterweil,
"Architectural Considerations of IP Anycast", RFC 7094,
DOI 10.17487/RFC7094, January 2014,
<https://www.rfc-editor.org/info/rfc7094>.
[RFC7350] Petit-Huguenin, M. and G. Salgueiro, "Datagram Transport
Layer Security (DTLS) as Transport for Session Traversal
Utilities for NAT (STUN)", RFC 7350, DOI 10.17487/RFC7350,
August 2014, <https://www.rfc-editor.org/info/rfc7350>.
[RFC7658] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
"Deprecation of MIB Module NAT-MIB: Managed Objects for
Network Address Translators (NATs)", RFC 7658,
DOI 10.17487/RFC7658, October 2015,
<https://www.rfc-editor.org/info/rfc7658>.
[RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage
Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085,
March 2017, <https://www.rfc-editor.org/info/rfc8085>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC8489] Petit-Huguenin, M., Salgueiro, G., Rosenberg, J., Wing,
D., Mahy, R., and P. Matthews, "Session Traversal
Utilities for NAT (STUN)", RFC 8489, DOI 10.17487/RFC8489,
February 2020, <https://www.rfc-editor.org/info/rfc8489>.
[RFC8512] Boucadair, M., Ed., Sivakumar, S., Jacquenet, C.,
Vinapamula, S., and Q. Wu, "A YANG Module for Network
Address Translation (NAT) and Network Prefix Translation
(NPT)", RFC 8512, DOI 10.17487/RFC8512, January 2019,
<https://www.rfc-editor.org/info/rfc8512>.
[RFC8555] Barnes, R., Hoffman-Andrews, J., McCarney, D., and J.
Kasten, "Automatic Certificate Management Environment
(ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019,
<https://www.rfc-editor.org/info/rfc8555>.
[RFC8738] Shoemaker, R.B., "Automated Certificate Management
Environment (ACME) IP Identifier Validation Extension",
RFC 8738, DOI 10.17487/RFC8738, February 2020,
<https://www.rfc-editor.org/info/rfc8738>.
[RFC8782] Reddy.K, T., Ed., Boucadair, M., Ed., Patil, P.,
Mortensen, A., and N. Teague, "Distributed Denial-of-
Service Open Threat Signaling (DOTS) Signal Channel
Specification", RFC 8782, DOI 10.17487/RFC8782, May 2020,
<https://www.rfc-editor.org/info/rfc8782>.
[RFC8783] Boucadair, M., Ed. and T. Reddy.K, Ed., "Distributed
Denial-of-Service Open Threat Signaling (DOTS) Data
Channel Specification", RFC 8783, DOI 10.17487/RFC8783,
May 2020, <https://www.rfc-editor.org/info/rfc8783>.
Acknowledgments
Thanks to Matt Richardson, Roman Danyliw, Frank Xialiang, Roland
Dobbins, Wei Pan, Kaname Nishizuka, Jon Shallow, Paul Kyzivat, Warren
Kumari, Benjamin Kaduk, and Mohamed Boucadair for their comments and
suggestions.
Special thanks to Roman Danyliw for the AD review.
Contributors
Mohamed Boucadair
Orange
mohamed.boucadair@orange.com
Cristopher Gray
Christopher_Gray3@cable.comcast.com
Authors' Addresses
Andrew Mortensen (editor)
Forcepoint
United States of America
Email: andrewmortensen@gmail.com
Tirumaleswar Reddy.K (editor)
McAfee, Inc.
Embassy Golf Link Business Park
Bangalore 560071
Karnataka
India
Email: kondtir@gmail.com
Flemming Andreasen
Cisco
United States of America
Email: fandreas@cisco.com
Nik Teague
Iron Mountain
United States of America
Email: nteague@ironmountain.co.uk
Rich Compton
Charter
Email: Rich.Compton@charter.com
|