Internet-Draft | SADA | September 2022
Cui, et al. | Expires 17 March 2023
This document proposes the SAVA-based Anti-DDoS Architecture (SADA), which can efficiently detect, mitigate, and trace back Distributed Denial-of-Service (DDoS) attacks that spoof source addresses. The SADA consists of a distributed DDoS detection mechanism based on honeynets, a multi-stage DDoS mitigation mechanism, and a suspect-based DDoS traceback mechanism. By adopting the Source Address Validation Architecture (SAVA) of SAVNET and introducing a data plane and a control plane, the SADA makes minor changes to the SAVA while providing major benefits.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 17 March 2023.
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
DDoS attacks using spoofed addresses are notorious on the Internet. The attackers command a large number of zombie hosts to forge the target's address and send bogus requests, after which the servers respond with magnified datagrams to the target, resulting in an amplification DDoS attack. Some other DDoS attacks (e.g., TCP SYN flooding attacks [RFC4987]) also forge source IP addresses in order to drain the target's resources. These DDoS attacks are simple to carry out but can inflict significant damage. Their attack traffic is widely dispersed and similar to normal traffic, which makes them challenging to detect and mitigate. Furthermore, the spoofed addresses serve as a mask for the attackers, making it difficult to trace back to the attackers.
Some Source Address Validation (SAV) techniques have been proposed to defend against DDoS attacks. The current practice for achieving ingress filtering is uRPF [RFC3704], which includes strict uRPF and loose uRPF. Unfortunately, strict uRPF often improperly blocks legitimate traffic under asymmetric routing, and loose uRPF generally permits all received packets. EFP-uRPF [RFC8704] makes uRPF more flexible with respect to directionality, but its mechanisms MAY still lead to improper-permit or improper-block problems in specific scenarios. The SAVNET Working Group [SAVNET_WG] provides SAV techniques for intra-domain and inter-domain networks to resolve the problems raised above. It has been deployed in experimental practice [RFC5210] and is a promising way to solve the SAV problem.
However, these SAV techniques are still a long way from being able to defend against DDoS attacks. First, they only discard spoofed packets at local devices and lack the coordination needed to detect DDoS attacks with a global view. Second, these SAV techniques will only be able to eliminate DDoS attacks using spoofed addresses once they are widely deployed, which will take a long time. Third, limited incentives exist to encourage Internet Service Providers (ISPs) to widely deploy SAV devices.
In the above context, this document offers a SAVA-based Anti-DDoS Architecture (SADA) that incorporates the following advances.
The SADA can provide considerable advantages against DDoS attacks by fully adopting SAVA features with only minor changes. Even with a small number of SAV routers deployed, the SADA can deliver accurate DDoS detection across a larger area. As long as the attack traffic flows through a SAV domain, the SADA is able to mitigate it. With the aggregated communication logs of suspicious hosts, the SADA can also assist in tracing back the attacker. In addition, the SADA will provide a spoofing address database and a DDoS attack database, both of which will be available to SAV domains and other domains. The above incentives MAY induce ISPs to widely deploy SAV devices, which will, in turn, stimulate a more valuable SADA system.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
+---------------------------------------------------------------+
|                Control Plane (SAV controller)                 |
+---------------------------------------------------------------+
|  +-------------+       +-------------+       +-------------+  |
|  |  Detection  |       | Mitigation  |       |  Traceback  |  |
|  +-------------+       +-------------+       +-------------+  |
|  +--------------------+     +------------------+              |
|  | Spoofing Addresses |     |   DDoS Attack    |              |
|  | Database           |     |   Database       |     ...      |
|  +--------------------+     +------------------+              |
+---------------^-------------------------------+---------------+
                |                               |
     Northbound |                               | Southbound
     Interface  |                               | Interface
                |                               |
+---------------+-------------------------------v---------------+
|                  Data Plane (SAV routers)                     |
+---------------------------------------------------------------+
|  +-------------+    +-------------+    +-------------+        |
|  | Monitoring  |    | Measurement |    |  Filtering  |  ...   |
|  +-------------+    +-------------+    +-------------+        |
+---------------------------------------------------------------+
    Figure 1: The SAVA-based Anti-DDoS Architecture
The proposed SADA is shown in Figure 1. The SADA consists of a data plane and a control plane. The primary functions of the data plane are monitoring, measurement, and filtering; the primary functions of the control plane are detecting attacks, formulating defense strategies, and tracing back attacks. The northbound interface is used to send statistics data to the control plane, and the southbound interface is used to receive defense strategies from the control plane. The two planes communicate with each other and work together to defend against DDoS attacks.
The data plane reflects the widely distributed SAV routers that serve as the architecture's foundation. When SAV routers detect packets using spoofed addresses, they do not simply block them but record their statistics and behaviors, so that the routers act as a honeynet. The SAV routers need to periodically transmit the statistics data to the SAV controller.
Based on the statistics data aggregated from the data plane, the control plane determines whether there is an ongoing DDoS attack. The judgment MAY refer to the traffic volume, the number of distinct addresses, the protocol, and the port numbers. A convincing judgment result includes factors such as the ongoing traffic volume, the impacted scope, the duration, and so on.
The control plane represents the SAV controller, which is the core of the architecture. With the detailed judgment results, the control plane then formulates mitigation strategies for multiple stages. From a spatial perspective, the attack traffic can be divided into three stages: near-source, middle, and near-target. Mitigation MAY include various filtering mechanisms on SAV routers at different stages.
After the SAV controller validates the mitigation strategies, mitigation instructions are issued to the SAV routers. The near-source SAV routers MAY directly filter the spoofed packets using the specific forged source address. The middle SAV routers MAY route the spoofed packets of specific target addresses and protocols into unreachable destinations. The near-target SAV routers MAY adopt other filtering techniques to block the malicious packets based on the specific target address, protocol, and packet size. Such a multi-stage mechanism can mitigate the DDoS attack as much as possible.
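As an added illustration that is not part of the draft, the following Python sketches the control-plane logic just described: aggregating the routers' northbound statistics, judging an attack from volume and distinct forged addresses, and producing stage-specific southbound instructions. The report fields, the thresholds, the instruction names and the sample data are assumptions of this example; the draft fixes none of them.

```python
from collections import defaultdict
PKT_THRESHOLD = 5000         # assumed: spoofed packets toward one (target, proto, dport)
DISTINCT_SRC_THRESHOLD = 50  # assumed: distinct forged sources; the draft sets no values

def constructed_reports():
    """Constructed reports: a SYN flood (120 forged sources) seen at one router per stage."""
    path = [("SR1", "near-source"), ("SR3", "middle"), ("SR4", "near-target")]
    reports = [dict(router=r, stage=s, src=f"203.0.113.{i + 1}", dst="198.51.100.9",
                    proto="tcp", dport=443, pkts=60, size=60)
               for i in range(120) for r, s in path]
    reports.append(dict(router="SR2", stage="near-source", src="192.0.2.5",  # stray packet
                        dst="198.51.100.20", proto="udp", dport=53, pkts=3, size=80))
    return reports

def aggregate(reports):
    """Controller-side aggregation of router reports, keyed by (target, proto, dport)."""
    agg = {}
    for r in reports:
        a = agg.setdefault((r["dst"], r["proto"], r["dport"]),
                           {"pkts": defaultdict(int), "srcs": defaultdict(set), "stage": {}, "size": 0})
        a["pkts"][r["router"]] += r["pkts"]     # per-router packet count
        a["srcs"][r["router"]].add(r["src"])    # forged sources this router saw
        a["stage"][r["router"]] = r["stage"]
        a["size"] = max(a["size"], r["size"])
    return agg

def judge(agg):
    """Judge from volume, distinct addresses, protocol and port. Each SAV router on the
    path reports the same packet, so volume is the largest single-router count, not the sum."""
    verdicts = []
    for (dst, proto, dport), a in agg.items():
        volume = max(a["pkts"].values())
        distinct = len(set().union(*a["srcs"].values()))
        if volume >= PKT_THRESHOLD and distinct >= DISTINCT_SRC_THRESHOLD:
            verdicts.append({"target": dst, "proto": proto, "dport": dport, "volume": volume,
                             "distinct_srcs": distinct, "scope": sorted(a["pkts"]), "agg": a})
    return verdicts

def plan_mitigation(verdict):
    """Stage-specific instructions for the southbound interface (format assumed)."""
    a, t, p = verdict["agg"], verdict["target"], verdict["proto"]
    plan = []
    for router, stage in sorted(a["stage"].items()):
        if stage == "near-source":   # drop the forged sources this router itself saw
            plan.append((router, "drop-src", tuple(sorted(a["srcs"][router]))))
        elif stage == "middle":      # route target/protocol to an unreachable destination
            plan.append((router, "blackhole", (t, p)))
        else:                        # near-target: target, protocol and packet size
            plan.append((router, "filter", (t, p, a["size"])))
    return plan
```

Note that the stray low-volume flow is aggregated but never flagged, and that each near-source router only receives the forged sources it reported itself.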
The data plane MUST record the communication logs of suspicious hosts that have forged source addresses in the past. The communication logs include the spoofed packets' IP addresses, port numbers, packet counts, intervals, frequencies, and so on. These logs are periodically transmitted to the SAV controller for further analysis.
When DDoS attacks occur, zombie hosts with spoofed addresses are potentially communicating with the attackers. By analyzing the communication logs of these suspicious zombie hosts, the SAV controller is able to trace back the attacker.
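As an added example that is not part of the draft, the following Python runs the suspect-based traceback idea over constructed communication-log lines: peers contacted by many distinct suspicious hosts, at regular intervals, are the leads worth investigating. The log line format, the field names and the sample addresses are assumptions of this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed communication-log lines kept by the data plane for hosts previously
# seen forging source addresses. The line format "<epoch> <suspect> <peer>:<port> <pkts>"
# is an assumption of this example; the draft does not fix a log format.
SUSPECT_LOG = """\
1000 203.0.113.11 192.0.2.77:6667 4
1060 203.0.113.11 192.0.2.77:6667 4
1120 203.0.113.11 192.0.2.77:6667 4
1000 203.0.113.12 192.0.2.77:6667 3
1059 203.0.113.12 192.0.2.77:6667 3
1121 203.0.113.12 192.0.2.77:6667 3
1005 203.0.113.13 192.0.2.77:6667 5
1065 203.0.113.13 192.0.2.77:6667 5
1010 203.0.113.11 198.51.100.53:53 1
1300 203.0.113.12 198.51.100.53:53 1
1400 203.0.113.13 203.0.113.200:443 12
"""

def parse_log(text):
    """Group timestamps by (suspect host, peer); malformed lines are skipped."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        contacts[(fields[1], fields[2])].append(int(fields[0]))
    return contacts

def rank_common_peers(contacts, min_hosts=2):
    """Rank peers by how many distinct suspects contacted them, then by how regular the
    contact intervals are (a common, regularly contacted peer is the traceback lead).
    Returns [(peer, n_hosts, mean_interval, interval_jitter)]; intervals are None when
    every suspect contacted the peer only once."""
    gaps_by_peer = defaultdict(dict)
    for (host, peer), ts in contacts.items():
        ts = sorted(ts)
        gaps_by_peer[peer][host] = [b - a for a, b in zip(ts, ts[1:])]
    ranked = []
    for peer, hosts in gaps_by_peer.items():
        if len(hosts) < min_hosts:
            continue                        # a single suspect is not a common peer
        gaps = [g for gs in hosts.values() for g in gs]
        stats = (mean(gaps), pstdev(gaps)) if gaps else (None, None)
        ranked.append((peer, len(hosts), *stats))
    ranked.sort(key=lambda r: (-r[1], r[3] if r[3] is not None else float("inf")))
    return ranked
```

On the sample, the peer on port 6667 is contacted by all three suspects about every 60 seconds, while the shared resolver is contacted once each and ranks lower.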
            +-------------------------------+
+-------+   |  +-------+         +-------+  |  +-------+
| SR 1  +---+  | SC 1  +----+----+ SC 2  |  +--+ SR 3  |
+-------+   |  +-------+    |    +-------+  |  +-------+
            |               |               |
+-------+   |           +---+---+           |  +-------+
| SR 2  +---+           | SC 3  |           +--+ SR 4  |
+-------+   |           +-------+           |  +-------+
            +-------------------------------+
SR: SAV router
SC: SAV controller
      Figure 2: Connection Example of SAV Devices
Figure 2 depicts a connection example of SAV devices. SAV routers are distributed throughout the network, and they MUST communicate with the SAV controller in order to collaborate. This document suggests that each SAV router store several records of SAV controllers for backup. Each SAV router MUST try to connect to its nearest SAV controller at all times. If the SAV router loses contact with the present controller, it MUST seek the next closest controller. Such a mechanism can assist SAV routers in maintaining connections to the best of their abilities.
The SAV controller appears externally as a single server. Realizing the full functionality of the SAV controller MAY require substantial computing and storage resources. As a result, the SAV controller can be built as clustered or distributed servers, where consistency and scalability are the primary concerns. Each SAV controller can communicate with many SAV routers and perform the corresponding functions.
      +------------+               +------------+
      |   SAV      +---------------> SAV        |
      |   Router   <---------------+ Controller |
      +------------+               +------------+
Figure 3: SAV Router and SAV Controller Establish and Keep Communications
Given the broad deployment of SAV routers, each configured SAV router MUST automatically establish a connection with a SAV controller. They MUST maintain contact after building connections. This document suggests that an OSPF-like approach be considered. Furthermore, the SAV router MUST be able to communicate with the SAV controller during DDoS attacks, and such a mechanism MAY refer to the DOTS Working Group [DOTS_WG].
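As an added example that is not part of the draft, the following Python sketches the router-side behaviour described for Figures 2 and 3: stored controller records tried nearest first, OSPF-like periodic hellos with a dead interval, and failover to the next closest controller once contact is lost. The record fields, the distance metric, the hello and dead intervals and the send_hello callback are assumptions of this example.

```python
import time

# Constructed controller records stored on one SAV router; "distance" stands in for
# whatever proximity metric a deployment uses (assumption of this example).
CONTROLLER_RECORDS = [
    {"id": "SC1", "addr": "192.0.2.10", "distance": 3},
    {"id": "SC2", "addr": "192.0.2.20", "distance": 5},
    {"id": "SC3", "addr": "192.0.2.30", "distance": 1},
]
HELLO_INTERVAL = 10                  # seconds between hellos (OSPF-like; values assumed)
DEAD_INTERVAL = 4 * HELLO_INTERVAL   # silence after which the controller counts as lost

class SavRouterUplink:
    """Controller selection and liveness tracking on one SAV router (illustrative)."""

    def __init__(self, records, send_hello, now=time.monotonic):
        self.records = sorted(records, key=lambda r: r["distance"])  # nearest first
        self.send_hello = send_hello  # callable(addr) -> bool: did the controller answer?
        self.now = now
        self.current, self.last_heard = None, None

    def connect(self):
        """Try the stored controllers nearest first; return the id joined or None."""
        for rec in self.records:
            if self.send_hello(rec["addr"]):
                self.current, self.last_heard = rec, self.now()
                return rec["id"]
        self.current = None
        return None

    def tick(self):
        """Run once per HELLO_INTERVAL: refresh liveness, fail over once the peer is dead."""
        if self.current and self.send_hello(self.current["addr"]):
            self.last_heard = self.now()
            return self.current["id"]
        if self.current is None or self.now() - self.last_heard >= DEAD_INTERVAL:
            return self.connect()       # contact lost: seek the next closest controller
        return self.current["id"]       # a missed hello, still inside the dead interval
```

A single missed hello does not trigger failover; only silence for the whole dead interval does, which keeps a router from flapping between controllers under transient loss.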
The data plane is primarily comprised of distributed SAV routers. SAV routers MAY be deployed in access networks, within Autonomous System (AS) domains, or at the AS domain boundary. The general features of SAV routers are the same wherever they are deployed and can be summarized as follows.
The control plane consists of the SAV controller, which can be clustered or distributed servers. The SAV controllers are responsible for detecting, mitigating, and tracing back DDoS attacks. They also provide a spoofing address database and a DDoS attack database for others to reference. The following are the features of the SAV controller.
This document includes no request to IANA.