Dear OPSAWG Experts,
We have submitted a draft titled "SAV-based Anti-DDoS Architecture" (https://datatracker.ietf.org/doc/draft-cui-savnet-anti-ddos/), which focuses on enhancing security operations to defend against DDoS attacks using a SAV-D controller. The draft is motivated by the observation that spoofed IP addresses can lead to severe DDoS attacks. While Source Address Validation (SAV) schemes are an effective means of mitigating such attacks, the limited deployment of SAV devices impairs their overall performance.
In this context, we propose the SAV-D architecture to leverage information from both SAV and non-SAV devices. This approach improves detection accuracy and incentivizes broader deployment of SAV devices. Specifically, the architecture allows SAV honeypots, legacy routers, and victim defense systems to interact with the SAV-D controller, retrieving comprehensive threat intelligence to inform defense strategies. Furthermore, the SAV honeypots report malicious packet information to the SAV-D controller, enabling data analysis and the creation of global threat intelligence. The SAV-D controller can also provide comprehensive attack situation awareness, helping operators manage their networks more effectively. Our draft introduces the overall architecture of the SAV-D controller, the interaction with devices, the data transmission protocol, workflow, deployment strategies, and examples of connections.
Based on SAV-D, we have set up a small-scale experimental environment and validated the effectiveness of the framework against reflective DDoS attacks. The details can be found in the paper(SAV-D: Defending DDoS with Incremental Deployment of SAV ).
This draft offers a practical operational solution for defending against spoofed IP DDoS attacks while utilizing existing SAV devices, legacy routers, and victim defense mechanisms. We submit this to OPSAWG and look forward to your valuable feedback to improve the draft.
We have submitted a draft titled "SAV-based Anti-DDoS Architecture" (https://datatracker.ietf.org/doc/draft-cui-savnet-anti-ddos/), which focuses on enhancing security operations to defend against DDoS attacks using a SAV-D controller. The draft is motivated by the observation that spoofed IP addresses can lead to severe DDoS attacks. While Source Address Validation (SAV) schemes are an effective means of mitigating such attacks, the limited deployment of SAV devices impairs their overall performance.
In this context, we propose the SAV-D architecture to leverage information from both SAV and non-SAV devices. This approach improves detection accuracy and incentivizes broader deployment of SAV devices. Specifically, the architecture allows SAV honeypots, legacy routers, and victim defense systems to interact with the SAV-D controller, retrieving comprehensive threat intelligence to inform defense strategies. Furthermore, the SAV honeypots report malicious packet information to the SAV-D controller, enabling data analysis and the creation of global threat intelligence. The SAV-D controller can also provide comprehensive attack situation awareness, helping operators manage their networks more effectively. Our draft introduces the overall architecture of the SAV-D controller, the interaction with devices, the data transmission protocol, workflow, deployment strategies, and examples of connections.
Based on SAV-D, we have set up a small-scale experimental environment and validated the effectiveness of the framework against reflective DDoS attacks. The details can be found in the paper(SAV-D: Defending DDoS with Incremental Deployment of SAV ).
This draft offers a practical operational solution for defending against spoofed IP DDoS attacks while utilizing existing SAV devices, legacy routers, and victim defense mechanisms. We submit this to OPSAWG and look forward to your valuable feedback to improve the draft.
Best regards,
Mingzhe
_______________________________________________ OPSAWG mailing list -- opsawg@ietf.org To unsubscribe send an email to opsawg-le...@ietf.org
