DOTS INTERNET-DRAFT T. Fu Intended Status: Informational C. Zhou Expires: September 14, 2017 H. Zheng Huawei March 13, 2017 IP Flow Information Export (IPFIX) Information Elements Extension for TCP Connection Tracking draft-fu-dots-ipfix-tcp-tracking-00 Abstract This document proposes several new TCP connection related Information Elements (IEs) for the IP Flow Information Export (IPFIX) protocol. The new Information Elements can be used to export certain characteristics regarding a TCP connection. Through massive gathering of such characteristics, it can help build an image of the TCP traffics passing through a network. The image will facilitate the detection of anomaly TCP traffic, especially attacks targeting at TCP. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Copyright and License Notice T. Fu, et al. Expires September 14, 2017 [Page 1] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions used in this document . . . . . . . . . . . . . . 4 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 3. Connection Sampling and new IEs . . . . . . . . . . . . . . . 4 3.1. Use Cases for New IEs . . . . . . . . . . . . . . . . . . 4 3.1.1. Response Time Calculation . . . . . . . . . . . . . . 4 3.1.2. Symptoms of Exceptions . . . . . . . . . . . . . . . . 5 4. Application of the New IEs for Attack Detection . . . . . . . 6 4.1. Detect Slowloris Attack . . . . . . . . . . . . . . . . . 6 4.2. Detect Out-of-order Packets Attack . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 T. Fu, et al. Expires September 14, 2017 [Page 2] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 1. Introduction Due to its complex stateful operations, TCP [RFC0793] is especially vulnerable to attacks. The SYN Flood attack is an example, it involves with massive malicious clients attempting to set up connections with a server, but never completing the three-way handshake process, leaving the server-side of the connections in waiting states, eventually exhausting the server resources and no new connection can be created. Attack aiming at TCP can be low and slow in traffic pattern. Sometimes it may not take down the server, but just impair the provided service. Even though a victim server is still operating, its performance can be significantly degraded. Without the insight of what is going on with the TCP traffics, this kind of situation can be very hard to detect and analyze. For a network device, such as a router, to detect anomaly TCP traffics, it has to understand the semantics of TCP operations, more specifically, it has to be able to track TCP connection states. If a router has implemented such ability, it can export characteristics information regarding the TCP connections. By this way, offline analysis can be performed over the gathered information, which will facilitate the detection of anomaly TCP traffics, such as attacks. The IP Flow Information Export (IPFIX) protocol [RFC7011], already defines a generic mechanism for flow information export. This document introduces several new Information Elements of IPFIX, that can be used to export TCP connection characteristics. The proposed Information Elements are listed in Figure 1 below. +---------------------------+------+ | Field Name | IANA | | | IPFIX| | | ID | +---------------------------+------+ |tcpHandshakeSyn2SynAckTime | TBD | |tcpHandshakeSynAck2AckTime | TBD | |tcpHandshakeSyn2AckRttTime | TBD | |tcpConnectionTrackingBits | TBD | |tcpPacketIntervalAverage | TBD | |tcpPacketIntervalVariance | TBD | |tcpOutOfOrderDeltaCount | TBD | +---------------------------+------+ Figure 1: Information Element Table The Information Elements defined in Figure 1 are supposed to be T. Fu, et al. Expires September 14, 2017 [Page 3] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 incorporated into the IANA IPFIX Information Elements registry [IPFIX-IANA]. Their definitions can be found at Section 6. 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [RFC2119] 2.1. Terminology IPFIX-specific terminology (Information Element, Template, Template Record, Options Template Record, Template Set, Collector, Exporter, Data Record, etc.) used in this document is defined in Section 2 of [RFC7011]. As in [RFC7011], these IPFIX-specific terms have the first letter of a word capitalized. This document also makes use of the same terminology and definitions as Section 2 of [RFC5470]. o Victim The target that suffers from DDoS attack. 3. Connection Sampling and new IEs 3.1. Use Cases for New IEs In this section, several use cases are discussed to identify the requirements where new IEs are desirable for the network attacks detection. 3.1.1. Response Time Calculation For other DDoS attacks such as Http slowloris, there will be too many connections that should be kept in the victim (server), which lead to excessive resource consumption. As a result, the response time between client and server will increase greatly. Challenge Collapasar(CC) attack can also exhaust the resources of the server and generate the similar results. Thus, the following IEs are proposed as a symptom of these kinds of attacks: tcpHandshakeSyn2SynAckTime: it denotes the time difference between the time point that the Metering Process detects the SYN packet from client to server and the time point that the observer views the SYN-ACK packet from server to client. T. Fu, et al. Expires September 14, 2017 [Page 4] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 tcpHandshakeSynAck2AckTime: it denotes the time difference between the time point that the Metering Process detects the SYN-ACK packet from server to client and the time point that the observer views the ACK packet from client to server. tcpHandshakeSyn2AckRttTime: it denotes The sum of tcpHandshakeSyn2SynAckTime and tcpHandshakeSynAck2AckTime. It is the Round Trip Time (RTT) between client and server. 3.1.2. Symptoms of Exceptions In http slowloris attack the client may send packets to victim periodically which can cause the performance lost on the server. The characteristic of the attack is that there are too many connections on the victim. However, the traffic volume for these connections is small. In order to detect this attack, the first step is to get the packets that are belonging to the same connection. The second step is to find the periodicity. Thus the two indices tcpPacketIntervalAverage and tcpPacketIntervalVariance are needed. The index tcpPacketIntervalAverage denotes the average time difference between two successive packets and the index tcpPacketIntervalVariance denotes the variance of multiple time difference. Large tcpPacketIntervalAverage and small tcpPacketIntervalVariance can be a symptom of slow packet attack, since the attacker sends packets in large intervals just as to keep the connection open, and the intervals tend to differ very little in time. To degrade the performance of the victim, the malicious clients may send too many out-of-order packets, which will consume too much memory on the server. Although out-of-order packets are permit in the TCP protocol, it is possible to be leveraged to cause DDoS attack. So the index tcpOutOfOrderDeltaCount is helpful to detect this kind of exception. For observer, it maintains one counter for each TCP connection. The initial sequence number of the client is saved in the counter. The counter increases by the sequence number of the packets it sees from client to server. If the observer sees a packet with lower sequence number than the current counter value, then the packet will be considered as an out-of-order packet. In IPFIX, the index tcpControlBits is used to record the corresponding status bits in TCP header of the packets[IPFIX-IANA]. In order to detect the application attacks which can cause the protocol exception such as the wrong use of the TCP status bits before and after the TCP connection establishment, another index called tcpConnectionTrackingBits is needed. For example, when the observer sees the SYN packet from client to server, it sets 15th bit of tcpConnectionTrackingBits to 1; when it sees the SYN-ACK packet T. Fu, et al. Expires September 14, 2017 [Page 5] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 from server to client, it sets 14th bit to 1, and so on. If one endpoint sends the packet with wrong bits during the establishment of the connection, then the observer will identify the exception by the value of tcpConnectionTrackingBits. 4. Application of the New IEs for Attack Detection This section presents a number of examples to help for the easy understanding of the application of these new IEs for attack detection. 4.1. Detect Slowloris Attack The template for detecting resource exhausting application attack such as http slowloris attack should contain a subnet of IEs shown in Table 4. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 48 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID TBD | Field Count = 10 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv4Address | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationIPv4Address | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| protocolIdentifier | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| tcpHandshakeSyn2SynAckTime | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| tcpHandshakeSynAck2AckTime | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| tcpHandshakeSyn2SynAckTime | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| tcpPacketIntervalAverage | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| tcpPacketIntervalVariance | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| flowStartSeconds | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| flowEndSeconds | Field Length = 4 | +- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: Template example for detecting slowloris attack An example of the actual record is shown below in a readable form as below: T. Fu, et al. Expires September 14, 2017 [Page 6] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 {sourceIPv4Address = 192.168.0.101, destinationIPv4Address = 192.168.0.201, protocolIdentifier = 6, tcpHandshakeSyn2SynAckTime = 200, tcpHandshakeSynAck2AckTime = 10, tcpHandshakeSyn2AckRttTime = 210, tcpPacketIntervalAverage = 500, tcpPacketIntervalVariance = 1000, flowStartSeconds = 100, flowEndSeconds = 200} 4.2. Detect Out-of-order Packets Attack The template for detecting out-of-order packets attack should contain IEs shown in Table 5. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 32 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID TBD | Field Count = 10 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv4Address | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationIPv4Address | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| protocolIdentifier | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| packetDeltaCount | Field Length = 8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| tcpOutOfOrderDeltaCount | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| flowStartSeconds | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| flowEndSeconds | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3: Template example for detecting out-of-order attack An example of the actual record is shown below in a readable form as below: {sourceIPv4Address = 192.168.0.101, destinationIPv4Address = 192.168.0.201, protocolIdentifier = 6, packetDeltaCount =3000, tcpOutOfOrderDeltaCount = 2000, flowStartSeconds = 100, flowEndSeconds = 200} 5. Security Considerations No additional security considerations are introduced in this document. The same security considerations as for the IPFIX protocol [RFC7011] apply. 6. IANA Considerations T. Fu, et al. Expires September 14, 2017 [Page 7] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 The following information elements are requested from IANA IPFIX registry. Upon acceptation, the 'TBD' values of the ElementIds should be replaced by IANA for assigned numbers. Name: tcpHandshakeSyn2SynAckTime Description: The time difference between a SYN and its corresponding SYN-ACK when the Metering Process observes a new TCP connection is going to be set up. Abstract Data Type: dateTimeMicroseconds ElementId: TBD Status: current Units: microseconds Name: tcpHandshakeSynAck2AckTime Description: The time difference between a SYN-ACK and its corresponding ACK when the Metering Process observes a new TCP connection is going to be set up. Abstract Data Type: dateTimeMicroseconds ElementId: TBD Status: current Units: microseconds Name: tcpHandshakeSyn2AckRttTime Description: The time difference between a SYN and its corresponding ACK sent from the same endpoint when the Metering Process observes a new TCP connection is going to be set up. Conceptually tcpHandshakeSyn2AckRttTime can be thought as the sum of tcpHandshakeSyn2SynAckTime and tcpHandshakeSynAck2AckTime, but practically the values may differ. Abstract Data Type: dateTimeMicroseconds ElementId: TBD Status: current Units: microseconds Name: tcpConnectionTrackingBits Description: These bits are used by the Metering Process to track a TCP connection. A bit is set to 1 if the corresponding condition is met. A value of 0 for a bit indicates the corresponding condition was net met. T. Fu, et al. Expires September 14, 2017 [Page 8] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1|1|1|1|1|1|0|0|0|0|0|0|0|0|0|0| |5|4|3|2|1|0|9|8|7|6|5|4|3|2|1|0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |S|S|A|F|A|F|A|R|T|E|END|R|R|E|V| |Y|/|C|I|C|/|C|S|M|N|REA|O|O|R|L| |N|A|K|N|K|A|K|T|R|D|SON|P|D|R|D| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Bit 15 (SYN): Set when there is no TCP connection between the endpoints and the Metering Process detects a SYN as it is used to setup a new TCP connection. The Metering Process starts to track the TCP connection. Bit 14 (S/A): Set when bit 15 has been set and the Metering Process detects a SYN-ACK in the flow, which effectively acknowledges the SYN causing bit 15 to be set. Bit 13 (ACK): Set when bit 15 and bit 14 have been set and the Metering Process detects an ACK which effectively acknowledges the SYN causing bit 14 to be set. Upon setting this bit, it means handshake of the TCP connection setup has completed. Bit 12 (FIN): Set when the Metering Process detects the first FIN for the established and tracked TCP connection. It means the TCP connection is going to be closed. Bit 11 (ACK): Set when bit 12 has been set and the Metering Process detects an ACK which effectively acknowledges the FIN causing bit 12 to be set. Bit 10 (F/A): Set when bit 12 has been set and the Metering Process detects a FIN that is from the opposite of the endpoint which sent the FIN causing bit 12 to be set. Bit 09 (ACK): Set when bit 10 has been set and the Metering Process detects an ACK that is from the same endpoint which sent the FIN causing bit 10 to be set. Bit 08 (RST): Set when the Metering Process detects any RST from either party of the tracked TCP connection. Bit 07 (TMR): Set when a flow record report is triggered by a periodic reporting timer. It means the TCP connection is still under tracking. Bit 06 (END): Set when the Metering Process has stopped tracking the TCP T. Fu, et al. Expires September 14, 2017 [Page 9] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 connection, as the connection has been closed or aborted. Bit 05 & Bit 04 (END REASON): 00: as default value or the tracked TCP connection is closed. 01: the tracked TCP connection is aborted. 10: the tracked TCP connection is inactive after a period of time. 11: reserved. Bit 03 (ROP): Set when the Metering Process detects any SYN or SYNACK, after the both endpoints have sent FIN or an RST has been detected. Bit 02 (ROD): Set when the Metering Process detects at least 50 TCP segments being exchanged, after both endpoints have sent FIN or an RST has been detected. Bit 01 (ERR): Set when the Metering Process detects any of the following abnormal signaling sequences for the TCP connection: SYN/FIN, SYN/FIN/PSH, SYN/FIN/RST, SYN/FIN/RST/PSH. Bit 00 (VLD): Set when the tracked TCP connection is closed normally. Abstract Data Type: unsigned16 Data Type Semantics: flags ElementId: TBD Status: current Name: tcpPacketIntervalAverage Description: The average time interval calculated by the Metering Process between two successive packets in the data flow of a TCP connection. Abstract Data Type: unsigned32 ElementId: TBD Status: current Name: tcpPacketIntervalVariance Description: The variance of the time intervals calculated by the Metering Process between two successive packets in the data flow of a TCP connection. Abstract Data Type: unsigned64 ElementId: TBD Status: current T. Fu, et al. Expires September 14, 2017 [Page 10] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 Name: tcpOutOfOrderDeltaCount Description: The number of out of order packets in the data flow of a TCP connection detected at the Observation Point since the previous report. Abstract Data Type: unsigned64 Data Type Semantics: deltaCounter ElementId: TBD Status: current 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, September 2013. [RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, "Architecture for IP Flow Information Export", RFC 5470, March 2009. [RFC0793] J. Postel, "Transmission Control Protocol", STD 7, RFC 793, September 1981. 7.2. Informative References [IPFIX-IANA] IANA, "IPFIX Information Elements registry", . [RFC5474] Duffield, N., Ed., Chiou, D., Claise, B., Greenberg, A., Grossglauser, M., and J. Rexford, "A Framework for Packet Selection and Reporting", RFC 5474, March 2009. [RFC5475] Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F. Raspall, "Sampling and Filtering Techniques for IP Packet Selection", RFC 5475, March 2009. [RFC5476] Claise, B., Ed., Johnson, A., and J. Quittek, "Packet Sampling (PSAMP) Protocol Specifications", RFC 5476, March 2009. T. Fu, et al. Expires September 14, 2017 [Page 11] INTERNET DRAFT IPFIX Extension for TCP Tracking March 13, 2017 [RFC5477] Dietz, T., Claise, B., Aitken, P., Dressler, F., and G. Carle, "Information Model for Packet Sampling Exports", RFC 5477, March 2009, 8. Acknowledgments The authors would like to acknowledge the following people, for their contributions on this text: DaCheng Zhang, Bo Zhang (Alex), Min Li. Authors' Addresses Tianfu Fu Huawei Q11, Huanbao Yuan, 156 Beiqing Road, Haidian District Beijing 100095 China Email: futianfu@huawei.com Chong Zhou Huawei 156 Beiqing Road, M06 Shichuang Technology Demonstration Park Haidian, Beijing 100094 China Email: mr.zhouchong@huawei.com Hui Zheng (Marvin) Huawei 101 Software Avenue, Yuhuatai District Nanjing, Jiangsu 210012 China Email: marvin.zhenghui@huawei.com T. Fu, et al. Expires September 14, 2017 [Page 12]