Network K. Moriarty
Internet-Draft Dell EMC Corporation
Intended status: Informational M. Ford
Expires: July 9, 2017 Internet Society
January 05, 2017

Coordinating Attack Response at Internet Scale (CARIS) Workshop Report


This report documents the discussions and conclusions from the Coordinating Attack Response at Internet Scale (CARIS) workshop that took place in Berlin, Germany on 18 June 2015. The purpose of this workshop was to improve mutual awareness, understanding, and coordination among the diverse participating organizations and their representatives.

Note that this document is a report on the proceedings of the workshop. The views and positions documented in this report are those of the workshop participants and do not necessarily reflect IAB views and positions.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 9, 2017.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents ( in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction

The Internet Architecture Board (IAB) and the Internet Society (ISOC) hosted a day-long Coordinating Attack Response at Internet Scale (CARIS) workshop on 18 June 2015 in coordination with the Forum for Incident Response and Security Teams (FIRST) Conference in Berlin. The workshop included members of the FIRST community, attack response working group representatives, network and security operators, Regional Internet Registry (RIR) representatives, researchers, vendors, and representatives from standardisation communities. Key goals of the workshop were to improve mutual awareness, understanding, and coordination among the diverse participating organizations. The workshop also aimed to provide the attendees with greater awareness of existing efforts to mitigate specific types of attacks, and greater understanding of the options available to collaborate and engage with these efforts.

The day-long workshop included a mix of invited talks and panel discussion sessions with opportunities to collaborate throughout, taking full advantage of the tremendous value of having these diverse communities with common goals in one room. There were approximately 50 participants engaged in the CARIS workshop.

Attendance at the workshop was by invitation only. Prior to the workshop, existing attack-mitigation working groups were asked to complete a survey. The data gathered through this questionnaire, including how third parties can participate in or contribute to the attack-mitigation working group, was shared with all of the participants at the workshop to better enable collaboration [ISOC]. Attendees were also selected from submissions of 2-page position papers that included some key insight or challenge relevant to the broader group. Paper topics included research topics related to attack mitigation or information sharing/exchange, success stories, lessons learned, and more in-depth studies on specific topics such as privacy or trust.

The program committee received 25 papers and 19 template submissions. The template submissions will be maintained by the Internet Society and as a result of the workshop they will be amended to provide additional value to the computer security incident response teams (CSIRTs) and attack response communities/operators on their information exchange capabilities. The CARIS participants found the template submissions to be very useful in coordinating their future attack mitigation efforts. This is a new initiative and is open for the global community and hosted in a neutral location. All submissions are available online and linked from the agenda [AGENDA].

The workshop talks and panels involved full participation from attendees who were required to read all the submitted materials. The panels were organized to spur conversation between specific groups to see if progress could be made towards more efficient and effective attack mitigation efforts. See [KME1] and [KME2] for additional information on possible approaches to accomplish more effective attack response and information exchanges with methods that require fewer analysts.

The workshop was run under the Chatham House Rule to facilitate the exchange of sensitive information involved with incident response. As such, there was no recording, but minutes were taken and used to aid in the generation of this report. Comments will not be attributed to any particular attendee, nor will organizations be named in association with any discussion topics that were not made public through submission templates or papers by the submitter and organization.

2. Sessions and Panel Groups

After an initial presentation to set the stage and elaborate the goals of the workshop, the day was divided into five sessions as follows.

  1. Coordination between CSIRTs and attack response mitigation efforts
  2. Scaling response to DDoS and botnets effectively and safely
  3. Infrastructure: DNS and RIR providers and researchers
  4. Trust and Privacy with the exchange of potentially sensitive information
  5. Implications for Internet architecture and next steps

The remainder of this report will provide more detail on each of these sessions.

2.1. Coordination between CSIRTs and Attack Response Mitigation Efforts

The first panel session on Coordination between CSIRTs and attack mitigation efforts included representatives from several organizations that submitted templates describing their organization’s attack mitigation efforts. This panel was purposefully a cross section of organizations attending to see if there were new opportunities to collaborate and improve efficiency thereby better scaling attack mitigation. The panelists described their efforts with the following questions in mind:

For each of the following organizations, additional information can be found in their template submissions [ISOC].

The following summaries are to be read in the context of the workshop and not as stand alone descriptions for each organization. These summaries are a result of the workshop discussions.

Highlights from the panel discussion:

2.2. Scaling Response to DDoS and Botnets Effectively and Safely

The first invited talk at the workshop provided an interesting history of Distributed Denial of Service (DDoS) attacks and the evolution of botnets as well as the methods to combat these threats. The paper by Dave Dittrich [DD1] is available to learn more of this history: this section of the report will focus on the workshop discussion in an effort to benefit from the workshop attendees’ thoughts concerning how to better scale our response to these threats.

Key points from the discussion:

2.3. DNS & RIRs: Attack Response and Mitigation

This session was a shift from other sessions in the day as the panelists were infrastructure providers for those combating attacks. This session was of interest to see how attack and incident responders could better collaborate with DNS infrastructure organisations and RIRs. These groups have not interacted in the past and it was interesting to see the collaboration opportunities since the workshop participants rely on these services to do their jobs. From the panelists’ perspective, DNS and RIRs are separate worlds, where they spend a lot of time trying to educate policymakers about how they work together to make the Internet work.

Key discussion points:

2.4. Trust Privacy and Data Markings Panel

Why don’t organizations share data? It seems to be a mix of privacy, legal, technical/mundane, cultural, and communication issues. There are also concerns about sharing proprietary data with competitors. Having said that, most of these reasons were dismissed as bogus by the more operationally focused participants in the workshop. Lawyers need contextual education for the intersection of law and technology. Sensitive data is still an issue as one can’t control what others do with data once it is shared.

Key points from the panel discussion:

3. Workshop Themes

During the course of the day, a couple of themes recurred in the discussions. Firstly, in order to better scale attack response through improvements to the efficiency and effectiveness of information exchanges:

  1. Data exchanges should not be just for the purpose of creating blacklists that could be redundant efforts.
  2. Involving service providers and vendors to better coordinate and scale response is key.

Secondly, information security practitioners are a scarce resource:

  1. Training and education was discussed to improve this gap, both to train information security professionals and others in IT on basic network and system hygiene.
  2. Leveraging resources to better scale response, using fewer resources is critical.

4. Next Steps

4.1. RIR and DNS Provider Resources

Workshop participants expressed an interest in expanded information on the resources and assistance offered by the RIRs and DNS providers. Participants are going to define what is needed.

4.2. Education and Guidance

Another recurring theme was the lack of knowledge in the community of basic security principles such as ingress and egress filtering explained in BCP38 [RFC2827]. The CSIRTs, operators, and vendors of attack mitigation tools found this particularly frustrating. As a result, follow up activities may include determining if security guidance BCPs require updates or to determine whether there are opportunities to educate people on these basic principles already documented by the IETF.

4.3. Transport Options

One of the more lively discussions was the need for better transports for information exchange. Real-time Inter-network Defense (RID) [RFC6545] was written more than 10 years ago. While the patterns established in RID still show promise, there are updated solutions being worked on. One such solution is in the IETF DOTS working group, that has an approach similar to RID with updated formats and protocols to meet the demands of today’s DDoS attacks. While Trusted Automated eXchange of Indicator Information (TAXII - another transport option) is just in transition to OASIS, its base is similar to RID in its use of SOAP-like messaging, which will likely prevent it from scaling to the demands of the Internet. Vendors also cited several interoperability challenges of TAXII in workshop discussions. Alternatively, XMPP-Grid has been proposed in the IETF Security Automation and Continuous Monitoring (SACM) working group and it offers promise as the data exchange protocol for deployment at scale. XMPP [RFC6120] inherently meets the requirements for today’s information exchanges with features such as publish/subscribe, federation, and use of a control channel. XMPP-Grid is gaining traction with at least 10 vendors using it in their products and several more planning to add support [I-D.appala-mile-xmpp-grid]. Review and discussion of this draft would be helpful as it transitions to the Managed Incident Lightweight Exchange (MILE) working group as an outcome of the workshop. REST was also brought up as a needed interface because of the low barrier to use [REST]. The IETF MILE Working Group has discussed a draft detailing a common RESTful interface (ROLIE) that could be used with any data format and this may also be of interest [I-D.ietf-mile-rolie].

4.4. Updated Template for Information Exchange Groups

One of the submission options was for organizations actively exchanging data to submit a form describing their work to reduce computer security incidents. The CSIRTs, in particular, liked having access to this information in a neutral location like the Internet Society. However, they wanted to see amendments to the format to improve its usefulness. There was a desire to have this used by additional information exchange groups, thereby creating a living library to improve awareness of how to become a member, benefit from, or contribute to the success of the attack response and CSIRT information exchange platforms.

5. Security Considerations

The CARIS workshop was focused on security and methods to improve the effectiveness and efficiency of attack response to enable better scaling. This report provides a summary of the workshop discussions and identifies some outcomes to improve security. As such, no additional considerations are provided in this section.

6. Informative References

, ", ", ", ", ", ", ", ", "
[AGENDA]Agenda: Coordinating Attack Response at Internet Scale (CARIS) Workshop", 2015.
[APWG]APWG Homepage", 2015.
[CERT.BR]Brazilian National Computer Emergency Response Team Homepage", 2015.
[CERTCC]CERT Coordination Center Homepage", 2015.
[DD1] Dittrich, D., Taking Down Botnets - Background", April 2015.
[ENISA]European Union Agency for Network and Information Security Homepage", 2015.
[I-D.appala-mile-xmpp-grid] Cam-Winget, N., Appala, S. and S. Pope, "XMPP Protocol Extensions for Use with IODEF", Internet-Draft draft-appala-mile-xmpp-grid-00, October 2015.
[I-D.ietf-mile-rolie] Field, J., Banghart, S. and D. Waltermire, "Resource-Oriented Lightweight Information Exchange", Internet-Draft draft-ietf-mile-rolie-03, July 2016.
[ISOC]CARIS Workshop Template Submissions", 2015.
[KME1] Moriarty, K., "Transforming Expectations for Threat-Intelligence Sharing", August 2013.
[KME2] Moriarty, K., Kathleen Moriarty Blog Series", July 2015.
[MYCERT]Malaysia Computer Emergency Response Team Homepage", 2015.
[REN-ISAC]Research and Education Networking Information Sharing and Analysis Center Homepage", 2015.
[REST] Fielding, R., "Architectural Styles and the Design of Network-based Software Architectures", Ph.D. Dissertation, University of California, Irvine, 2000.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May 2000.
[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120, March 2011.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC 6545, DOI 10.17487/RFC6545, April 2012.
[TLP]Traffic Light Protocol (TLP) Matrix and Frequently Asked Questions", 2015.

Appendix A. Acknowledgements

Thanks are due to the members of the program committee (in alphabetical order) for their efforts to make the CARIS workshop possible and a productive session with cross area expertise: Matthew Ford (Internet Society, UK), Ted Hardie (Google, USA), Joe Hildebrand (Cisco, USA), Eliot Lear (Cisco, Switzerland), Kathleen M. Moriarty (EMC Corporation, USA), Andrew Sullivan (Dyn, USA), Brian Trammell (ETH Zurich, Switzerland).

Thanks are also due to the CARIS workshop sponsors:

Appendix B. Workshop Attendees

In alphabetical order by first name, workshop attendees were: Adli Wahid, Alexey Melnikov, Andrew Sullivan, Arnold Sykosch, Brian Trammell, Chris Morrow, Cristine Hoepers, Dario Forte, Dave Cridland, Dave Dittrich, Eliot Lear, Foy Shiver, Frank Xialiang, Graciella Martinez, Jessica Stienberger, Jim Duncan, Joe Hildebrand, John Bond, John Graham-Cummings, John Kristoff, Kathleen Moriarty, Klaus Steding-Jessen, Linda Dunbar, Marco Obiso, Martin Stiemerling, Mat Ford, Merike Kaeo, Michael Daly, Mio Suzuki, Mirjam Kuehne, Mr. Fu TianFu , Nancy Cam-Winget, Nik Teague, Pat Cain, Roland Dobbins, Roman Danyliw, Rosella Mattioli, Sandeep Bhatt , Scott Pinkerton, Sharifah Roziah Mohd Kassim, Stuart Murdoch, Takeshi Takahashi, Ted Hardie, Tobias Gondrom, Tom Millar, Tomas Sander, Ulrich Seldeslachts, Valerie Duncan, Wes Young

Authors' Addresses

Kathleen M. Moriarty Dell EMC Corporation 176 South Street Hopkinton, MA, United States EMail:
Mat Ford Internet Society Galerie Jean-Malbuisson 15 Geneva, Switzerland EMail: