T2TRG Syed. M. Sajjad, Ed.
Internet-Draft M. Yousaf
Intended status: Standards Track Riphah Institute of Systems Engineering
Expires: January 23, 2019 July 22, 2018

An Architecture for Collaborative Security and Proactive Defence against IoT Botnets
draft-sajjad-t2trg-colsec-00

Abstract

This document proposes an architecture for Collaborative Security and Proactive Defence against IoT Botnets. The proposed architecture is based on the violation of the Manufacturer Usage Description policy. This architecture provides a means of sharing the attacker information including its Command and Control Server information with the peers in order to not only achieve proactive defense against Internet of Things botnets but also mitigate them at its source end.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 23, 2019.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Distributed Denial of Service (DDoS) attacks is generally detected and mitigated at the destination end. Companies are deploying costly detection appliances to safeguard themselves from DDoS so as to continue their routine critical business processes. Destination end DDoS detection and mitigation have implementation complexities and cost overhead. It is also to be noted that destination end detection and mitigation does not detect and mitigate the source of the DDoS attack. There is a need to detect and mitigate Distributed Denial of Service (DDoS) attacks at its source end. Individual Security Systems, deployed on the premises of different organization for the detection of emerging threats, works on the attack knowledge gained in a specific locality. Moreover scalable and sophisticated techniques used by the attacker make it difficult for individual security systems to provide effective security. Slow reaction to zero-day attacks and inconspicuousness to newer emerging attacks are threats to security systems. To handle these challenges, collaborative security mechanisms are used in which each participating entity performs a specific task in order to strengthen the security of the network. Collaborative Security is a method that is categorized by five important features:

2. Motivation and Use cases

IoT Devices acting as bots go unnoticed and undetected, causing a huge loss at the destination end. There is a need to not only detect ddos at its source end but also mitigate it. This section discusses three usecases of the proposed architecture.

2.1. Usecase-01: Timely Sharing of IoT Botnets source Command and Control Server domain in order to proactively safeguard devices from its access

In the First phase, command and control server of the Internet of Things botnets scans for vulnerable devices. Timely disposing of the attacker command and control domain will alert the receiver. The receiver will block the CNC access to its deployed IoT devices.

2.2. Usecase-02: Timely sharing of Threat Intelligence data between manufacturers and Vendors

This architecture may also be used for sharing of threat intelligence data in order to protect their customers from different attacks.

2.3. Usecase-03: Timely Sharing of IoT Botnets source Command and Control Server domain with Attacker ISP for its Source Mitigation

Attacker command and control server is a domain against a public IPs or pole of public IPs. These IPs are obtained from an Internet Service Provider. If the command and control server information is shared with the attacker ISP in the bot propagation phase, the ISP will take down the malicious CNC before causing any major attack.

3. Requirements

There are Certain requirements for the sharing of attack data with the peers:

4. Limitations of Existing Techniques

There are Certain limitations of existing techniques designed for attack data sharing:

5. Terminologies

6. Architecture

We propose a block-chain and smart contract based collaborative mitigation framework. The block-chain is a distributed structure of data that is shared among the members present in the network. The smart contract is a software-based set of contract or negotiation agreed by all the parties, which is able to be executed, confirmed and reinforced automatically. The main idea of the proposed collaborative mitigation system is to send the IP addresses of the attacker and details of the attacked ports, identified by the detection system, with multiple members using smart contract and block-chain. The proposed Collaborative mitigation system is depicted in the Figure 1. In the proposed collaborative mitigation system, each participant in the smart contract has agreed to share the attack information with the member of the network. Each member has its own detection system. Upon receiving the attacker information, the member takes preventive measures through mitigator. Following are the steps of the Proposed Celebrative Mitigation.

       
      
		.........................              
    		.Manufacturer 1/Vender 1.		             
 ________	. ______   ___________  .			     
|	 |	.|	| |           | .			               
|Attacker|	.|Device| |Mud Policy | .     	          	     
|	 |------>|	| | Monitor   | .			      
|	 |	.|	| |           | .                 	           
|________| 	.|______| |___________|	.		       	       
    		....................|....			      
				    |  						
..............	 _______________    |												
.  ________  .	|		|<--|	
. |	   | .	|    Smart 	|
. |  Mud   |--->|   Contract	|
. | Policy | .	|		|<---|
. |Monitor | .	|_______________|    |
. |________| .                       |
.            .                       |
.  _______   .	.....................|......			      	        
. |	  |  .  . _______   _________|___  .			     
. |Device |  .  .|       | |		 | .	                           
. |       |  .  .|Device | | Mud Policy  | .			             
. |       |  .  .|       | |  Monitor    | .			      
. |_______|  .  .|       | |             | .			                
.Manufac-    .  .|_______| |_____________| .               	     
.turer 3     .	.                          .  			                             
.Vender 3    .	.Manufacturer 3/ Vender 3  .	                      
..............	............................                            

Figure 1

7. Security Considerations

Some of the benefits of the block-chain based smart contract collaborative mitigation mechanism are:

8. Acknowledgements

9. IANA Considerations

10. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

Authors' Addresses

Syed Muhammad Sajjad (editor) Riphah Institute of Systems Engineering Aga Khan Road, Sector F-5/1 Islamabad, Federal Capital 44000 Pakistan EMail: abuammarhashmi@gmail.com
Muhammad Yousaf Riphah Institute of Systems Engineering Aga Khan Road, Sector F-5/1 Islamabad, Federal Capital 44000 Pakistan EMail: Muhammad.Yousaf@riu.edu.pk