Report from the IAB workshop on Unwanted Traffic March 9-10, 2006
RFC 4948
Document Type RFC - Informational (August 2007; Errata)
Authors Lixia Zhang  , Elwyn Davies  , Loa Andersson 
Last updated 2020-01-21
Stream IAB
Formats plain text html pdf htmlized with errata bibtex
Stream IAB state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
Email authors IPR References Referenced by Nits 
Network Working Group                                       L. Andersson
Request for Comments: 4948                                      Acreo AB
Category: Informational                                        E. Davies
                                                        Folly Consulting
                                                                L. Zhang
                                                                    UCLA
                                                             August 2007

   Report from the IAB workshop on Unwanted Traffic March 9-10, 2006

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document reports the outcome of a workshop held by the Internet
   Architecture Board (IAB) on Unwanted Internet Traffic.  The workshop
   was held on March 9-10, 2006 at USC/ISI in Marina del Rey, CA, USA.
   The primary goal of the workshop was to foster interchange between
   the operator, standards, and research communities on the topic of
   unwanted traffic, as manifested in, for example, Distributed Denial
   of Service (DDoS) attacks, spam, and phishing, to gain understandings
   on the ultimate sources of these unwanted traffic, and to assess
   their impact and the effectiveness of existing solutions.  It was
   also a goal of the workshop to identify engineering and research
   topics that could be undertaken by the IAB, the IETF, the IRTF, and
   the network research and development community at large to develop
   effective countermeasures against the unwanted traffic.

Andersson, et al.            Informational                      [Page 1]
RFC 4948                    Unwanted Traffic                 August 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The Root of All Evils: An Underground Economy  . . . . . . . .  4
     2.1.  The Underground Economy  . . . . . . . . . . . . . . . . .  5
     2.2.  Our Enemy Using Our Networks, Our Tools  . . . . . . . . .  6
     2.3.  Compromised Systems Being a Major Source of Problems . . .  7
     2.4.  Lack of Meaningful Deterrence  . . . . . . . . . . . . . .  8
     2.5.  Consequences . . . . . . . . . . . . . . . . . . . . . . . 10
   3.  How Bad Is The Problem?  . . . . . . . . . . . . . . . . . . . 10
     3.1.  Backbone Providers . . . . . . . . . . . . . . . . . . . . 10
       3.1.1.  DDoS Traffic . . . . . . . . . . . . . . . . . . . . . 10
       3.1.2.  Problem Mitigation . . . . . . . . . . . . . . . . . . 11
     3.2.  Access Providers . . . . . . . . . . . . . . . . . . . . . 12
     3.3.  Enterprise Networks: Perspective from a Large
           Enterprise . . . . . . . . . . . . . . . . . . . . . . . . 13
     3.4.  Domain Name Services . . . . . . . . . . . . . . . . . . . 14
   4.  Current Vulnerabilities and Existing Solutions . . . . . . . . 15
     4.1.  Internet Vulnerabilities . . . . . . . . . . . . . . . . . 15
     4.2.  Existing Solutions . . . . . . . . . . . . . . . . . . . . 16
       4.2.1.  Existing Solutions for Backbone Providers  . . . . . . 16
       4.2.2.  Existing Solutions for Enterprise Networks . . . . . . 17
     4.3.  Shortfalls in the Existing Network Protection  . . . . . . 18
       4.3.1.  Inadequate Tools . . . . . . . . . . . . . . . . . . . 18
       4.3.2.  Inadequate Deployments . . . . . . . . . . . . . . . . 18
       4.3.3.  Inadequate Education . . . . . . . . . . . . . . . . . 19
       4.3.4.  Is Closing Down Open Internet Access Necessary?  . . . 19
   5.  Active and Potential Solutions in the Pipeline . . . . . . . . 20
     5.1.  Central Policy Repository  . . . . . . . . . . . . . . . . 20
     5.2.  Flow Based Tools . . . . . . . . . . . . . . . . . . . . . 21
     5.3.  Internet Motion Sensor (IMS) . . . . . . . . . . . . . . . 21
     5.4.  BCP 38 . . . . . . . . . . . . . . . . . . . . . . . . . . 22
     5.5.  Layer 5 to 7 Awareness . . . . . . . . . . . . . . . . . . 22
     5.6.  How To's . . . . . . . . . . . . . . . . . . . . . . . . . 22
     5.7.  SHRED  . . . . . . . . . . . . . . . . . . . . . . . . . . 23
   6.  Research in Progress . . . . . . . . . . . . . . . . . . . . . 23
     6.1.  Ongoing Research . . . . . . . . . . . . . . . . . . . . . 23
       6.1.1.  Exploited Hosts  . . . . . . . . . . . . . . . . . . . 23
       6.1.2.  Distributed Denial of Service (DDoS) Attacks . . . . . 25
       6.1.3.  Spyware  . . . . . . . . . . . . . . . . . . . . . . . 26
       6.1.4.  Forensic Aids  . . . . . . . . . . . . . . . . . . . . 26
       6.1.5.  Measurements . . . . . . . . . . . . . . . . . . . . . 27
       6.1.6.  Traffic Analysis . . . . . . . . . . . . . . . . . . . 27
       6.1.7.  Protocol and Software Security . . . . . . . . . . . . 27
     6.2.  Research on the Internet . . . . . . . . . . . . . . . . . 27
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools