Internet Architecture Board (IAB)                            K. Moriarty
Request for Comments: 8073                                       M. Ford
Category: Informational                                       March 2017
ISSN: 2070-1721

Coordinating Attack Response at Internet Scale (CARIS) Workshop Report




This report documents the discussions and conclusions from the Coordinating Attack Response at Internet Scale (CARIS) workshop that took place in Berlin, Germany on 18 June 2015. The purpose of this workshop was to improve mutual awareness, understanding, and coordination among the diverse participating organizations and their representatives.


Note that this document is a report on the proceedings of the workshop. The views and positions documented in this report are those of the workshop participants and do not necessarily reflect IAB views and positions.


Status of This Memo


This document is not an Internet Standards Track specification; it is published for informational purposes.


This document is a product of the Internet Architecture Board (IAB) and represents information that the IAB has deemed valuable to provide for permanent record. It represents the consensus of the Internet Architecture Board (IAB). Documents approved for publication by the IAB are not a candidate for any level of Internet Standard; see Section 2 of RFC 7841.


Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at


Copyright Notice


Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.


This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents ( in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.


Table of Contents


   1.  Introduction
   2.  Sessions and Panel Groups
     2.1.  Coordination between CSIRTs and Attack Response Mitigation Efforts
     2.2.  Scaling Response to DDoS and Botnets Effectively and Safely
     2.3.  DNS and RIRs: Attack Response and Mitigation
     2.4.  Trust Privacy and Data Markings Panel
   3.  Workshop Themes
   4.  Next Steps
     4.1.  RIR and DNS Provider Resources
     4.2.  Education and Guidance
     4.3.  Transport Options
     4.4.  Updated Template for Information Exchange Groups
   5.  Security Considerations
   6.  Informative References
   Appendix A. Workshop Attendees
   IAB Members at the Time of Approval
   Acknowledgements
   Authors' Addresses
1. Introduction

The Internet Architecture Board (IAB) holds occasional workshops designed to consider long-term issues and strategies for the Internet, and to suggest future directions for the Internet architecture. This long-term planning function of the IAB is complementary to the ongoing engineering efforts performed by working groups of the Internet Engineering Task Force (IETF), under the leadership of the Internet Engineering Steering Group (IESG) and area directorates.


The Internet Architecture Board (IAB) and the Internet Society (ISOC) hosted a day-long Coordinating Attack Response at Internet Scale (CARIS) workshop on 18 June 2015 in coordination with the Forum for Incident Response and Security Teams (FIRST) Conference in Berlin. The workshop included members of the FIRST community, attack response working group representatives, network and security operators, Regional Internet Registry (RIR) representatives, researchers, vendors, and representatives from standardization communities. The key goals of the workshop were to improve mutual awareness, understanding, and coordination among the diverse participating organizations. The workshop also aimed to provide the attendees with greater awareness of existing efforts to mitigate specific types of attacks, and greater understanding of the options available to collaborate and engage with these efforts.


The day-long workshop included a mix of invited talks and panel discussion sessions with opportunities to collaborate throughout, taking full advantage of the tremendous value of having these diverse communities with common goals in one room. There were approximately 50 participants engaged in the CARIS workshop.


Attendance at the workshop was by invitation only. Prior to the workshop, existing attack-mitigation working groups were asked to complete a survey. The data gathered through this questionnaire, including how third parties can participate in or contribute to the attack-mitigation working group, was shared with all of the participants at the workshop to better enable collaboration [ISOC]. Attendees were also selected from submissions of two-page position papers that included some key insight or challenge relevant to the broader group. Paper topics included research topics related to attack mitigation or information sharing/exchange, success stories, lessons learned, and more in-depth studies on specific topics such as privacy or trust.


The program committee received 25 papers and 19 template submissions. The template submissions will be maintained by the Internet Society, and as a result of the workshop, they will be amended to provide additional value to the Computer Security Incident Response Teams (CSIRTs) and attack response communities/operators on their information exchange capabilities. The CARIS participants found the template submissions to be very useful in coordinating their future attack mitigation efforts. This initiative is new, open to the global community, and hosted in a neutral location. All submissions are available online and are linked from the agenda [AGENDA].


The workshop talks and panels involved full participation from attendees who were required to read all the submitted materials. The panels were organized to spur conversation between specific groups to see if progress could be made towards more efficient and effective attack mitigation efforts. See [KME] for additional information on possible approaches to accomplish more effective attack response and information exchanges with methods that require fewer analysts.


The workshop was run under the Chatham House Rule to facilitate the exchange of sensitive information involved with incident response. As such, there was no recording, but minutes were taken and used to aid in the generation of this report. Comments will not be attributed to any particular attendee, nor will organizations be named in association with any discussion topics that were not made public through submission templates or papers by the submitter and organization.


2. Sessions and Panel Groups

After an initial presentation to set the stage and elaborate the goals of the workshop, the day was divided into five sessions as follows:


1. Coordination between CSIRTs and attack-response mitigation efforts


2. Scaling response to Distributed Denial-of-Service (DDoS) and botnets effectively and safely


3. Infrastructure: DNS and RIR providers and researchers


4. Trust and Privacy with the exchange of potentially sensitive information


5. Implications for Internet architecture and next steps


The remainder of this report will provide more detail on each of these sessions.


2.1. Coordination between CSIRTs and Attack Response Mitigation Efforts

The first panel session on Coordination between CSIRTs and attack mitigation efforts included representatives from several organizations that submitted templates describing their organization's attack mitigation efforts. This panel was purposefully a cross-section of the organizations attending, to see if there were new opportunities to collaborate and improve efficiency, thereby better scaling attack mitigation. The panelists described their efforts with the following questions in mind:


o What is the use case for their organization?


o Where are they focusing their efforts?


o How can others engage with their organization?


o Who participates in their organization today?


For each of the following organizations, additional information can be found in their template submissions [ISOC].


The following summaries are to be read in the context of the workshop and not as standalone descriptions for each organization. These summaries are a result of the workshop discussions.


o ENISA is the European Network and Information Security Agency [ENISA]. While ENISA provides support for the community in the form of education, training, and collaboration on security and attack mitigation, it does not offer a service for attack response or mitigation.


o The Anti-Phishing Working Group (APWG) offered examples of operator-driven exchanges focused on specific use cases that involve hundreds of participating organizations daily. The APWG operates a data clearinghouse and provides infrastructure to support meaningful data exchanges and maintains a current set of data through these interactions. More can be learned on the APWG website [APWG] in addition to their template submission.


o The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) employs an interesting operational model that scales well through automation, exchanging actionable information between 500 universities and automatically implementing controls. Since many universities cannot respond to incidents in real time due to a scarcity of resources, REN-ISAC leverages a small number of analysts to accomplish the task of protecting many universities through automation. The key to the success of their project is providing tools that allow organizations to make use of incident data operationally. They are currently working to develop open-source tools to track metrics more formally [REN-ISAC].


o CERT.br is the Brazilian Computer Emergency Response Team (CERT) that has made impressive progress in a short amount of time. CERT.br is the national focal point for incident reporting, collection, and dissemination of threat and attack trend information in Brazil. CERT.br works to increase awareness and incident-handling capabilities in the country as well as assisting to establish new CSIRTs. In addition to providing training and awareness campaigns, they distribute network security honeypots and have a primary focus on network monitoring. CERT.br requires active participation from third parties wishing to collaborate and exchange data with them [CERT.BR].


o MyCERT's mission is to address the security concerns of Malaysian Internet users and reduce the probability of successful attacks [MYCERT]. They have been operational since 1997. MyCERT is responsible for incident handling of unauthorized intrusions, identity theft, DDoS attacks, etc. MyCERT handles computer security incidents in Malaysia and provides malware research and technical coordination. In addition to incident response and coordination activities, MyCERT members provide talks and training, as well as local and regional security exercises. MyCERT also provides incident alerts and advisories on vulnerabilities, breaches, etc.


o The CERT Coordination Center (CERT/CC) has been operational since 1998 on an international and national scale [CERTCC]. They have long been known for their software vulnerability work and the national vulnerability database in the US (Common Vulnerabilities and Exposures -- CVEs) and informing organizations of vulnerabilities. CERT/CC helps to coordinate between vendors and researchers for improved collaborations. CERT/CC provides guidance on dealing with the aftermath of incidents, risk assessment best practice, bug bounties, and other incident-related areas.


Highlights from the panel discussion:


o Passive surveillance by state actors has impacted incident response activities due to the erosion of trust between communities.


o Government involvement in information exchange efforts has not been productive. Despite lots of discussion, there have not been useful outcomes.


o There is more interest in consuming feeds of information than sharing information.


o Ego has been a big issue for improving data sharing, as have reputation-related concerns when sharing or receiving data.


o There is a perception of weakness around organizations that share attack information in some regions.


o Sharing in isolation doesn't help; it must lead to an operational return on investment.


o Language barriers have been an issue for some national CSIRTs.


o Sharing too much information leads to capacity and resource issues for receiving organizations. Organizations directly receiving feeds can often misinterpret data and think they are under attack when it is not the case. Operational models are preferred where data exchanges have a direct impact on improving the efficiency of a small number of analysts to impact many.


o Privacy regulations restricting some organizations from sharing IP address information have had an impact on the effectiveness of incident data exchanges. ENISA is currently running a study on this impact (this point was raised by several attendees).


o Too many efforts are using data just for blocking attacks and not for operational mitigation and elimination of vulnerabilities as part of their incident response effort. Note: Operational efforts stand out in that they do eliminate threats and update data warehouses.


o Involvement of vendors is needed to better scale attack response. This is not seen as a need by all groups, but some sharing groups with an operational focus are looking for improved efficiencies to leverage a small number of analysts more productively. Analysts are a limited resource in this technical area of expertise.


o Enterprises don't want more security boxes in their networks as they don't have the resources to manage them, so involving vendors doesn't mean deploying more equipment, but improving automated controls and the elimination of threats wherever possible. False positives are still an issue, which can be problematic for some automation activities.


2.2. Scaling Response to DDoS and Botnets Effectively and Safely

The first invited talk at the workshop provided an interesting history of Distributed Denial-of-Service (DDoS) attacks and the evolution of botnets as well as the methods to combat these threats. The paper by Dave Dittrich [DD1] is available to learn more of this history. This section of the report will focus on the workshop discussion in an effort to benefit from the workshop attendees' thoughts concerning how to better scale our response to these threats.


Key points from the discussion:


o Of the attack types discussed, DDoS and botnets appear to be the furthest along in terms of efficient and effective response. Other efforts can learn from this experience. However, there has not been any interaction between the groups responding to these two attack types, even though they may benefit from information exchange tied to remediation activities, since botnets can be the source of DDoS attacks.


o There is a disparity between short-term mitigation goals and actual eradication of DDoS and botnet threats. The question was raised: how do we normalize the same data in different ways to serve different goals? In other words, DDoS traffic is often the result of botnets, but the data is not shared between the service providers and vendors responding to DDoS threats and those actively mitigating and eradicating botnets.


o There are ad hoc trust groups within the operations security (OPSEC) community today. The Cybercrime Response Advisory Group (CRAG) is one example.


o Filtering and triage is an issue, but this is a solvable problem.


o The IETF DDOS Open Threat Signaling (DOTS) working group was discussed and compared to a previous effort, Real-time Inter-network defense (RID) [RFC6545]. It was stated that the two are similar, except DOTS makes use of current data formats and protocols and has the support of multiple DDoS vendors. One of the goals of DOTS is to have this solution be the "glue" between vendors to communicate shared data using standard formats and protocols developed in open-source tools.


o The IETF Interface to Network Security Functions (I2NSF) effort was discussed to explore ways of leveraging infrastructure to combat DDoS attacks.


o Vendors discussed existing capabilities for DDoS mitigation, while data-sharing groups discussed their mitigation activities related to botnets (see the submissions under the heading "Panel on Scaling Attack Response for DDoS and BotNets" in the workshop agenda [AGENDA]).


o Trust and reputation of data sources is still a concern.


o One of the exchange groups has a goal of "automated takedowns" for botnets. However, they think they will always have a need for manual intervention.


o The need for multiple levels of trust seemed to be prevalent among those participating in the panel discussion. Intelligence agencies erode trust (this was also mentioned in the first panel in terms of surveillance activities from governments).


o Although trust was discussed in this panel and there are concerns, it was noted that trust is not as big a barrier for DDoS and botnet mitigation, and this is likely due to the operational experience of the participants.


2.3. DNS and RIRs: Attack Response and Mitigation

This session was a shift from other sessions in the day as the panelists were infrastructure providers for those combating attacks. This session was of interest to see how attack and incident responders could better collaborate with DNS infrastructure organizations and RIRs. These groups have not interacted in the past, and it was interesting to see the collaboration opportunities since the workshop participants rely on these services to do their jobs. From the panelists' perspective, DNS and RIRs are separate worlds where they spend a lot of time trying to educate policy makers about how they work together to make the Internet work.


Key discussion points:


o The use of passive DNS in attack mitigation was described.


o RIRs discussed the data they maintain and provide, including worldwide BGP update data and root DNS server data. These datasets are available to share with researchers and could be of interest to those working on attack response. The current way the data is made available does not scale, and ideas were discussed in the workshop to improve the scalability should this become a more widely used resource.


o Some of the global RIRs already actively coordinate with incident responders in their region. In some cases, they do facilitate information sharing as well as provide education and training. Data shared out by RIRs is anonymized.


o A concern was raised regarding overlapping efforts, and a request was made for the IETF and ISOC to pay attention to this and help. This workshop was one step toward that in bringing together this diverse community. The participants wished to see this type of event repeated for future cross-area collaboration between the diverse set of groups that often only meet within their silo.


o Standards for APIs to access data consistently from RIRs and scoring methods were discussed as possible ways to scale trust. Questions were raised as to how this might be possible. One might receive unverifiable data about a network. They may be able to verify the source's identity, verify route origins, but won't be able to verify the provenance of data.


2.4. Trust Privacy and Data Markings Panel

Why don't organizations share data? The answer seems to be a mix of privacy, legal, technical/mundane, cultural, and communication issues. There are also concerns about sharing proprietary data with competitors. Having said that, most of these reasons were dismissed as bogus by the more operationally focused participants in the workshop. Lawyers need contextual education for the intersection of law and technology. Sensitive data is still an issue as one can't control what others do with data once it is shared.


Key points from the panel discussion:


o Operationally focused groups do retain/rate/re-mark confidence levels based upon the submitter's reputation.


o The Traffic Light Protocol (TLP) [TLP] was discussed. While TLP is useful to some groups who exchange data, others find that it is not granular enough for their needs.


o In many cases, when data is shared, the user never knows, and there is no way to manage that disclosure.


o Trust is personal. When sharing circles get too large, trust breaks down. The personal relationship aspect of information sharing communities was emphasized by several who are actively exchanging data. This was a very prevalent theme.


o A point of comparison was made with consumer goods, and it was observed that trademarks are a byproduct of the Industrial Revolution. The question was raised: does trust need branding?


o Observing participants noted that there appear to be cabals operating the groups based on the current trust notions. This was not disputed.


o Transparency is vital to maintain trust.


o Participants working on automation have found a need to share with organizations of all sizes as well as a need to share both synchronously and asynchronously. In an automated model, they must ensure data sources are "authorized" and these efforts have encountered questions about anonymization as well as regional regulatory perspectives as they vary.


o Another automation effort found that people have different upper limits for trust group scale, which is sometimes based on individualized knowledge of other participants and having a comfort level with them. Social interaction (beer) is a common thread amongst sharing partners to build trust relationships. The relationships are formed between individuals and not necessarily between organizations.


o It's rare for any single piece of information to be clearly identifiable as private or public. The temptation is to say that information isn't Personally Identifiable Information (PII). In aggregate, however, non-PII can become PII.


o There was common agreement that reputation is fundamental.

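Three of the panel points above (re-marking confidence from the submitter's reputation, TLP markings governing redistribution, and the originator never learning where shared data went) can be made concrete in a small handling model. The following is an added example written for this report, not code from any exchange group or from the [TLP] reference; the reputation table, the TLP v1 audience rules as coded here, and the people and records are constructed assumptions.

```python
"""Constructed model of how an exchange group might handle a TLP-marked indicator
record: re-mark its confidence on receipt, gate redistribution by TLP marking, and
keep an audit trail of every disclosure attempt. Added example, not from RFC 8073."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# TLP v1 markings, most to least restrictive (audience rules below are this example's
# reading of the markings, not a normative encoding of the [TLP] reference).
TLP_ORDER = ("RED", "AMBER", "GREEN", "WHITE")


@dataclass
class Recipient:
    name: str
    org: str
    community: str  # sharing community the person belongs to


@dataclass
class IndicatorRecord:
    indicator: str              # constructed sample value, e.g. a phishing domain
    submitter: str
    community: str              # community the record was originally shared into
    tlp: str
    submitted_confidence: int   # 0-100, as claimed by the submitter
    named_recipients: List[str] = field(default_factory=list)  # TLP:RED audience
    effective_confidence: Optional[int] = None
    disclosures: List[str] = field(default_factory=list)       # audit trail


# Constructed reputation table: observed track record of each submitter, 0-100.
REPUTATION: Dict[str, int] = {"analyst-1": 90, "newcomer": 30}


def remark_confidence(rec: IndicatorRecord, reputation: Dict[str, int] = REPUTATION,
                      unknown_source: int = 20) -> int:
    """Re-mark confidence on receipt: a claim is trusted no more than its source.
    Unknown submitters are capped at a low default rather than taken at face value."""
    cap = reputation.get(rec.submitter, unknown_source)
    rec.effective_confidence = min(rec.submitted_confidence, cap)
    return rec.effective_confidence


def may_disclose(rec: IndicatorRecord, sender: Recipient, target: Recipient) -> bool:
    """Decide whether `sender` may pass the record on to `target` under its marking."""
    if rec.tlp not in TLP_ORDER:
        raise ValueError(f"unknown TLP marking: {rec.tlp}")
    if rec.tlp == "RED":      # named individuals only
        return target.name in rec.named_recipients
    if rec.tlp == "AMBER":    # within the sender's own organisation
        return target.org == sender.org
    if rec.tlp == "GREEN":    # within the sharing community, not publicly
        return target.community == rec.community
    return True               # WHITE: no restriction


def disclose(rec: IndicatorRecord, sender: Recipient, target: Recipient) -> bool:
    """Attempt a redistribution and log it whether allowed or refused, so the
    originator can later see where the record went instead of never knowing."""
    allowed = may_disclose(rec, sender, target)
    rec.disclosures.append(
        f"{sender.name}->{target.name}:{'sent' if allowed else 'refused'}")
    return allowed


def actionable(rec: IndicatorRecord, threshold: int = 50) -> bool:
    """Only records whose re-marked confidence clears the threshold feed automated
    controls; the rest are routed to an analyst, limiting automated false positives."""
    if rec.effective_confidence is None:
        remark_confidence(rec)
    return rec.effective_confidence >= threshold


# Constructed sample people and records.
ALICE = Recipient("alice", "uni-x", "edu-isac")
BOB = Recipient("bob", "uni-x", "edu-isac")
CAROL = Recipient("carol", "isp-y", "edu-isac")
DAVE = Recipient("dave", "vendor-z", "other-community")

SAMPLE_RECORDS = [
    IndicatorRecord("phish.example", "analyst-1", "edu-isac", "GREEN", 95),
    IndicatorRecord("c2.example", "newcomer", "edu-isac", "AMBER", 100),
    IndicatorRecord("drop.example", "unknown-src", "edu-isac", "RED", 80,
                    named_recipients=["alice"]),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.indicator, rec.tlp, "confidence", remark_confidence(rec),
              "actionable" if actionable(rec) else "analyst review")
    disclose(SAMPLE_RECORDS[0], ALICE, DAVE)
    print(SAMPLE_RECORDS[0].disclosures)
```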

3. Workshop Themes

During the course of the day, a couple of themes recurred in the discussions. Firstly, in order to better scale attack response through improvements to the efficiency and effectiveness of information exchanges:


1. Exchanging data should not be just for the purpose of creating blacklists that could be redundant efforts.


2. Involving service providers and vendors to better coordinate and scale response is key.


Secondly, information security practitioners are a scarce resource:


1. Training and education were discussed as ways to close this gap, both for information security professionals and for other IT staff, covering basic network and system hygiene.


2. Leveraging existing resources to scale response better while consuming fewer of them is critical.


4. Next Steps
4.1. RIR and DNS Provider Resources

Workshop participants expressed an interest in expanded information about the resources and assistance offered by the RIRs and DNS providers. Participants are going to define what is needed.


4.2. Education and Guidance

Another recurring theme was the lack of knowledge in the community about basic security principles such as the ingress and egress filtering explained in BCP 38 [RFC2827]. The CSIRTs, operators, and vendors of attack mitigation tools found this particularly frustrating. As a result, follow-up activities may include determining whether the security guidance BCPs require updates, or whether there are opportunities to educate people on these basic principles already documented by the IETF.

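To make the BCP 38 [RFC2827] principle referred to above concrete, here is an added example (written for this report, not taken from BCP 38 or any vendor's implementation) of the anti-spoofing decision an edge router makes: on a customer-facing interface, permit only sources within the prefixes assigned to that customer, and on the upstream link refuse packets that claim one of our own prefixes or a non-routable source. The interface names, prefixes, bogon list and sample packets are constructed assumptions.

```python
"""Illustration of the BCP 38 / RFC 2827 ingress filtering rule at a stub-network edge.
Added example, not part of RFC 8073 or BCP 38; topology and packets are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str    # source address as written in the packet
    dst: str


# Constructed topology: an edge router with two customer-facing interfaces and one
# upstream link. Each customer interface may only originate traffic from the prefixes
# assigned to that customer; that is the BCP 38 rule.
CUSTOMER_PREFIXES: Dict[str, List[IPNet]] = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}
UPSTREAM_IFACE = "upstream"

# Sources that should never arrive from the Internet (private, loopback, link-local, ...).
# A constructed, non-exhaustive list for the example.
BOGONS: List[IPNet] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7")]


def _in_any(addr, nets: List[IPNet]) -> bool:
    # `in` simply returns False when the address and network families differ.
    return any(addr in net for net in nets)


def ingress_verdict(pkt: Packet) -> Tuple[str, str]:
    """Apply the anti-spoofing rule to one packet; returns ('permit'|'deny', reason)."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "deny", "unparseable source address"
    if pkt.iface in CUSTOMER_PREFIXES:
        if _in_any(src, CUSTOMER_PREFIXES[pkt.iface]):
            return "permit", "source within prefixes assigned to this interface"
        return "deny", "source not assigned to this interface (spoofed)"
    if pkt.iface == UPSTREAM_IFACE:
        own = [n for nets in CUSTOMER_PREFIXES.values() for n in nets]
        if _in_any(src, own):
            return "deny", "our own prefix claimed by a packet from upstream (spoofed)"
        if _in_any(src, BOGONS):
            return "deny", "non-routable source from upstream"
        return "permit", "external source"
    return "deny", "unknown interface"


def summarize(packets: List[Packet]) -> Dict[str, Counter]:
    """Count verdicts per interface. A burst of denies on one customer port is the
    signal that a host behind it is emitting spoofed-source traffic and should be
    investigated; the filter also stops that traffic before it reaches a victim."""
    per_iface: Dict[str, Counter] = {}
    for p in packets:
        verdict, _ = ingress_verdict(p)
        per_iface.setdefault(p.iface, Counter())[verdict] += 1
    return per_iface


# Constructed sample traffic, one packet per case of interest.
SAMPLE_PACKETS = [
    Packet("cust-a", "192.0.2.10", "203.0.113.5"),       # legitimate
    Packet("cust-a", "198.51.100.7", "203.0.113.5"),     # cust-b address on cust-a: spoofed
    Packet("cust-a", "203.0.113.200", "203.0.113.5"),    # outside address: spoofed
    Packet("cust-b", "2001:db8:b::1", "2001:db8:1::1"),  # legitimate IPv6
    Packet("cust-b", "198.51.100.200", "203.0.113.5"),   # outside cust-b's /25: spoofed
    Packet("upstream", "203.0.113.9", "192.0.2.10"),     # normal inbound
    Packet("upstream", "192.0.2.99", "192.0.2.10"),      # our own prefix from outside
    Packet("upstream", "10.1.1.1", "192.0.2.10"),        # bogon
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.iface, p.src, *ingress_verdict(p))
    print({k: dict(v) for k, v in summarize(SAMPLE_PACKETS).items()})
```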

4.3. Transport Options

One of the more lively discussions was the need for better transports for information exchange. Real-time Inter-network Defense (RID) [RFC6545] was published 5 years ago. While the patterns established in RID still show promise, there are updated solutions being worked on. One such solution is in the IETF DOTS working group that has an approach similar to RID with updated formats and protocols to meet the demands of today's DDoS attacks. While Trusted Automated eXchange of Indicator Information (TAXII -- another transport option) is just in transition to Organization for the Advancement of Structured Information Standards (OASIS), its base is similar to RID in its use of SOAP-like messaging, which will likely prevent it from scaling to the demands of the Internet. Vendors also cited several interoperability challenges of TAXII in workshop discussions. Alternatively, XMPP-Grid has been proposed in the IETF Security Automation and Continuous Monitoring (SACM) working group and it offers promise as the data exchange protocol for deployment at scale. Extensible Messaging and Presence Protocol (XMPP) [RFC6120] inherently meets the requirements for today's information exchanges with features such as publish/subscribe, federation, and use of a control channel. XMPP-Grid is gaining traction with at least 10 vendors using it in their products and several more planning to add support [APPALA]. Review and discussion of this document would be helpful as it transitions to the Managed Incident Lightweight Exchange (MILE) working group as an outcome of the workshop. Representational State Transfer (REST) was also brought up as a needed interface because of the low barrier to use [REST]. The IETF MILE Working Group has discussed a document detailing a common RESTful interface (ROLIE) that could be used with any data format and this may also be of interest [ROLIE].


4.4. Updated Template for Information Exchange Groups

One of the submission options was for organizations actively exchanging data to submit a form describing their work to reduce computer security incidents. The CSIRTs, in particular, liked having access to this information in a neutral location like the Internet Society. However, they wanted to see amendments to the format to improve its usefulness. There was a desire to have this used by additional information exchange groups, thereby creating a living library to improve awareness about how to become a member, benefit from, or contribute to the success of the attack response and CSIRT information exchange platforms.


5. Security Considerations

The CARIS workshop was focused on security and methods to improve the effectiveness and efficiency of attack response to enable better scaling. This report provides a summary of the workshop discussions and identifies some outcomes to improve security. As such, no additional considerations are provided in this section.


6. Informative References

[AGENDA] "Agenda: Coordinating Attack Response at Internet Scale (CARIS) Workshop", 2015, <>.


[APPALA] Cam-Winget, N., Ed., Appala, S., and S. Pope, "XMPP Protocol Extensions for Use with IODEF", Work in Progress, draft-ietf-mile-xmpp-grid-01, October 2016.


[APWG] "APWG Homepage", <>.


[CERT.BR] "Brazilian National Computer Emergency Response Team Homepage", <>.


[CERTCC] "CERT Coordination Center Homepage", <>.


[DD1] Dittrich, D., "Taking Down Botnets - Background", April 2015, < 04/CARIS_2015_submission_21.pdf>.


[ENISA] "European Union Agency for Network and Information Security Homepage", <>.


[ISOC] "CARIS Workshop Template Submissions 2015", < caris-workshop-template-submissions-2015>.


[KME] Moriarty, K., "Kathleen Moriarty Blog Series", July 2015, <>.


[MYCERT] "Malaysia Computer Emergency Response Team Homepage", <>.


[REN-ISAC] "Research and Education Networking Information Sharing and Analysis Center Homepage", <>.


[REST] Fielding, R., "Architectural Styles and the Design of Network-based Software Architectures", Ph.D. Dissertation, University of California, Irvine, 2000, < fielding_dissertation.pdf>.


[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May 2000, <>.


[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120, March 2011, <>.


[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC 6545, DOI 10.17487/RFC6545, April 2012, <>.


[ROLIE] Field, J., Banghart, S., and D. Waltermire, "Resource-Oriented Lightweight Information Exchange", Work in Progress, draft-ietf-mile-rolie-06, March 2017.


[TLP] "Traffic Light Protocol (TLP) Matrix and Frequently Asked Questions", <>.


Appendix A. Workshop Attendees

In alphabetical order by first name, workshop attendees were: Adli Wahid, Alexey Melnikov, Andrew Sullivan, Arnold Sykosch, Brian Trammell, Chris Morrow, Cristine Hoepers, Dario Forte, Dave Cridland, Dave Dittrich, Eliot Lear, Foy Shiver, Frank Xialiang, Graciella Martinez, Jessica Stienberger, Jim Duncan, Joe Hildebrand, John Bond, John Graham-Cummings, John Kristoff, Kathleen Moriarty, Klaus Steding-Jessen, Linda Dunbar, Marco Obiso, Martin Stiemerling, Mat Ford, Merike Kaeo, Michael Daly, Mio Suzuki, Mirjam Kuehne, Fu TianFu, Nancy Cam-Winget, Nik Teague, Pat Cain, Roland Dobbins, Roman Danyliw, Rosella Mattioli, Sandeep Bhatt, Scott Pinkerton, Sharifah Roziah Mohd Kassim, Stuart Murdoch, Takeshi Takahashi, Ted Hardie, Tobias Gondrom, Tom Millar, Tomas Sander, Ulrich Seldeslachts, Valerie Duncan, and Wes Young.


IAB Members at the Time of Approval


The IAB members at the time this memo was approved were (in alphabetical order):


Jari Arkko, Ralph Droms, Ted Hardie, Joe Hildebrand, Russ Housley, Lee Howard, Erik Nordmark, Robert Sparks, Andrew Sullivan, Dave Thaler, Martin Thomson, Brian Trammell, and Suzanne Woolf.




Thanks are due to the members of the program committee (in alphabetical order) for their efforts to make the CARIS workshop possible and a productive session with cross area expertise: Matthew Ford (Internet Society, UK), Ted Hardie (Google, USA), Joe Hildebrand (Cisco, USA), Eliot Lear (Cisco, Switzerland), Kathleen M. Moriarty (EMC Corporation, USA), Andrew Sullivan (Dyn, USA), and Brian Trammell (ETH Zurich, Switzerland).


Thanks are also due to the CARIS workshop sponsors:


o FIRST provided a room and excellent facilities in partnership with their annual conference in Berlin.


o The Internet Society hosted the social event, a boat ride through the canals of Berlin.


o EMC Corporation provided lunch, snacks, and coffee throughout the day to keep the attendees going.


Authors' Addresses


Kathleen M. Moriarty
176 South Street
Hopkinton, MA
United States of America


Mat Ford
Galerie Jean-Malbuisson 15
Geneva
Switzerland