| Internet-Draft | Decentralized Threat Signaling Protocol | December 2025 |
| Luo | Expires 19 June 2026 | [Page] |
This document specifies the Decentralized Threat Signaling Protocol (DTSP), a mechanism for distributed edge clients to collaboratively detect, report, and mitigate network threats. The protocol defines a state machine for threat lifecycle management (T0-T3), a standardized data format for threat signaling, and security mechanisms to prevent abuse in a permissionless environment.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 19 June 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The increasing sophistication of network attacks requires a collaborative defense mechanism that operates at the edge. Centralized threat intelligence systems suffer from single points of failure and latency issues. DTSP enables a decentralized network of edge clients to share threat intelligence in real-time, leveraging a blockchain-based consensus mechanism for verification.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The lifecycle of a threat in DTSP is modeled as a Finite State Machine (FSM). Each edge client maintains the state of detected threats.¶
The FSM consists of the following states:¶
IDLE: No threat detected.¶
OPTIMISTIC_BLOCK (T0): Local detection of suspicious activity. Immediate local mitigation.¶
REPORTED (T1): Threat evidence submitted to the network.¶
VERIFIED (T2): Network consensus reached. Threat confirmed.¶
GLOBAL_ENFORCE (T3): Global propagation of the threat signature.¶
EXPIRED: Threat entry validity period ended.¶
The Edge Client MUST transition to the OPTIMISTIC_BLOCK state immediately upon detection of traffic matching local heuristic rules (e.g., high-frequency connection attempts).¶
In this state, the client:¶
The Edge Client MUST transition to the REPORTED state after generating valid evidence. The client sends a ThreatSignal message to the network. To prevent front-running, the client MUST use a Commit-Reveal scheme:¶
The state transitions to VERIFIED when the network (via Smart Contract or Oracle) validates the evidence. A threat is considered verified if: Sum(Reputation(Reporters)) > Threshold.¶
Upon entering the GLOBAL_ENFORCE state, the threat signature is added to the Global Blocklist. All participating clients MUST synchronize this list and enforce blocking rules via their local kernel datapath (e.g., eBPF).¶
The ThreatSignal message is used to report a detected threat. It is serialized using JSON.¶
+-----------+-----------+-----------------------------------------+ | Field | Type | Description | +-----------+-----------+-----------------------------------------+ | version | uint8 | Protocol version (e.g., 1) | | type | uint8 | Threat type (0=DDoS, 1=Scan, 2=Malware) | | source_ip | bytes | IP address (4 or 16 bytes IPv4/IPv6) | | target_ip | bytes | Victim IP (Optional) | | timestamp | uint64 | Unix timestamp of detection (ms) | | evidence | bytes | Cryptographic proof or log snippet | | signature | bytes | Digital signature of reporting client | +-----------+-----------+-----------------------------------------+¶
| Field | Type | Description |
|---|---|---|
| packet_dump | bytes | Sample of malicious packets (pcap) |
| flow_stats | struct | Flow statistics (PPS, BPS, duration) |
| heuristics | string | ID of the heuristic rule triggered |
To prevent Sybil attacks where an adversary creates multiple identities to flood the network with false reports, DTSP utilizes a Reputation System.¶
To prevent "free-riding" (copying others' reports) or front-running:¶
This document has no IANA actions.¶