A. Yaar, A. Perrig, D. Song, SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, IEEE Security and Privacy Symposium, 2004
Scribed by: Nishchay Sinha
Summary:
The paper surveys the paradigms of DDoS attacks and presents one solution to them. SIFF mitigates DDoS by letting the server decide which traffic is allowed to reach it. Each router en route adds a mark to the packet (the mark is a hash of the source/destination IP, the incoming interface and the last-hop interface), so that the marks accumulate into a capability; when the server sends this capability back to the sender, the sender holds a ticket that lets it send data packets using that capability. If the capability is wrong the packet is dropped, and if a packet carries no capability at all it is treated as an unprivileged packet. Privileged packets (those whose ticket is valid) do not suffer because of other, unauthorized packets aimed at the victim, and this is how a DoS is prevented.
Discussion:
1. The security paradigm differs for crypto and systems, as there is no fixed set of rules/models for systems.
2. DoS: forced malfunction, rebinding attack (like ARP), protocol attack (exploit), resource exhaustion.
3. Forced malfunction: WinNuke (out-of-band packet to port 139), LAND (TCP packet with the src IP set to the listening device), Teardrop (IP reassembly bugs).
4. General solutions: different layers/domains, languages etc.
5. Protocol attack: ICMP attacks on TCP (source quench by guessing the right sequence number in a long-lived flow), congestion control attack (like forcing the target to enter retransmission timeouts by sending the same-sequence packet more than two or three times).
6. SYN/ACK attacks: SYN proxies (SYN cookies), randomly dropping half-open connections with a high chance of foregoing a malicious connection.
7. Downlink flooding: ideally the network should take care of that.
8. DDoS: bots (80-100k) seen; smurf attack by amplification of the response (like DNS query-response).
9. Solution: push admission control from the server into the network, and the power of a revoked capability.
10. Flash crowds are not solved by SIFF.
11. Does not defend against teardown/LAND attacks.
12. The hashing of the capability includes the source IP (against address spoofing), the destination IP (preventing reuse of capability maps), and the incoming IP interface (against a mobility attack where the same source moves to a different location).
13. Negative points: security (SIFF capability length) is proportional to the hop count; also, the variable length of the SIFF header sucks in a real implementation.
14. The non-causality argument made in the paper about re-enforcing a stable path is really a low ebb of the paper.
15. Issue: flood the capability channel (lots of EXP packets)??? A real drainer.
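To make the mechanism from the summary and point 12 concrete, here is a toy simulation added to these notes (it is not code from the paper or from any SIFF implementation): routers compute a keyed per-hop mark over source IP, destination IP, incoming interface and last-hop interface, the EXP packet collects the marks into a capability, and data packets are then checked hop by hop. The per-router secret keys, interface names, addresses and the 4-byte mark width are constructed assumptions; SIFF itself keeps only a few bits per router, which is why capability strength grows with hop count.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Router:
    name: str
    key: bytes  # hypothetical per-router secret; rotating it revokes old tickets

    def mark(self, src, dst, in_if, last_hop):
        # Per-hop mark: keyed hash over source IP, destination IP, incoming interface
        # and last-hop interface, truncated to 4 bytes here (SIFF uses far fewer bits).
        msg = f"{src}|{dst}|{in_if}|{last_hop}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:4]
@dataclass
class Packet:
    src: str
    dst: str
    capability: Optional[list] = None  # None = no capability (unprivileged)

def forward(path, hop_ctx, pkt):
    """Push pkt through path; hop_ctx[i] is the (incoming interface, last-hop)
    pair router i sees. Returns ('privileged' | 'unprivileged' | 'dropped', marks)."""
    marks = []
    for i, router in enumerate(path):
        m = router.mark(pkt.src, pkt.dst, *hop_ctx[i])
        marks.append(m)
        # Slice rather than index so a too-short capability also fails the check.
        if pkt.capability is not None and pkt.capability[i:i + 1] != [m]:
            return "dropped", marks  # wrong capability: dropped at this hop
    return ("unprivileged" if pkt.capability is None else "privileged"), marks
def siff_handshake(path, hop_ctx, client, server):
    # The EXP packet carries no capability, travels unprivileged and collects one
    # mark per router; the server hands the marks back as the client's ticket.
    return forward(path, hop_ctx, Packet(client, server))[1]
# Constructed topology: client -> R1 -> R2 -> R3 -> server.
PATH = [Router("R1", b"k1"), Router("R2", b"k2"), Router("R3", b"k3")]
CTX = [("eth0", "client"), ("eth1", "R1"), ("eth1", "R2")]
CLIENT, SERVER, ATTACKER = "10.0.0.5", "198.51.100.10", "10.0.0.99"

def scenarios():
    cap = siff_handshake(PATH, CTX, CLIENT, SERVER)
    legit = forward(PATH, CTX, Packet(CLIENT, SERVER, cap))[0]
    no_cap = forward(PATH, CTX, Packet(CLIENT, SERVER))[0]
    spoofed = forward(PATH, CTX, Packet(ATTACKER, SERVER, cap))[0]  # ticket replayed from another src
    moved = forward(PATH, [("eth2", "host2")] + CTX[1:], Packet(CLIENT, SERVER, cap))[0]
    rotated = PATH[:1] + [Router("R2", b"k2-new")] + PATH[2:]  # R2 rotates its key
    revoked = forward(rotated, CTX, Packet(CLIENT, SERVER, cap))[0]
    return cap, legit, no_cap, spoofed, moved, revoked
```

The last three scenarios show why the hash covers the source IP and the incoming interface (points 12 and 9): a replayed ticket from another source or another ingress fails at the first router, and a key rotation revokes every ticket that router issued.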
Critique:
I like the paper for the idea that admission control can be pushed into the inner network, so that malicious traffic can be checked right at its origin. Despite a lot of claims which will not be solved by this paper, and there are plenty of them, I rate this paper a good one. There are some issues in the paper which can be really improved upon, and it is thus a harbinger for such works.