A. Yaar, A. Perrig, D. Song, SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, IEEE Security and Privacy Symposium, 2004
Summary of Paper
SIFF provides network hosts with a defense against DDoS flooding attacks by giving them a means of signaling to upstream routers to drop a particular traffic flow. It does not require prerequisites such as keeping per-flow state in the routers, inter-ISP collaboration, or deployment of an overlay infrastructure. It does require an upgrade of all network entities to support SIFF flow tagging. Network traffic is separated into privileged and non-privileged, and in case of an attack all non-privileged traffic and suspicious privileged traffic can be dropped by signaling to routers upstream from the attacked host.
A capability exchange handshake is used to establish privileged channels. Capabilities are dynamic, can be verified statelessly, and can be revoked. SIFF is transparent (but useless) to legacy clients and servers.
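As an added illustration (not code from the paper, which packs its markings far more compactly into the IP header), here is a toy Python model of the mechanism just described: each router holds only a rotating secret, stamps a keyed marking into handshake packets, and later verifies the returned capability statelessly. Router names, addresses, the 16-bit marking width and the deterministic key derivation are constructed for the demo; key switching lets a server revoke a channel simply by not renewing it, and a route change invalidates the capability, which is the path-instability problem raised in the discussion below.

```python
import hashlib
import hmac

MARK_BITS = 16   # bits each router contributes; constructed, SIFF itself uses far fewer


class Router:
    """A SIFF-style router: holds only its own rotating secret, no per-flow state."""

    def __init__(self, name, epoch=0):
        self.name, self.epoch = name, epoch

    def _key(self, epoch):
        # Constructed: derive the secret from (name, epoch) so the demo is deterministic;
        # a real router would draw a fresh random key at every switch.
        return hashlib.sha256(f"{self.name}:{epoch}".encode()).digest()

    def switch_key(self):
        """Key switching: markings made under the previous key stay valid one more epoch."""
        self.epoch += 1

    def mark(self, src, dst, epoch=None):
        epoch = self.epoch if epoch is None else epoch
        digest = hmac.new(self._key(epoch), f"{src}->{dst}".encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & ((1 << MARK_BITS) - 1)

    def accepts(self, src, dst, marking):
        return marking in (self.mark(src, dst), self.mark(src, dst, self.epoch - 1))


def forward(path, pkt):
    """Push a packet through `path`; return it as the server sees it, or None if dropped."""
    cap = list(pkt["cap"])
    for r in path:
        if not pkt["priv"]:
            cap.append(r.mark(pkt["src"], pkt["dst"]))   # handshake: collect one marking per hop
        elif cap and r.accepts(pkt["src"], pkt["dst"], cap[0]):
            cap = cap[1:] + cap[:1]                       # verified; rotate so next hop sees its mark
        else:
            return None                                   # stale, forged or wrong-path capability
    return {**pkt, "cap": cap}


def handshake(path, client, server):
    """Client sends an unprivileged request; the server reflects the collected capability back."""
    return forward(path, {"src": client, "dst": server, "priv": False, "cap": []})["cap"]


def send_privileged(path, client, server, cap):
    """True if a privileged packet carrying `cap` survives every router on `path`."""
    return forward(path, {"src": client, "dst": server, "priv": True, "cap": cap}) is not None
```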
Summary of Discussion
- Security systems research is a mess: lots of vulnerabilities, lots of point solutions
- Denial of service comes in many flavors
- Protocol designers should consider the security angle in advance
- It could be worthwhile doing static analysis on existing protocols
- Kaminsky attack and Birthday Paradox
- DDoS attacks exhaust limited resources: uplink bandwidth, memory (buffers)
- Connections can be protected with SYN cookies (spoofing protection) or by randomly dropping packets
- Combination of spoofing and amplification attacks can be very powerful
- IEEE Security Conference is not great
- Signaling in SIFF depends on the length of the path to the router and on uplink bandwidth, which may not be available during an attack
- Capabilities may not be easy to implement in hardware due to their variable length
- DDoS increases network instability; SIFF is expected to protect the network from DDoS, but network instability actually breaks SIFF
- Malicious servers can wreak havoc with network routers
Opinion/Critique
The SIFF paper presents an attempt to mitigate the damage from DDoS attacks at the cost of updating all Internet servers, clients, and routers, which seems pretty drastic. Additionally, their key switching protocol seems like a difficult thing to implement in a real network environment, especially given path instability. The paper does have a large introduction and related work section that is very helpful.