Network Security (Lecture 16)
Scribed by Frank Nothaft
Abraham Yaar et al., SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, IEEE Security and Privacy Symposium 2004
Summary:
This paper discusses a filter intended to mitigate DDoS attacks by allowing the recipient of a packet flow to prevent disruptive flows from impacting it. SIFF realizes this by classifying traffic as either privileged or unprivileged, but leaves the decision of whether to grant a flow privileged status to the recipient. Additionally, the implementation does not require per-flow state in routers, which was a significant improvement over previous DDoS mitigation filters.
SIFF allows a node that wants to initiate a privileged flow with another node to send an EXPLORER packet in order to obtain a “capability”. This packet is sent with the capability field set to 0 and the capability update flag set. Routers between the source and the destination modify the capability field of the packet with their “mark,” a short code consisting of a cryptographic hash of routing information such as SA/DA, the previous-hop router, and the next-hop router.
When the EXPLORER packet reaches the destination, the destination decides whether it wants to acknowledge this flow, and if so sends a capability reply back carrying the capability accumulated in the EXPLORER packet. Routers then use these capabilities to validate the flow: each router checks the mark in a packet against the hash it uses to create the mark, to make sure that the traffic is not coming from a spoofed IP. Privileged traffic that passes the check is allowed to continue onwards, but privileged traffic with an incorrect capability is either dropped or relegated to unprivileged status.
The paper recognizes that a hash is only useful if it is difficult to guess, and that the best way to make guessing difficult is to use strong keys and to change them frequently; however, this is difficult with long-lived flows. As a result, SIFF builds in the ability for a router to change capabilities over the course of a flow without terminating the flow.
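The EXPLORER/capability exchange, the per-hop verification and the key rotation described above, as an added toy model in Python (not the paper's code: the exact mark function, the HMAC-based keying, the fixed-length field size and the addresses are assumptions):

```python
import hashlib
import hmac
import os

MAX_HOPS = 8  # fixed-length capability field: only the first MAX_HOPS routers get to mark


class Router:
    """Holds a secret key and derives a short per-hop mark from routing information."""
    def __init__(self, name, key=None, mark_bits=2):
        self.name = name
        self.key = key or os.urandom(16)
        self.prev_key = None  # kept after rotation so in-flight flows are not cut off
        self.mark_bits = mark_bits  # SIFF marks are short; the notes say 2-4 bits

    def mark(self, key, sa, da, prev_hop, next_hop):
        # keyed hash over SA/DA, previous hop and next hop, truncated to mark_bits
        msg = f"{sa}|{da}|{prev_hop}|{next_hop}".encode()
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & ((1 << self.mark_bits) - 1)

    def rotate_key(self):
        self.prev_key, self.key = self.key, os.urandom(16)


def _hops(path, sa, da):
    """Yield (index, router, previous hop, next hop) for the routers that fit in the field."""
    names = [sa] + [r.name for r in path] + [da]
    for i, r in enumerate(path[:MAX_HOPS]):  # routers past MAX_HOPS neither mark nor check
        yield i, r, names[i], names[i + 2]

def explore(path, sa, da):
    """EXPLORER packet: each router appends its mark; the destination returns the result."""
    cap = []
    for i, r, prev_hop, next_hop in _hops(path, sa, da):
        cap.append(r.mark(r.key, sa, da, prev_hop, next_hop))
    return cap

def send_privileged(path, sa, da, cap):
    """Privileged packet: each router re-derives its mark and compares it with the capability.
    Returns (delivered, updated_cap); updated_cap carries new marks for routers whose key rotated."""
    updated = list(cap)
    for i, r, prev_hop, next_hop in _hops(path, sa, da):
        current = r.mark(r.key, sa, da, prev_hop, next_hop)
        if cap[i] == current:
            continue
        if r.prev_key is not None and cap[i] == r.mark(r.prev_key, sa, da, prev_hop, next_hop):
            updated[i] = current  # valid under the previous key: hand the new mark to the destination
            continue
        return False, updated  # mark does not verify (e.g. spoofed SA): drop or demote to unprivileged
    return True, updated
```

With the default 2-bit marks a forged capability passes a single router one time in four, which is why the paper relies on several hops and frequent key changes rather than on any one mark.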
Discussion:
Discussion centered on security as an academic discipline and the various types of attacks that can be engineered, as well as on the concept of capability-based security and the topics of the paper.
As an academic discipline, security exists both in the cryptology world and in the systems world. Cryptology is a much more formal and principled discipline, whereas the systems discipline is much more ad hoc and has a higher degree of freedom. Papers in the systems domain (such as SIFF) are frequently published simply for being interesting.
As for attacks, there exist four major categories of Denial of Service (DoS) attacks:
- Forced malfunction attacks, such as WinNuke (send bad OOB data to port 139) and LAND (send a TCP request with SA = DA, causing the computer to send packets to itself ad infinitum).
- Protocol attacks, which take advantage of legitimate protocol functionality, such as ICMP attacks on TCP, synchronized congestion attacks (which can cause 95% degradation with a small amount of traffic), and guessing TCP sequence numbers and using them to reset a connection.
- Attacks on rebinding.
- Resource exhaustion attacks, such as uplink bandwidth exhaustion (continuously launch requests for a file from a server; this works due to the general asymmetry of bandwidth), SYN flooding (exhausts memory by requiring the computer to store copies of many packets), and downlink flooding (the attacker generates enough traffic to saturate the downlink bandwidth).
DoS attacks are frequently difficult to combat, as it is difficult to determine the intent of an attacker (frequent requests for information could be legitimate), and the granularity of IP makes it difficult to determine whether all traffic in an attack comes from one source or from multiple sources.
Capability-based security started to rise to prominence around 2004-05, and SIFF was one of the first major papers to be published. SIFF was actually rejected from many conferences at first, and was modified to cater to review committees (a long, prominent related work section and a somewhat unrelated section were added at the behest of the angel).
SIFF has some problems. Specifically, a fixed-length field cannot be used, as path length is not a fixed quantity and could (in theory) be infinitely long. This can be overcome by only using the first n hops or by increasing the complexity of the hardware that handles SIFF. Additionally, there is no way for capabilities to be revoked once they have been granted; doing so would require inter-ISP collaboration.
Critique:
I think this is an interesting approach, but I think that there are several problems inherent in the design. Similar to how DDoS can now be conducted with a SYN flood, SIFF opens up the new avenue of EXP flooding, but this is not entirely unsurprising, as it would be very difficult to come up with a one-stop approach for preventing all DDoS.
I must admit, though, that I think SIFF is really ingenious, as they solve the problem of DDoS mitigation without requiring per-flow state in routers, and they solve it in a manner that is not really hackable. Even if a nefarious being hopes to get privileged access to a target by snooping on another flow and looking at its capabilities, this will only work if he sits along the same path to the destination as the source of the flow being snooped on.
I do have some reservations about SIFF, though, as I don’t think it’s really scalable. Beyond the limited number of keys (with each key being 2-4 bits), there is logically a limit to how many hops a packet can take before it has a privilege that is too large/cumbersome to store. Additionally, it doesn’t handle rapidly changing routes well, and makes the disclaimer that routing changes rapidly under the volume of DDoS attacks, which breaks SIFF, but SIFF mitigates DDoS, therefore SIFF doesn’t break, which doesn’t seem to stand up to more thorough investigation.