SIFF: a stateless Internet flow filter to mitigate DDoS flooding attacks
Yaar, A.
Perrig, A.
Song, D.
Carneggie Mellon Univ., Pittsburgh, PA, USA;
This paper appears in: Security and Privacy, 2004. Proceedings. 2004 IEEE Symposium on
Publication Date: 9-12 May 2004
On page(s): 130- 143
ISSN: 1081-6011
ISBN: 0-7695-2136-3
INSPEC Accession Number: 8057707
Digital Object Identifier: 10.1109/SECPRI.2004.1301320
Current Version Published: 2004-06-01
Abstract
One of the fundamental limitations of the Internet is the inability of a packet flow recipient to halt disruptive flows before they consume the recipient's network link resources. Critical infrastructures and businesses alike are vulnerable to DoS attacks or flash-crowds that can incapacitate their networks with traffic floods. Unfortunately, current mechanisms require per-flow state at routers, ISP collaboration, or the deployment of an overlay infrastructure to defend against these events. In this paper, we present SIFF, a Stateless Internet Flow Filter, which allows an end-host to selectively stop individual flows from reaching its network, without any of the common assumptions listed above. We divide all network traffic into two classes, privileged (prioritized packets subject to recipient control) and unprivileged (legacy traffic). Privileged channels are established through a capability exchange handshake. Capabilities are dynamic and verified statelessly by the routers in the network, and can be revoked by quenching update messages to an offending host. SIFF is transparent to legacy clients and servers, but only updated hosts will enjoy the benefits of it.
Index
Terms
Available to subscribers and IEEE members.
References
Available to subscribers and IEEE members.
Citing Documents
Available to subscribers and IEEE members.
Cart
