Resiliency of open-source firewalls against remote discovery of last-matching rules

Authors:
Khaled Salah;Karim Sattar;Zubair Baig;Mohammed Sqalli;Prasad Calyam
Affiliations:
King Fahd University of Petroleum and Engineering, Dhahran, Saudi Arabia;King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia;King Fahd University of Petroleum and Engineering, Dhahran, Saudi Arabia;King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia;The Ohio State University, Columbus, OH, USA
Venue:
Proceedings of the 2nd international conference on Security of information and networks
Year:
2009

Citing 7
Cited 2

High-speed policy-based packet forwarding using efficient multi-dimensional range matching

Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
Firewall Security: Policies, Testing and Performance Evaluation

COMPSAC '00 24th International Computer Software and Applications Conference
Algorithms for routing lookups and packet classification

Algorithms for routing lookups and packet classification
A Graph-based Methodology for Analyzing IP Spoofing Attack

AINA '04 Proceedings of the 18th International Conference on Advanced Information Networking and Applications - Volume 2
Quantitative Analysis on the Cacheability Factors of Web Objects

COMPSAC '06 Proceedings of the 30th Annual International Computer Software and Applications Conference - Volume 01
Denial of service via algorithmic complexity attacks

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
On the Safety and Efficiency of Firewall Policy Deployment

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy

Discovering last-matching rules in popular open-source and commercial firewalls

International Journal of Internet Protocol Technology
Acceleration of packet filtering using gpgpu

Proceedings of the 4th international conference on Security of information and networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

In today's networks, firewalls act as the first line of defense against unwanted and malicious traffics. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation to filter traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of firewalls. If these rules get discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of such technique on the discovery of last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.