High-speed policy-based packet forwarding using efficient multi-dimensional range matching. Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication.
Firewall Security: Policies, Testing and Performance Evaluation. COMPSAC '00 24th International Computer Software and Applications Conference.
Algorithms for routing lookups and packet classification.
A Graph-based Methodology for Analyzing IP Spoofing Attack. AINA '04 Proceedings of the 18th International Conference on Advanced Information Networking and Applications - Volume 2.
Quantitative Analysis on the Cacheability Factors of Web Objects. COMPSAC '06 Proceedings of the 30th Annual International Computer Software and Applications Conference - Volume 01.
Denial of service via algorithmic complexity attacks. SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12.
On the Safety and Efficiency of Firewall Policy Deployment. SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy.
Discovering last-matching rules in popular open-source and commercial firewalls. International Journal of Internet Protocol Technology.
Acceleration of packet filtering using GPGPU. Proceedings of the 4th international conference on Security of information and networks.
In today's networks, firewalls act as the first line of defense against unwanted and malicious traffic. Firewalls themselves can become targets of DoS attacks, which jeopardizes their primary function of filtering traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power on the firewall. If an attacker discovers these rules, the attacker can launch a low-rate DoS attack that brings the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last-matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of this technique for discovering last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.