An entropy-based countermeasure against intelligent DoS attacks targeting firewalls

  • Authors:
  • F. Al-Haidari; M. Sqalli; K. Salah; J. Hamodi

  • Affiliations:
  • College of Computer Science and Engineering, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia; College of Computer Science and Engineering, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia; College of Computer Science and Engineering, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia; College of Computer Science and Engineering, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia

  • Venue:
  • POLICY'09 Proceedings of the 10th IEEE international conference on Policies for distributed systems and networks
  • Year:
  • 2009

Abstract

Denial of Service (DoS) attacks are very dangerous as they consume resources at the network and transport layers. Firewalls are considered as the first line of defence in any network. An attacker may use probing to learn a firewall's policy, and then launch a DoS attack that floods the firewall with traffic targeting the rules at the bottom of this policy. In this paper, we propose a countermeasure that enables the firewall to endure the attack attempts without denying service to legitimate clients. The goal of this work is to use an entropy-based scheme to distinguish between the legitimate and attack traffic. Then, the legitimate traffic will be placed in a queue with a higher priority than the queue holding the attack traffic. The results show that the proposed scheme improves on the performance of the firewall under a DoS attack.