Session Table Architecture for Defending SYN Flood Attack

Stateful inspection has become the standard technology for network firewalls. In the existing session table architectures of stateful inspection firewalls, timeout processing is expensive. This paper proposes a new architecture that divides each session entry into two separate parts and designs a different data structure for each part. On top of a multi-queue architecture, timeouts that adapt dynamically to the available resources improve the protection of the hosts behind the firewall against SYN flood attacks. Experimental results show that the new architecture performs well on a Gigabit Ethernet network.
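The following Python model is an added illustration of the architecture the abstract describes; it is not code from the paper. It splits each session entry into a lookup part (the 5-tuple key in a hash map) and a timing part (one FIFO queue per connection state, ordered by last activity), so that expiring entries only touches queue heads. The linear relation between half-open occupancy and the embryonic timeout, the millisecond clock, and all names (`SessionTable`, `syn_flood`, the 192.0.2.0/24 addresses) are assumptions made for the example, and the SYN traffic is constructed.

```python
from collections import OrderedDict

# Session states. A half-open (embryonic) entry has seen a SYN but the
# three-way handshake has not completed; a SYN flood fills the table with these.
HALF_OPEN = "half_open"
ESTABLISHED = "established"


class SessionTable:
    """Stateful-inspection session table with per-state FIFO timeout queues.

    Each entry is split in two: the lookup part (5-tuple key in a hash map)
    and the timing part (in one ordered queue per state, oldest first).
    Timeout processing therefore inspects queue heads only, instead of
    scanning every entry. Clock values are integer milliseconds from a
    monotonic clock and must be passed in non-decreasing order.
    """

    def __init__(self, capacity, est_timeout_ms=3_600_000,
                 half_open_max_ms=30_000, half_open_min_ms=1_000):
        self.capacity = capacity
        self.est_timeout_ms = est_timeout_ms
        self.half_open_max_ms = half_open_max_ms
        self.half_open_min_ms = half_open_min_ms
        self.index = {}                                # key -> state
        self.queues = {HALF_OPEN: OrderedDict(),       # key -> last_seen_ms
                       ESTABLISHED: OrderedDict()}     # (oldest at the head)

    def __len__(self):
        return len(self.index)

    def state(self, key):
        return self.index.get(key)

    def half_open_timeout(self):
        """Embryonic timeout shrinks as half-open entries consume the table.

        Assumption (the abstract gives no formula): linear in the share of
        capacity held by half-open entries, floored at half_open_min_ms.
        """
        load = len(self.queues[HALF_OPEN]) / self.capacity
        return max(self.half_open_min_ms, self.half_open_max_ms * (1.0 - load))

    def _enqueue(self, key, state, now):
        old = self.index.get(key)
        if old is not None:
            del self.queues[old][key]
        self.index[key] = state
        self.queues[state][key] = now     # appended at the tail: newest last

    def syn(self, key, now):
        """Inbound SYN: create a half-open entry, reclaiming expired ones first."""
        self.expire(now)
        if key in self.index:
            return True   # retransmit: keep the original timer, do not extend it
        if len(self.index) >= self.capacity:
            return False  # no room even after reclaiming: drop the SYN
        self._enqueue(key, HALF_OPEN, now)
        return True

    def ack(self, key, now):
        """Handshake-completing ACK: promote to ESTABLISHED; no state -> drop."""
        if key not in self.index:
            return False
        self._enqueue(key, ESTABLISHED, now)
        return True

    def expire(self, now):
        """Reclaim timed-out entries; cost is proportional to entries dropped."""
        dropped = 0
        # The half-open timeout is sampled once per pass, so a whole flood
        # burst is reclaimed under the tightest timeout the load justified.
        for state, timeout in ((HALF_OPEN, self.half_open_timeout()),
                               (ESTABLISHED, self.est_timeout_ms)):
            q = self.queues[state]
            while q:
                key, last_seen = next(iter(q.items()))
                if now - last_seen < timeout:
                    break     # head is still fresh, so is everything behind it
                del q[key]
                del self.index[key]
                dropped += 1
        return dropped


def syn_flood(table, count, start_ms, interval_ms, first_port):
    """Constructed attack traffic: spoofed SYNs that never complete the handshake."""
    admitted = 0
    for i in range(count):
        key = ("10.0.0.%d" % (i % 254 + 1), first_port + i, "192.0.2.10", 80)
        admitted += table.syn(key, start_ms + i * interval_ms)
    return admitted
```

With a table of capacity 100, 99 half-open entries pull the embryonic timeout down to its 1 s floor, so a single `expire()` pass reclaims the flood backlog while an established session ages under its own, much longer timeout. Note the design choice in `syn()`: a retransmitted SYN does not refresh the timer, so an attacker cannot keep half-open entries alive by replaying SYNs.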