A potential low-rate DoS attack against network firewalls

In this paper we identify a potential Denial of Service (DoS) attack that targets the last-matching rules of the security policy of a firewall. The last-matching rules are those rules located at the bottom of the ruleset of a firewall's security policy, and they require the most processing time by the firewall. If these rules are discovered, an attacker can potentially launch an effective low-rate DoS attack to trigger worst-case or near worst-case processing, thereby overwhelming the firewall and bringing it to its knees. In this paper, we present a probing technique to remotely discover the last-matching rules of a firewall. We study experimentally the effectiveness of this probing technique, taking into account important factors such as the firewall's motherboard architecture and load conditions at network links and hosts. In addition, we examine the impact of launching a low-rate DoS attack on a firewall's performance. The performance is studied in terms of the firewall's CPU utilization and throughput, packet loss, and latency. Copyright © 2009 John Wiley & Sons, Ltd.
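To make the cost argument in the abstract concrete, here is an added illustration (not code from the paper): a toy first-match ruleset with a per-packet cost model that counts how many rules are examined before a match. The ruleset, the packet format and the sample traffic are all constructed; the point is how much matching work a small share of worst-case packets consumes, which is also the quantity a defender can monitor.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    proto: str               # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]  # None matches any port
    src: str                 # source CIDR
    action: str

# Constructed ruleset, evaluated top to bottom; the final drop is the
# last-matching rule, so a packet that reaches it costs the full scan.
RULES = [
    Rule("tcp", 80, "0.0.0.0/0", "accept"),
    Rule("tcp", 443, "0.0.0.0/0", "accept"),
    Rule("udp", 53, "10.0.0.0/8", "accept"),
    Rule("tcp", 22, "10.0.1.0/24", "accept"),
    Rule("tcp", 25, "10.0.2.0/24", "accept"),
    Rule("icmp", None, "10.0.0.0/8", "accept"),
    Rule("any", None, "0.0.0.0/0", "drop"),
]

def classify(rules, pkt):
    """First-match linear scan. Returns (action, rules_examined); the
    second value is the cost model: one unit per rule checked."""
    for depth, r in enumerate(rules, start=1):
        if (r.proto in ("any", pkt["proto"])
                and r.dst_port in (None, pkt["dport"])
                and ip_address(pkt["src"]) in ip_network(r.src)):
            return r.action, depth
    raise ValueError("ruleset has no catch-all rule")

def match_depth_stats(rules, packets, tail=1):
    """Share of matching work spent on packets that are only matched by
    the last `tail` rules, i.e. the worst-case path through the policy."""
    depths = [classify(rules, p)[1] for p in packets]
    deep = [d for d in depths if d > len(rules) - tail]
    return {"packets": len(depths), "deep_matches": len(deep),
            "comparisons": sum(depths), "deep_comparisons": sum(deep),
            "deep_work_share": sum(deep) / sum(depths)}

# Constructed sample: 90 ordinary web packets plus a 10-packet trickle
# that only the final rule matches (10% of the packets).
SAMPLE_TRAFFIC = (
    [{"proto": "tcp", "dport": 80, "src": "198.51.100.7"}] * 45
    + [{"proto": "tcp", "dport": 443, "src": "198.51.100.9"}] * 45
    + [{"proto": "tcp", "dport": 23, "src": "203.0.113.5"}] * 10
)
```

On this sample the 10% of packets that fall through to the last rule account for roughly a third of all rule comparisons, which is why a low packet rate can still dominate the firewall's matching load; tracking the share of packets that reach the final rules is a cheap baseline to alert on.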
