An Entropy-Based Countermeasure against Intelligent DoS Attacks Targeting Firewalls

Denial of Service (DoS) attacks are very dangerous because they consume resources at the network and transport layers. Firewalls are considered the first line of defense in any network. An attacker may use probing to learn a firewall's policy, and then launch a DoS attack that floods the firewall with traffic targeting the rules at the bottom of this policy. In this paper, we propose a countermeasure that enables the firewall to endure the attack attempts without denying service to legitimate clients. The goal of this work is to use an entropy-based scheme to distinguish between legitimate and attack traffic. The legitimate traffic is then placed in a queue with a higher priority than the queue holding the attack traffic. The results show that the proposed scheme improves the performance of the firewall under a DoS attack.
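An added illustration, not code from the paper, of the kind of scheme the abstract describes: for each source, the distribution of matched firewall-rule indices is measured by Shannon entropy, and sources whose traffic is both low-entropy and concentrated on the bottom rules are served from a low-priority queue behind everyone else. The policy, the thresholds, the two-rule "bottom" band and the sample packets are all constructed assumptions.

```python
import math
from collections import Counter, deque

# Constructed ordered firewall policy (not from the paper): a packet matches the
# first (proto, dport) rule that fits, else the implicit bottom rule.
POLICY = [("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 22), ("tcp", 25)]
BOTTOM_RULE = len(POLICY)  # index of the last-matching default rule

def match_rule(proto, dport):
    """Linear first-match evaluation, as a plain rule-list firewall does."""
    for idx, rule in enumerate(POLICY):
        if rule == (proto, dport):
            return idx
    return BOTTOM_RULE

def shannon_entropy(counts):
    """Entropy in bits of a distribution given as {symbol: occurrences}."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

def classify_sources(packets, min_entropy=1.0, bottom_share=0.6):
    """Per source, build the distribution of matched-rule indices and label the
    source 'attack' when it is both low-entropy and concentrated on the bottom
    rules. Thresholds and the two-rule 'bottom' band are assumptions."""
    hist = {}
    for src, proto, dport in packets:
        hist.setdefault(src, Counter())[match_rule(proto, dport)] += 1
    labels = {}
    for src, counts in hist.items():
        total = sum(counts.values())
        deep = sum(c for idx, c in counts.items() if idx >= BOTTOM_RULE - 1) / total
        low_entropy = shannon_entropy(counts) < min_entropy
        labels[src] = "attack" if low_entropy and deep >= bottom_share else "legit"
    return labels

def schedule(packets, labels):
    """Two-queue priority scheduler: every legit packet is served before any
    packet from a source labelled attack, so the flood only gets leftover capacity."""
    high, low = deque(), deque()
    for pkt in packets:
        (high if labels[pkt[0]] == "legit" else low).append(pkt)
    return list(high) + list(low)

# Constructed sample: one client touching a mix of rules, one source flooding a
# port that only the bottom rule handles.
SAMPLE = [("10.0.0.5", "tcp", 80), ("10.0.0.5", "tcp", 443),
          ("10.0.0.5", "udp", 53), ("10.0.0.5", "tcp", 22)]
SAMPLE += [("198.51.100.9", "tcp", 31337)] * 20
```

Running `schedule(SAMPLE, classify_sources(SAMPLE))` yields the four legitimate packets first and the twenty flood packets after them, whichever order they arrived in.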
