A Delay-Based Countermeasure Against the Discovery of Default Rules in Firewalls

A denial of service (DoS) attack is purely malicious and is commonly used to overwhelm a network system, making network resources unavailable to legitimate users. One such DoS attack targets the enterprise firewall: the attacker sends a large number of malicious packets to the firewall, making it unavailable to legitimate users. To launch a smart and effective DoS attack, an attacker makes an a priori assumption about the order of the firewall's ruleset. An effective firewall does not reveal its ruleset, policies, or other information to the attacker. In this paper, we first present a process that an attacker can use to reconnoiter a firewall system at leisure and collect information about the ruleset of a target firewall. The collected information can then be used by the attacker to launch a slow-rate DoS attack against the firewall. We then propose a countermeasure technique, “Delay Induced Response (DIR)”, which utilizes the underlying principle of moving target defense as a cyber maneuver technique. In DIR, the network frequently changes the properties that are visible to the attacker, in order to prevent the attacker from discovering information about the firewall policy or its ruleset. The primary objective of DIR is to delude the attacker in his efforts to discover the order of the firewall ruleset, specifically the last matching rule (also known as the “default rule”) in a firewall.
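As an added illustration (not the paper's own code or results), the following Python simulation models a linear first-match firewall whose processing time grows with the depth of the matching rule, so packets that fall through to the default rule are the slowest, next to an assumed DIR-style policy that pads every response to a randomised floor. The firewall model, the cost units, the sample packets and the padding policy are all assumptions; `timing_gap` is the defender-side check of whether response timing still separates default-rule traffic from early matches.

```python
import random
import statistics

# Constructed ruleset, evaluated first-match in order; the last entry is the
# default (catch-all) rule that every otherwise-unmatched packet reaches.
RULES = [
    ("allow-dns",    lambda p: p["dport"] == 53),
    ("allow-http",   lambda p: p["dport"] == 80),
    ("allow-https",  lambda p: p["dport"] == 443),
    ("allow-admin",  lambda p: p["dport"] == 22 and p["src"] == "10.0.0.5"),
    ("default-deny", lambda p: True),
]
COST_PER_RULE = 1.0                          # assumed cost per rule inspected
DEFAULT_COST = len(RULES) * COST_PER_RULE    # cost of reaching the default rule

# Constructed sample traffic: two early matches, two that reach the default rule.
PACKETS = [
    {"src": "198.51.100.7", "dport": 53},    # rule 1
    {"src": "198.51.100.7", "dport": 80},    # rule 2
    {"src": "198.51.100.7", "dport": 22},    # wrong source, falls to default rule
    {"src": "198.51.100.7", "dport": 8443},  # default rule
]

def match_cost(packet):
    """Linear first-match lookup cost: number of rules inspected * cost."""
    for depth, (_, pred) in enumerate(RULES, start=1):
        if pred(packet):
            return depth * COST_PER_RULE
    raise AssertionError("default rule must match every packet")

def plain_response_cost(packet, rng):
    """Unprotected firewall: observable latency equals the real match cost."""
    return match_cost(packet)

def dir_response_cost(packet, rng, jitter=3.0):
    """Assumed DIR policy: hold each response until a per-response random floor
    (never below the full-ruleset cost) elapses, hiding the match depth."""
    return max(match_cost(packet), DEFAULT_COST + rng.uniform(0.0, jitter))

def timing_gap(response_fn, packets=PACKETS, trials=200, seed=1):
    """Defender's check: mean default-rule latency minus mean early-match latency.
    Clearly positive = distinguishable by timing; near zero = signal hidden."""
    rng = random.Random(seed)
    early, default = [], []
    for _ in range(trials):
        for p in packets:
            bucket = default if match_cost(p) == DEFAULT_COST else early
            bucket.append(response_fn(p, rng))
    return statistics.mean(default) - statistics.mean(early)
```

Under the unprotected model the gap equals the extra rules traversed, while under the padded model it collapses toward zero; the same check can be run against real firewall latency samples in place of the simulated costs.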
