Resiliency of open-source firewalls against remote discovery of last-matching rules
Source: International Conference on Security of Information and Networks
Proceedings of the 2nd International Conference on Security of Information and Networks, North Cyprus, Turkey
Session: SA.1 AI: attacks and intrusion detection
Pages: 186-192
Year of Publication: 2009
ISBN: 978-1-60558-412-6
Authors:
Khaled Salah, King Fahd University of Petroleum and Engineering, Dhahran, Saudi Arabia
Karim Sattar, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia
Zubair Baig, King Fahd University of Petroleum and Engineering, Dhahran, Saudi Arabia
Mohammed Sqalli, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia
Prasad Calyam, The Ohio State University, Columbus, OH, USA
Sponsor: SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1626195.1626242

ABSTRACT

In today's networks, firewalls act as the first line of defense against unwanted and malicious traffic. Firewalls themselves can become targets of DoS attacks, which jeopardizes their primary function of filtering traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most firewall CPU processing power. If an attacker discovers these rules, the attacker can launch a low-rate DoS attack that brings the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last-matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of this technique for discovering last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.
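As an added illustration (not code from the paper or from any of the firewalls it studies), the following cost model of top-to-bottom rule matching shows why the abstract singles out last-matching rules: a packet that falls through to the final rule costs a full scan, so a handful of such packets can outweigh a far higher rate of early-matching ones, and a defender can flag when those deep matches dominate rule-evaluation work. The ruleset, sample packets and alert threshold are constructed assumptions.

```python
"""Cost model for top-to-bottom rule matching (added illustration, not the
paper's code): packets that reach the last rule cost a full scan, and a
defender can flag when such deep matches dominate evaluation cost."""

# Constructed policy: (src_prefix, dst_port, action), checked in order.
# A packet matching none of them falls through to the implicit default rule.
RULES = [("10.0.0.", 22, "ACCEPT"), ("10.0.1.", 80, "ACCEPT"),
         ("10.0.2.", 443, "ACCEPT"), ("192.168.", 25, "DROP"),
         ("172.16.", 53, "ACCEPT"), ("0.", 8080, "DROP")]


def match(src, port):
    """Return (rule_index, comparisons): index of the first matching rule
    (len(RULES) for the default rule) and how many rules were inspected."""
    for i, (prefix, rport, _) in enumerate(RULES):
        if src.startswith(prefix) and port == rport:
            return i, i + 1
    return len(RULES), len(RULES) + 1   # default rule: every rule inspected


def processing_cost(packets):
    """Total rule comparisons needed for a list of (src, port) packets."""
    return sum(match(s, p)[1] for s, p in packets)


def deep_match_share(packets, deep_from=None):
    """Fraction of all comparisons spent on packets matching at or below
    rule index `deep_from` (default: the bottom half of the ruleset)."""
    if deep_from is None:
        deep_from = len(RULES) // 2
    total = deep = 0
    for s, p in packets:
        idx, cost = match(s, p)
        total += cost
        if idx >= deep_from:
            deep += cost
    return deep / total if total else 0.0


def alert(packets, threshold=0.5):
    """Defender check: True when deep/last-matching packets account for more
    than `threshold` of rule-evaluation work, however few they are."""
    return deep_match_share(packets) > threshold


# Constructed traffic: six packets hit rule 0 (1 comparison each, 6 total);
# two packets fall through to the default rule (7 comparisons each, 14 total).
NORMAL = [("10.0.0.5", 22)] * 6
LOW_RATE_LAST = [("203.0.113.9", 9999)] * 2
```

On a real firewall the same ratio can be approximated from per-rule hit counters rather than a simulated ruleset.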


REFERENCES

[1] K. Salah, K. Sattar, M. Sqalli, and E. Al-Shaer, "A Probing Technique for Discovering Last-Matching Rules of a Network Firewall," Proceedings of the 5th International Conference on Innovations in Information Technology (IIT'08), Al-Ain, UAE, December 2008, pp. 578--582.
[2] A. El-Atawy, T. Samak, E. Al-Shaer, and H. Li, "Using Online Traffic Statistical Matching for Optimizing Packet Filtering Performance," Proceedings of the 26th IEEE INFOCOM'07, Anchorage, Alaska, May 6-12, 2007, pp. 866--874.
[3] H. Hamed, A. El-Atawy, and E. Al-Shaer, "Adaptive Statistical Optimization Techniques for Firewall Packet Filtering," Proceedings of the 25th IEEE INFOCOM'06, Barcelona, Spain, April 23-29, 2006.
[4] T. Samak, A. El-Atawy, and E. Al-Shaer, "FireCracker: A Framework for Inferring Firewall Policy using Smart Probing," Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP'07), Beijing, China, October 2007.
[5] P. Gupta, "Algorithms for Routing Lookups and Packet Classification," PhD Thesis, Stanford University, 2000.
[6] T. Lakshman and D. Stiliadis, "High-Speed Policy-based Packet Forwarding Using Efficient Multi-dimensional Range Matching," Proceedings of ACM SIGCOMM, Vancouver, 1998, pp. 203--214.
[7] A. Hari, S. Suri, and G. Parulkar, "Detecting and Resolving Packet Filter Conflicts," Proceedings of IEEE INFOCOM, March 2000, pp. 1203--1212.
[8] C. C. Zhang, M. Winslett, and C. A. Gunter, "On the Safety and Efficiency of Firewall Policy Deployment," Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California, May 2007.
[9] A. X. Liu and M. G. Gouda, "Removing Redundancy from Packet Classifiers," Proceedings of ACM SIGCOMM, Portland, Oregon, August 2004.
[10] M. K. Yoon, S. Chen, and Z. Zhang, "Reducing the Size of Rule Set in a Firewall," Proceedings of the IEEE International Conference on Communications (ICC'07), Glasgow, June 2007, pp. 1247--1279.
[11] S. Crosby and D. Wallach, "Denial of Service via Algorithmic Complexity Attacks," Proceedings of the 12th USENIX Security Symposium, Washington, DC, August 4-8, 2003.
[12] B. Hickman, D. Newman, S. Tadjudin, and T. Martin, "Benchmarking Methodology for Firewall Performance," RFC 3511, April 2003.
[13] M. Lyu and L. Lau, "Firewall Security: Policies, Testing and Performance Evaluation," Proceedings of the 24th IEEE International Computer Software and Applications Conference (COMPSAC), Taipei, Taiwan, October 25-28, 2000, pp. 116--121.
[14] V. Santiraveewan and Y. Permpoontanalarp, "A Graph-based Methodology for Analyzing IP Spoofing Attack," Proceedings of the 18th IEEE International Conference on Advanced Information Networking and Applications (AINA), Fukuoka, Japan, 2004, pp. 227--231.
[15] S. Kamara, S. Fahmy, E. Schultz, F. Kerschbaum, and M. Frantzen, "Analysis of Vulnerabilities in Internet Firewalls," International Journal of Computers and Security, Elsevier, Vol. 22, No. 3, 2003, pp. 214--232.
[16] D. Goldsmith and M. Schiffman, "Firewalking: A Traceroute-like Analysis of IP Packet Responses to Determine Gateway Access Control Lists," October 1998, http://www.packetfactory.net/firewalk/firewalk-final.html, 2008.
[17] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1," RFC 2616, June 1999.
[18] C. Chi, L. Liu, and L. Zhang, "Quantitative Analysis on the Cacheability Factors of Web Objects," Proceedings of the 30th International Computer Software and Applications Conference (COMPSAC), Chicago, IL, September 2006, pp. 532--538.
[19] Linux Netfilter, http://www.netfilter.org.
[20] Linux IPsets, http://ipset.netfilter.org.
[21] FreeBSD ipfw, http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html.