Discovering last-matching rules in popular open-source and commercial firewalls

K. Salah, K. Sattar, Z. A. Baig, M. H. Sqalli, P. Calyam

Research output: Contribution to journal, Article, peer-review

3 Scopus citations


Denial of service (DoS) attacks pose a major threat to the smooth operation of critical network resources. Network firewalls act as the first line of defence against unwanted and malicious traffic, yet firewalls themselves can become a target of DoS attacks. In a prior work (Salah et al., 2009), we studied the resiliency and robustness of open-source network firewalls against the remote discovery of the last-matching rules. If last-matching rules are discovered, an attacker can launch an effective, slow-rate DoS attack that can bring the firewall to its knees. In this paper, we examine and compare the resiliency of five of the most popular network firewalls, considering both open-source and commercial ones, namely Linux NetFilter, Linux IPSets, FreeBSD ipfw, Cisco PIX and Cisco ASA. Our results show significant variations in the resiliency of these five firewall technologies, with Cisco ASA being the most resilient and Cisco PIX being the most vulnerable.

Original language: British English
Pages (from-to): 23-31
Number of pages: 9
Journal: International Journal of Internet Protocol Technology
Issue number: 1-2
State: Published - Apr 2010


  • DoS attacks
  • Firewalls
  • Network security

