Resiliency of open-source firewalls against remote discovery of last-matching rules

Khaled Salah; Karim Sattar; Zubair Baig; Mohammed Sqalli; Prasad Calyam

doi:10.1145/1626195.1626242

Resiliency of open-source firewalls against remote discovery of last-matching rules

Khaled Salah, Karim Sattar, Zubair Baig, Mohammed Sqalli, Prasad Calyam

Electrical Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

In today's networks, firewalls act as the first line of defense against unwanted and malicious traffics. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation to filter traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of firewalls. If these rules get discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of such technique on the discovery of last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.

Original language	British English
Title of host publication	SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks
Pages	186-192
Number of pages	7
DOIs	https://doi.org/10.1145/1626195.1626242
State	Published - 2009
Event	2nd International Conference on Security of Information and Networks, SIN'09 - Famagusta, Cyprus Duration: 6 Oct 2009 → 10 Oct 2009

Publication series

Name	SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks

Conference

Conference	2nd International Conference on Security of Information and Networks, SIN'09
Country/Territory	Cyprus
City	Famagusta
Period	6/10/09 → 10/10/09

Keywords

DoS attacks
Firewalls
Nework security

Access to Document

10.1145/1626195.1626242

Cite this

Salah, K., Sattar, K., Baig, Z., Sqalli, M., & Calyam, P. (2009). Resiliency of open-source firewalls against remote discovery of last-matching rules. In SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks (pp. 186-192). Article 1626242 (SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks). https://doi.org/10.1145/1626195.1626242

@inproceedings{661b68ed404b4231ab9248ae5f37748c,

title = "Resiliency of open-source firewalls against remote discovery of last-matching rules",

abstract = "In today's networks, firewalls act as the first line of defense against unwanted and malicious traffics. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation to filter traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of firewalls. If these rules get discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of such technique on the discovery of last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.",

keywords = "DoS attacks, Firewalls, Nework security",

author = "Khaled Salah and Karim Sattar and Zubair Baig and Mohammed Sqalli and Prasad Calyam",

year = "2009",

doi = "10.1145/1626195.1626242",

language = "British English",

isbn = "9781605584126",

series = "SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks",

pages = "186--192",

booktitle = "SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks",

note = "2nd International Conference on Security of Information and Networks, SIN'09 ; Conference date: 06-10-2009 Through 10-10-2009",

}

Salah, K, Sattar, K, Baig, Z, Sqalli, M & Calyam, P 2009, Resiliency of open-source firewalls against remote discovery of last-matching rules. in SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks., 1626242, SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks, pp. 186-192, 2nd International Conference on Security of Information and Networks, SIN'09, Famagusta, Cyprus, 6/10/09. https://doi.org/10.1145/1626195.1626242

Resiliency of open-source firewalls against remote discovery of last-matching rules. / Salah, Khaled; Sattar, Karim; Baig, Zubair et al.
SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks. 2009. p. 186-192 1626242 (SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Resiliency of open-source firewalls against remote discovery of last-matching rules

AU - Salah, Khaled

AU - Sattar, Karim

AU - Baig, Zubair

AU - Sqalli, Mohammed

AU - Calyam, Prasad

PY - 2009

Y1 - 2009

N2 - In today's networks, firewalls act as the first line of defense against unwanted and malicious traffics. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation to filter traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of firewalls. If these rules get discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of such technique on the discovery of last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.

AB - In today's networks, firewalls act as the first line of defense against unwanted and malicious traffics. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation to filter traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of firewalls. If these rules get discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of such technique on the discovery of last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.

KW - DoS attacks

KW - Firewalls

KW - Nework security

UR - http://www.scopus.com/inward/record.url?scp=70350627491&partnerID=8YFLogxK

U2 - 10.1145/1626195.1626242

DO - 10.1145/1626195.1626242

M3 - Conference contribution

AN - SCOPUS:70350627491

SN - 9781605584126

T3 - SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks

SP - 186

EP - 192

BT - SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks

T2 - 2nd International Conference on Security of Information and Networks, SIN'09

Y2 - 6 October 2009 through 10 October 2009

ER -

Salah K, Sattar K, Baig Z, Sqalli M, Calyam P. Resiliency of open-source firewalls against remote discovery of last-matching rules. In SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks. 2009. p. 186-192. 1626242. (SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks). doi: 10.1145/1626195.1626242

Resiliency of open-source firewalls against remote discovery of last-matching rules

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this