DOI: 10.1145/1626195.1626242 (ACM Conference Proceedings, SIN)
Research article

Resiliency of open-source firewalls against remote discovery of last-matching rules

Published: 06 October 2009

Abstract

In today's networks, firewalls act as the first line of defense against unwanted and malicious traffic. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation of filtering traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of the firewall. If these rules are discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last-matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of that technique for discovering last-matching rules in two other popular open-source network firewalls, namely Linux IPsets and FreeBSD ipfw.
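The cost asymmetry the abstract describes (a packet that falls through to the bottom of a sequentially evaluated ruleset costs as many comparisons as there are rules) is easy to see in a small model. The following is an added example written for this page, not code from the paper or from Netfilter, IPsets or ipfw: a linear first-match classifier over a constructed 1000-rule policy, a per-packet cost counter, and a defender-side monitor that raises an alert when an unusually large share of recent packets is matched by the tail of the ruleset (or by the implicit default-drop after the last rule). All rule contents, addresses, the `TailRuleMonitor` class and its thresholds are assumptions chosen for illustration.

```python
"""Linear first-match firewall model with a cost counter and a tail-skew monitor.

Added illustration for the abstract's claim that last-matching rules are the
most expensive ones; not code from the paper or from any real firewall.
"""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    dst: str              # destination network in CIDR form
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "ACCEPT" or "DROP"


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """One rule comparison: protocol, port, then destination prefix."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return ip_address(pkt.dst) in ip_network(rule.dst)


def classify(rules: List[Rule], pkt: Packet, default: str = "DROP") -> Tuple[str, int]:
    """Return (action, number_of_rules_examined).

    Sequential first-match semantics: the work done for a packet equals the
    1-based index of the first matching rule. A packet that matches nothing
    is handled by the default policy after examining every rule.
    """
    for idx, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return default, len(rules)


def build_ruleset(n_filler: int) -> List[Rule]:
    """Constructed policy: one cheap web rule on top, n_filler unrelated
    SSH rules in the middle, and a single-host rule at the very bottom."""
    rules = [Rule("10.0.0.0/24", "tcp", 80, "ACCEPT")]
    for k in range(n_filler):
        # Distinct /24 subnets so no filler rule shadows the first or last rule.
        rules.append(Rule(f"10.{1 + k // 256}.{k % 256}.0/24", "tcp", 22, "ACCEPT"))
    rules.append(Rule("10.200.0.1/32", "tcp", 8443, "ACCEPT"))
    return rules


def average_cost(rules: List[Rule], packets: List[Packet]) -> float:
    """Mean number of rule comparisons per packet for a traffic mix."""
    return sum(classify(rules, p)[1] for p in packets) / len(packets)


class TailRuleMonitor:
    """Sliding-window detector for traffic skewed toward expensive rules.

    Ordinary traffic is dominated by early rules; a sustained run of packets
    that all land in the tail of the ruleset (or fall through to the default)
    is the signature a defender would want to notice.
    """

    def __init__(self, n_rules: int, tail_fraction: float = 0.1,
                 window: int = 100, alert_ratio: float = 0.5) -> None:
        self.tail_start = max(1, int(n_rules * (1 - tail_fraction)))
        self.window = deque(maxlen=window)
        self.alert_ratio = alert_ratio

    def observe(self, match_index: int) -> bool:
        """Record one packet's match index; return True when the window is
        full and the share of tail matches reaches alert_ratio."""
        self.window.append(match_index >= self.tail_start)
        if len(self.window) < self.window.maxlen:
            return False
        return sum(self.window) / len(self.window) >= self.alert_ratio


if __name__ == "__main__":
    rules = build_ruleset(998)  # 1000 rules in total
    web = Packet("10.0.0.5", "tcp", 80)       # matches rule 1
    last = Packet("10.200.0.1", "tcp", 8443)  # matches rule 1000
    print(classify(rules, web), classify(rules, last))
    print("avg cost, 90% web / 10% last-rule:", average_cost(rules, [web] * 9 + [last]))
```

The interesting number is the average cost line: mixing in one last-rule packet per nine cheap ones already multiplies the per-packet work by roughly 100, which is why a low-rate stream aimed at the tail is enough to load the filter. The monitor keys on match position rather than packet rate, so it still fires when the offending traffic is a small fraction of total volume.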

References

[1] K. Salah, K. Sattar, M. Sqalli, and E. Al-Shaer, "A Probing Technique for Discovering Last-Matching Rules of a Network Firewall," Proceedings of the 5th International Conference on Innovations in Information Technology (IIT'08), Al-Ain, UAE, December 2008, pp. 578--582.
[2] A. El-Atawy, T. Samak, E. Al-Shaer, and H. Li, "Using Online Traffic Statistical Matching for Optimizing Packet Filtering Performance," Proceedings of the 26th IEEE INFOCOM'07, Anchorage, Alaska, May 6-12, 2007, pp. 866--874.
[3] H. Hamed, A. El-Atawy, and E. Al-Shaer, "Adaptive Statistical Optimization Techniques for Firewall Packet Filtering," Proceedings of the 25th IEEE INFOCOM'06, Barcelona, Spain, April 23-29, 2006.
[4] T. Samak, A. El-Atawy, and E. Al-Shaer, "FireCracker: A Framework for Inferring Firewall Policy using Smart Probing," Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP'07), Beijing, China, October 2007.
[5] P. Gupta, "Algorithms for Routing Lookups and Packet Classification," PhD Thesis, Stanford University, 2000.
[6] T. Lakshman and D. Stiliadis, "High-Speed Policy-based Packet Forwarding Using Efficient Multi-dimensional Range Matching," Proceedings of ACM SIGCOMM, Vancouver, 1998, pp. 203--214.
[7] A. Hari, S. Suri, and G. Parulkar, "Detecting and Resolving Packet Filter Conflicts," Proceedings of IEEE INFOCOM, March 2000, pp. 1203--1212.
[8] C.C. Zhang, M. Winslett, and C.A. Gunter, "On the Safety and Efficiency of Firewall Policy Deployment," Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California, May 2007.
[9] A.X. Liu and M.G. Gouda, "Removing Redundancy from Packet Classifiers," Proceedings of ACM SIGCOMM, Portland, Oregon, August 2004.
[10] M.K. Yoon, S. Chen, and Z. Zhang, "Reducing the Size of Rule Set in a Firewall," Proceedings of the IEEE International Conference on Communications (ICC'07), Glasgow, June 2007, pp. 1247--1279.
[11] S. Crosby and D. Wallach, "Denial of Service via Algorithmic Complexity Attacks," Proceedings of the 12th USENIX Security Symposium, Washington, DC, August 4-8, 2003.
[12] B. Hickman, D. Newman, S. Tadjudin, and T. Martin, "Benchmarking Methodology for Firewall Performance," RFC 3511, April 2003.
[13] M. Lyu and L. Lau, "Firewall Security: Policies, Testing and Performance Evaluation," Proceedings of the 24th IEEE International Computer Software and Applications Conference (COMPSAC), Taipei, Taiwan, October 25-28, 2000, pp. 116--121.
[14] V. Santiraveewan and Y. Permpoontanalarp, "A Graph-based Methodology for Analyzing IP Spoofing Attack," Proceedings of the 18th IEEE International Conference on Advanced Information Networking and Applications (AINA), Fukuoka, Japan, 2004, pp. 227--231.
[15] S. Kamara, S. Fahmy, E. Schultz, F. Kerschbaum, and M. Frantzen, "Analysis of Vulnerabilities in Internet Firewalls," Computers & Security, Elsevier, Vol. 22, No. 3, 2003, pp. 214--232.
[16] D. Goldsmith and M. Schiffman, "Firewalking: A Traceroute-like Analysis of IP Packet Responses to Determine Gateway Access Control Lists," 2008, http://www.packetfactory.net/firewalk/firewalk-final.html, October 1998.
[17] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1," RFC 2616, June 1999.
[18] C. Chi, L. Liu, and L. Zhang, "Quantitative Analysis on the Cacheability Factors of Web Objects," Proceedings of the 30th International Computer Software and Applications Conference (COMPSAC), Chicago, IL, September 2006, pp. 532--538.
[19] Linux Netfilter, http://www.netfilter.org.
[20] Linux IPsets, http://ipset.netfilter.org.
[21] FreeBSD ipfw, http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html.

Cited By

  • (2011) "Acceleration of packet filtering using GPGPU," Proceedings of the 4th International Conference on Security of Information and Networks, pp. 227--230, DOI 10.1145/2070425.2070465. Online publication date: 14 November 2011.
  • (2010) "Discovering last-matching rules in popular open-source and commercial firewalls," International Journal of Internet Protocol Technology, Vol. 5, No. 1/2, pp. 23--31, DOI 10.1504/IJIPT.2010.032612. Online publication date: 1 April 2010.


    Published In

    SIN '09: Proceedings of the 2nd international conference on Security of information and networks
    October 2009
    322 pages
    ISBN:9781605584126
    DOI:10.1145/1626195

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. DoS attacks
    2. firewalls
    3. network security

    Acceptance Rates

    Overall Acceptance Rate 102 of 289 submissions, 35%
