Nothing Special   »   [go: up one dir, main page]

skip to main content
10.1145/1626195.1626242acmconferencesArticle/Chapter ViewAbstractPublication PagessinConference Proceedingsconference-collections
research-article

Resiliency of open-source firewalls against remote discovery of last-matching rules

Published: 06 October 2009 Publication History

Abstract

In today's networks, firewalls act as the first line of defense against unwanted and malicious traffics. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation to filter traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of firewalls. If these rules get discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of such technique on the discovery of last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.

References

[1]
K. Salah, K. Sattar, M. Sqalli, and E. Alshaer, "A probing Technique for Discovering Last-Matching Rules of a Network Firewall," In Proc. of the 5th Intl' Conf' on Innovations in Information Technology (IIT'08), (December .2008). Al-Ain, UAE, 578--582.
[2]
A. El-Atawy, T. Samak, E. Al-Shaer, and H. Li, "Using Online Traffic Statistical Matching for Optimizing Packet Filtering Performance," Proceedings of the 26th IEEE INFOCOM'07, Anchorage, Alaska, May 6-12, 2007, pp. 866--874
[3]
H. Hamed, A. El-Atawy, and E. Al-Shaer, "Adaptive Statistical Optimization Techniques for Firewall Packet Filtering," Proceedings of the 25th IEEE INFOCOM'06, Barceloan, Spain, April 23-29, 2006.
[4]
T. Samak, A. El-Atawy, and E. Al-Shaer, "FireCracker: A Framework for Inferring Firewall Policy using Smart Probing," Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP'07), Beijing, China, October 2007.
[5]
P. Gupta, "Algorithms for Routing Lookups and Packet Classification," PhD Thesis, Stanford University, 2000.
[6]
T. Lakshman and D. Stiliadis, "High-Speed Policy-based Packet Forwarding Using Efficient Multi-dimensional Range Matching," Proceedings of ACM SIGCOMM, 1998, Vancouver, pp. 203--214.
[7]
A. Hari, S. Suri, and G. Parulkar, "Detecting and Resolving Packet Filter Conflicts," Proceedings of IEEE INFOCOM, March 2000, pp. 1203--1212.
[8]
C.C. Zhang, M. Winslett, and C.A. Gunter, "On the Safety and Efficiency of Firewall Policy Deployment," Proceedings of IEEE Symposium on Security and Privacy, May 2007, Oakland, California.
[9]
A.X. Liu and M.G. Gouda, "Removing Redundancy from Packet Classifiers," Proceedings of ACM SIGCOMM, Portland, Oregon, August 2004.
[10]
M.K. Yoon, S. Chen, and Z. Zhang, "Reducing the Size of Rule Set in a Firewall," Proceedings of IEEE International Conference on Communications, ICC'07, June 2007, Glasgow, pp. 1247--1279
[11]
S. Cosby and D. Wallach, "Denial of Service via Algorithm Complexity Attacks," Proceedings of the 12th Usenix Security Symposium, Washington, DC, August 4-8, 2003.
[12]
B. Hickman, D. Newman, S. Tadjudin, and T. Martin, "Benchmarking Methodology for Firewall Performance," RFC3511, April 2003.
[13]
M. Lyu and L. Lau, "Firewall security: Policies, Testing and Performance Evaluation," Proceedings of the 24th IEEE International Computer Software and Applications Conference, COMSAC, October 25-28, 2000, Taipei, Taiwan, pp. 116--121
[14]
V. Santiraveewan and Y. Permpoontanalarp, "A Graph-based Methodology for Analyzing IP Spoofing Attack," Proceedings of the 18t6h IEEE International Conferenced on Advanced Information Networking and Applications, AINA, Fukuoka, Japan, 2004, pp. 227--231
[15]
S. Kamara, S. Fahmy, E. Schultz, F. Kerschbaum, and M. Frantzen, "Analysis of Vulnerabilities in Internet Firewalls," International journal of Computers and Security, Elsevier, Vol. 22, No. 3, 2003, pp. 214--232.
[16]
D. Goldsmith and M. Schiffman, "Firewalking: A Traceroute-like Analysis of IP Packet Responses to Determine Gateway Access Control Lists," 2008, http://www.packetfactory.net/firewalk/firewalk-final.html, October 1998.
[17]
R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1," RFC2616, June 1999.
[18]
C. Chi, L. Liu, L., and L. Zhang, "Quantitative Analysis on the Cacheability Factors of Web Objects," Proceedings of the 30th International Computer Software and Applications Conference (COMPSAC), September 2006, Chicago IL, September 2006, pp. 532--538.
[19]
Linux Netfilter, http://www.netfilter.org.
[20]
Linux IPsets, http://ipset.netfilter.org.
[21]
FreeBSD ipfw, http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html.

Cited By

View all
  • (2011)Acceleration of packet filtering using gpgpuProceedings of the 4th international conference on Security of information and networks10.1145/2070425.2070465(227-230)Online publication date: 14-Nov-2011
  • (2010)Discovering last-matching rules in popular open-source and commercial firewallsInternational Journal of Internet Protocol Technology10.1504/IJIPT.2010.0326125:1/2(23-31)Online publication date: 1-Apr-2010

Index Terms

  1. Resiliency of open-source firewalls against remote discovery of last-matching rules

    Recommendations

    Comments

    Please enable JavaScript to view thecomments powered by Disqus.

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    SIN '09: Proceedings of the 2nd international conference on Security of information and networks
    October 2009
    322 pages
    ISBN:9781605584126
    DOI:10.1145/1626195
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 06 October 2009

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. dos attacks
    2. firewalls
    3. nework security

    Qualifiers

    • Research-article

    Conference

    SIN '09
    Sponsor:

    Acceptance Rates

    Overall Acceptance Rate 102 of 289 submissions, 35%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)3
    • Downloads (Last 6 weeks)0
    Reflects downloads up to 23 Nov 2024

    Other Metrics

    Citations

    Cited By

    View all
    • (2011)Acceleration of packet filtering using gpgpuProceedings of the 4th international conference on Security of information and networks10.1145/2070425.2070465(227-230)Online publication date: 14-Nov-2011
    • (2010)Discovering last-matching rules in popular open-source and commercial firewallsInternational Journal of Internet Protocol Technology10.1504/IJIPT.2010.0326125:1/2(23-31)Online publication date: 1-Apr-2010

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Media

    Figures

    Other

    Tables

    Share

    Share

    Share this Publication link

    Share on social media