Abstract
In this paper we identify a potential Denial of Service (DoS) attack that targets the last-matching rules of the security policy of a firewall. The last-matching rules are those rules that are located at the bottom of the ruleset of a firewall's security policy, and would require the most processing time by the firewall. If these rules are discovered, an attacker can potentially launch an effective low-rate DoS attack to trigger worst-case or near worst-case processing, thereby overwhelming the firewall and bringing it to its knees. In this paper, we present a probing technique to remotely discover the last-matching rules of a firewall. We study experimentally the effectiveness of this probing technique taking into account important factors such as the firewall's motherboard architecture and load conditions at network links and hosts. In addition we examine the impact of launching a low-rate DoS attack on a firewall's performance. The performance is studied in terms of the firewall's CPU utilization and throughput, packet loss, and latency.
| Original language | English |
|---|---|
| Pages (from-to) | 136-146 |
| Number of pages | 11 |
| Journal | Security and Communication Networks |
| Volume | 4 |
| Issue number | 2 |
| DOIs | |
| State | Published - Feb 2011 |
Bibliographical note
Funding Information:M?nica Borunda wish to thank Consejo Nacional de Ciencia y Tecnolog?a, CONACYT, support for her Catedra Research Position with ID 71557, and to Instituto de Investigaciones El?ctricas, IIE, for its hospitality. This work has been partially supported by PAPIIT-UNAM under the project IT100514. We thank Maximiliano Valdez Gonz?lez for his technical support in the network management.
Keywords
- Complexity-algorithm attacks
- DoS attacks
- Firewalls
- Network security
ASJC Scopus subject areas
- Information Systems
- Computer Networks and Communications