TY - GEN
T1 - Adaptive early packet filtering for defending firewalls against DoS attacks
AU - El-Atawy, Adel
AU - Al-Shaer, Ehab
PY - 2009
Y1 - 2009
N2 - A major threat to data networks is based on the fact that some traffic can be expensive to classify and filter, as it will undergo a longer than average list of filtering rules before being rejected by the default deny rule. An attacker with some information about the access-control list (ACL) deployed at a firewall or an intrusion detection and prevention system (IDS/IPS) can craft packets that will have maximum cost. In this paper, we present a technique that is lightweight, traffic-adaptive and can be deployed on top of any filtering mechanism to pre-filter unwanted expensive traffic. The technique utilizes Internet traffic characteristics coupled with a special, carefully tuned representation of the policy to generate early defense policies. We use Boolean expressions built as binary decision diagrams (BDD) to represent relaxed versions of the policy that are faster to evaluate. Moreover, it is guaranteed that the technique will not add an overhead that is not compensated by the gain in filtering time in the underlying filtering method. Evaluation has shown considerable savings in the overall filtering process, thus saving firewall processing power and increasing overall throughput. Also, the overhead changes according to the traffic behavior, and can be tuned to guarantee its worst-case time cost.
UR - http://www.scopus.com/inward/record.url?scp=70349659341&partnerID=8YFLogxK
U2 - 10.1109/INFCOM.2009.5062171
DO - 10.1109/INFCOM.2009.5062171
M3 - Conference contribution
AN - SCOPUS:70349659341
SN - 9781424435135
T3 - Proceedings - IEEE INFOCOM
SP - 2437
EP - 2445
BT - IEEE INFOCOM 2009 - The 28th Conference on Computer Communications
T2 - 28th Conference on Computer Communications, IEEE INFOCOM 2009
Y2 - 19 April 2009 through 25 April 2009
ER -