Discovering last-matching rules in popular open-source and commercial firewalls

Authors: K. Salah, K. Sattar, Z.A. Baig, M.H. Sqalli, P. Calyam

DOI: 10.1504/IJIPT.2010.032612

Keywords: Computer network; Denial-of-service attack; First line; Cisco PIX; Firewall (computing); Computer security; Robustness (computer science); Telecommunication security; Computer science; Network security; Open source

Abstract: Denial of service (DoS) attacks pose a major threat to the smooth operation of critical network resources. Network firewalls act as the first line of defence against unwanted and malicious traffic, but firewalls themselves can become the target of DoS attacks. In prior work (Salah et al., 2009), we studied the resiliency and robustness of open-source firewalls against remote discovery of last-matching rules, i.e. rules that sit at the end of the ruleset so that every packet which reaches them has first been compared against every rule above them. If such rules are discovered, an attacker can launch an effective slow-rate attack that brings the firewall to its knees. In this paper, we examine and compare the five most popular firewalls, considering both open-source and commercial ones; namely, Linux NetFilter, IPSets, FreeBSD ipfw, Cisco PIX and Cisco ASA. Our results show significant variations in the resiliency of these technologies, with ASA being the most resilient and the remaining firewalls ranging down to the most vulnerable.
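The abstract states the attack in one sentence; the toy model below, added here as an illustration and not code from the paper or from any of the firewalls it studies, shows the mechanism behind it. A first-match filter charges one comparison per rule traversed, so a packet that is handled by a last-matching rule (or by the default policy after all rules fail) costs as many comparisons as there are rules. An attacker who can tell which candidate packets are the expensive ones can then send a modest, slow-rate stream of exactly those packets and keep the filter at its worst case. The ruleset, the addresses, and the use of a comparison count in place of a measured response delay are all assumptions of this example; a real attacker sees only timing, and the hash-set variant stands in for the general idea behind IPSets rather than for any real implementation.

```python
"""
Toy first-match packet filter and the last-matching-rule slow-rate attack.
Added example: not code from the paper or from any firewall it evaluates.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dport: int


class LinearFirewall:
    """First-match semantics: rules are tested top to bottom, one comparison
    per rule. A packet that matches nothing is handled by the default policy
    only after every rule has been examined, which is the worst case."""

    def __init__(self, rules: Iterable[Rule], default: str = "drop"):
        self.rules = list(rules)
        self.default = default

    def evaluate(self, pkt: Packet) -> tuple[str, int]:
        """Return (action, number of rules examined)."""
        for n, rule in enumerate(self.rules, start=1):
            if pkt.src in rule.src and rule.dport in (None, pkt.dport):
                return rule.action, n
        return self.default, len(self.rules)


class SetFirewall:
    """Same policy, but the long per-host blocklist is a hash set (the idea
    behind IPSets), so blocklist cost no longer grows with its size."""

    def __init__(self, blocked: Iterable[IPv4Address], tail: Iterable[Rule],
                 default: str = "drop"):
        self.blocked = frozenset(blocked)
        self.tail = list(tail)
        self.default = default

    def evaluate(self, pkt: Packet) -> tuple[str, int]:
        work = 1                                   # one hash lookup
        if pkt.src in self.blocked:
            return "drop", work
        for rule in self.tail:
            work += 1
            if pkt.src in rule.src and rule.dport in (None, pkt.dport):
                return rule.action, work
        return self.default, work


def discover_last_matching(fw, candidates: Iterable[Packet]) -> tuple[Packet, int]:
    """Attacker's view: the only signal is per-packet cost. Here that is the
    comparison count (assumption); against a real device it would have to be
    inferred from response delay. Returns the costliest candidate and its cost."""
    scored = [(fw.evaluate(p)[1], p) for p in candidates]
    cost, pkt = max(scored, key=lambda cp: cp[0])
    return pkt, cost


def attack_work(fw, pkt: Packet, pps: int) -> int:
    """Rule comparisons per second that `pps` copies of `pkt` force per second."""
    return fw.evaluate(pkt)[1] * pps


def build_scenario():
    """Constructed policy (assumption): 2000 blocked hosts 10.0.0.0-10.0.7.207,
    then accept tcp/80 and tcp/443 from anywhere, default drop."""
    blocked = [IPv4Address("10.0.0.0") + i for i in range(2000)]
    tail = [Rule(IPv4Network("0.0.0.0/0"), 80, "accept"),
            Rule(IPv4Network("0.0.0.0/0"), 443, "accept")]
    linear = LinearFirewall(
        [Rule(IPv4Network(f"{a}/32"), None, "drop") for a in blocked] + tail)
    hashed = SetFirewall(blocked, tail)
    probes = [                                     # constructed probe packets
        Packet(IPv4Address("10.0.0.5"), 80),       # blocked host: matches rule 6
        Packet(IPv4Address("192.0.2.1"), 80),      # allowed service: rule 2001
        Packet(IPv4Address("192.0.2.1"), 22),      # nothing matches: all 2002 rules
    ]
    return linear, hashed, probes


if __name__ == "__main__":
    linear, hashed, probes = build_scenario()
    pkt, cost = discover_last_matching(linear, probes)
    print(f"last-matching probe: {pkt.src}:{pkt.dport} costs {cost} comparisons")
    print("linear, 50 pps of last-matching packets:", attack_work(linear, pkt, 50))
    print("linear, 50 pps of first-matching packets:", attack_work(linear, probes[0], 50))
    print("hash-set, 50 pps of last-matching packets:", attack_work(hashed, pkt, 50))
```

The point to take from the numbers is the ratio, not the absolute values: with 2002 linear rules, 50 packets per second aimed at the default policy cost the filter roughly 330 times what the same rate of early-matching traffic costs, and the hash-set layout removes that lever by bounding the per-packet work at a few operations regardless of blocklist size.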

References (16)
Nicholas W. McKeown, Pankaj Gupta, Algorithms for routing lookups and packet classification (2000)
Scott A. Crosby, Dan S. Wallach, Denial of service via algorithmic complexity attacks, USENIX Security Symposium (2003)
Khaled Salah, Karim Sattar, Zubair Baig, Mohammed Sqalli, Prasad Calyam, Resiliency of open-source firewalls against remote discovery of last-matching rules, Proceedings of the 2nd International Conference on Security of Information and Networks (SIN '09), pp. 186-192 (2009), 10.1145/1626195.1626242
Taghrid Samak, Adel El-Atawy, Ehab Al-Shaer, FireCracker: A Framework for Inferring Firewall Policies using Smart Probing, International Conference on Network Protocols, pp. 294-303 (2007), 10.1109/ICNP.2007.4375860
A. Hari, S. Suri, G. Parulkar, Detecting and resolving packet filter conflicts, International Conference on Computer Communications, vol. 3, pp. 1203-1212 (2000), 10.1109/INFCOM.2000.832496
H. Hamed, A. El-Atawy, E. Al-Shaer, Adaptive Statistical Optimization Techniques for Firewall Packet Filtering, IEEE International Conference on Computer Communications, pp. 1-12 (2006), 10.1109/INFOCOM.2006.129
Chi-hung Chi, Lin Liu, Luwei Zhang, Quantitative Analysis on the Cacheability Factors of Web Objects, Computer Software and Applications Conference, vol. 1, pp. 532-538 (2006), 10.1109/COMPSAC.2006.70
A. El-Atawy, T. Samak, E. Al-Shaer, H. Li, Using Online Traffic Statistical Matching for Optimizing Packet Filtering Performance, IEEE International Conference on Computer Communications, pp. 866-874 (2007), 10.1109/INFCOM.2007.106
V. Santiraveewan, Y. Permpoontanalarp, A graph-based methodology for analyzing IP spoofing attack, Advanced Information Networking and Applications, vol. 2, pp. 227-230 (2004), 10.1109/AINA.2004.1283792
M. Yoon, S. Chen, Z. Zhang, Reducing the Size of Rule Set in a Firewall, International Conference on Communications, pp. 1274-1279 (2007), 10.1109/ICC.2007.215