A potential low-rate DoS attack against network firewalls
| Autor: | K. Sattar, Mohammed H. Sqalli, Ehab Al-Shaer, Khaled Salah |
|---|---|
| Rok vydání: | 2009 |
| Předmět: |
Bastion host
Computer Networks and Communications business.industry DMZ Network security Computer science ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS Internet security Computer security computer.software_genre Context-based access control Firewall (construction) Stateful firewall Application firewall business computer Information Systems Computer network |
| Zdroj: | Security and Communication Networks. 4:136-146 |
| ISSN: | 1939-0114 |
| DOI: | 10.1002/sec.118 |
| Popis: | In this paper we identify a potential Denial of Service (DoS) attack that targets the last-matching rules of the security policy of a firewall. The last-matching rules are those rules that are located at the bottom of the ruleset of a firewall's security policy, and would require the most processing time by the firewall. If these rules are discovered, an attacker can potentially launch an effective low-rate DoS attack to trigger worst-case or near worst-case processing, thereby overwhelming the firewall and bringing it to its knees. In this paper, we present a probing technique to remotely discover the last-matching rules of a firewall. We study experimentally the effectiveness of this probing technique taking into account important factors such as the firewall's motherboard architecture and load conditions at network links and hosts. In addition we examine the impact of launching a low-rate DoS attack on a firewall's performance. The performance is studied in terms of the firewall's CPU utilization and throughput, packet loss, and latency. Copyright © 2009 John Wiley & Sons, Ltd. |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|