A potential low-rate DoS attack against network firewalls
Version of Record online: 12 JUN 2009
Copyright © 2009 John Wiley & Sons, Ltd.
Security and Communication Networks
Volume 4, Issue 2, pages 136–146, February 2011
How to Cite
Salah, K., Sattar, K., Sqalli, M. and Al-Shaer, E. (2011), A potential low-rate DoS attack against network firewalls. Security Comm. Networks, 4: 136–146. doi: 10.1002/sec.118
- Issue online: 12 JUN 2009
- Version of Record online: 12 JUN 2009
- King Fahd University of Petroleum
- Minerals in completion
- network security;
- DoS attacks;
- complexity-algorithm attacks
In this paper we identify a potential Denial of Service (DoS) attack that targets the last-matching rules of the security policy of a firewall. The last-matching rules are those rules that are located at the bottom of the ruleset of a firewall's security policy, and would require the most processing time by the firewall. If these rules are discovered, an attacker can potentially launch an effective low-rate DoS attack to trigger worst-case or near worst-case processing, thereby overwhelming the firewall and bringing it to its knees. In this paper, we present a probing technique to remotely discover the last-matching rules of a firewall. We study experimentally the effectiveness of this probing technique taking into account important factors such as the firewall's motherboard architecture and load conditions at network links and hosts. In addition we examine the impact of launching a low-rate DoS attack on a firewall's performance. The performance is studied in terms of the firewall's CPU utilization and throughput, packet loss, and latency. Copyright © 2009 John Wiley & Sons, Ltd.