TY - JOUR
T1 - Improved session table architecture for denial of stateful firewall attacks
AU - Trabelsi, Zouheir
AU - Zeidan, Safaa
AU - Shuaib, Khaled
AU - Salah, Khaled
N1 - Funding Information:
This work was supported by UPAR under Grant 31T080.
Publisher Copyright:
© 2013 IEEE.
PY - 2018/6/24
Y1 - 2018/6/24
N2 - Stateful firewalls keep track of the state of network connections. The performance of stateful firewalls depends mainly on the processing of session tables and the mechanism used for packet filtering. This paper presents a stateful session table architecture for a splay tree firewall. A splay tree firewall organizes firewall rules in a designated prefix length splay tree data structure, combined with a collection of hash tables grouped by prefix length. When using a splay tree firewall, packet filtering time is essentially reduced through multilevel filtering paths, where unwanted packets are rejected as early as possible. The proposed session table architecture reduces memory space consumption and packet filtering time, as it uses one hash slot per connection. Keeping information related to each connection in one session entry produces additional processing time, particularly for processing session timeouts. The proposed session architecture separates session state and timeout information into different data structures. Under DoS attacks, the proposed architecture compares non-first packets directly with a splay tree firewall. Consequently, packets are rejected early on, thus avoiding the extra computational overhead caused by hash function calculation and session table processing.
AB - Stateful firewalls keep track of the state of network connections. The performance of stateful firewalls depends mainly on the processing of session tables and the mechanism used for packet filtering. This paper presents a stateful session table architecture for a splay tree firewall. A splay tree firewall organizes firewall rules in a designated prefix length splay tree data structure, combined with a collection of hash tables grouped by prefix length. When using a splay tree firewall, packet filtering time is essentially reduced through multilevel filtering paths, where unwanted packets are rejected as early as possible. The proposed session table architecture reduces memory space consumption and packet filtering time, as it uses one hash slot per connection. Keeping information related to each connection in one session entry produces additional processing time, particularly for processing session timeouts. The proposed session architecture separates session state and timeout information into different data structures. Under DoS attacks, the proposed architecture compares non-first packets directly with a splay tree firewall. Consequently, packets are rejected early on, thus avoiding the extra computational overhead caused by hash function calculation and session table processing.
KW - DoS attacks on session table
KW - Network firewalls
KW - early packet rejection
KW - hash table
KW - packet classification
KW - session table
KW - splay tree
KW - stateful firewall
UR - http://www.scopus.com/inward/record.url?scp=85049129717&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85049129717&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2018.2850345
DO - 10.1109/ACCESS.2018.2850345
M3 - Article
AN - SCOPUS:85049129717
SN - 2169-3536
VL - 6
SP - 35528
EP - 35543
JO - IEEE Access
JF - IEEE Access
ER -