Improved session table architecture for denial of stateful firewall attacks

Zouheir Trabelsi, Safaa Zeidan, Khaled Shuaib, Khaled Salah

Research output: Contribution to journalArticlepeer-review

12 Citations (Scopus)


Stateful firewalls keep track of the state of network connections. The performance of stateful firewalls depends mainly on the processing of session tables and the mechanism used for packet filtering. This paper presents a stateful session table architecture for a splay tree firewall. A splay tree firewall organizes firewall rules in a designated prefix length splay tree data structure, combined with a collection of hash tables grouped by a prefix length. When using a splay tree firewall, packet filtering time is essentially reduced through multilevel filtering paths, where unwanted packets are rejected as early as possible. The proposed session table architecture reduces memory space consumption and packet filtering time, as it uses one hash slot per connection. Keeping information related to each connection in one session entry produces additional processing time, particularly for processing session timeouts. The proposed session architecture separates session state and timeout information into different data structures. Under DoS attacks, the proposed architecture compares non-first packets directly with a splay tree firewall. Consequently, packets are rejected early on, and thus avoiding the extra computational overhead caused by hash function calculation and session table processing.

Original languageEnglish
Pages (from-to)35528-35543
Number of pages16
JournalIEEE Access
Publication statusPublished - Jun 24 2018


  • DoS attacks on session table
  • Network firewalls
  • early packet rejection
  • hash table
  • packet classification
  • session table
  • splay tree
  • stateful firewall

ASJC Scopus subject areas

  • General Computer Science
  • General Materials Science
  • General Engineering


Dive into the research topics of 'Improved session table architecture for denial of stateful firewall attacks'. Together they form a unique fingerprint.

Cite this