IEEE Access (Jan 2018)
Improved Session Table Architecture for Denial of Stateful Firewall Attacks
Abstract
Stateful firewalls keep track of the state of network connections. The performance of stateful firewalls depends mainly on the processing of session tables and the mechanism used for packet filtering. This paper presents a stateful session table architecture for a splay tree firewall. A splay tree firewall organizes firewall rules in a designated prefix length splay tree data structure, combined with a collection of hash tables grouped by prefix length. When using a splay tree firewall, packet filtering time is substantially reduced through multilevel filtering paths, where unwanted packets are rejected as early as possible. The proposed session table architecture reduces memory space consumption and packet filtering time, as it uses one hash slot per connection. Keeping all information related to a connection in one session entry produces additional processing time, particularly for processing session timeouts. The proposed session architecture therefore separates session state and timeout information into different data structures. Under DoS attacks, the proposed architecture compares non-first packets directly with the splay tree firewall. Consequently, such packets are rejected early on, avoiding the extra computational overhead caused by hash function calculation and session table processing.
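The following Python sketch is an added illustration of the design the abstract describes, not code from the paper: rules live in hash tables grouped by prefix length (the splay tree ordering of prefix lengths is omitted and replaced by a longest-prefix-first scan), each connection occupies one session slot, timeouts are kept in a separate min-heap so expiry never walks the whole session table, and under DoS non-first packets are rule-checked before any hashing or session lookup. The packet tuple layout, the `ttl` parameter and the `under_dos` flag are assumptions made for this example.

```python
import heapq
import ipaddress

RULES = {}  # prefix length -> hash table {network address -> action} (constructed)

def add_rule(cidr, action):
    net = ipaddress.ip_network(cidr)
    RULES.setdefault(net.prefixlen, {})[int(net.network_address)] = action

def rule_check(src):
    """Longest prefix length first, so a specific deny rejects a packet early."""
    a = int(ipaddress.ip_address(src))
    for plen in sorted(RULES, reverse=True):
        act = RULES[plen].get((a >> (32 - plen)) << (32 - plen))
        if act is not None:
            return act
    return "deny"  # default deny

class SessionTable:
    def __init__(self, ttl, under_dos=False):
        self.ttl, self.under_dos = ttl, under_dos
        self.sessions = {}   # one slot per connection: key -> (state, expiry)
        self.timeouts = []   # separate min-heap of (expiry, key); stale entries skipped

    def _expire(self, now):
        # Only the heap is inspected; a popped entry whose expiry no longer matches
        # the session's current expiry is stale (the session was refreshed later).
        while self.timeouts and self.timeouts[0][0] <= now:
            exp, key = heapq.heappop(self.timeouts)
            if key in self.sessions and self.sessions[key][1] == exp:
                del self.sessions[key]

    def process(self, pkt, now):
        """pkt = (src, dst, sport, dport, proto, is_first); returns ACCEPT or DROP."""
        self._expire(now)
        src, is_first = pkt[0], pkt[5]
        # First packets are always rule-checked; under DoS so are non-first packets,
        # before any hash computation or session lookup.
        if (is_first or self.under_dos) and rule_check(src) == "deny":
            return "DROP"
        key = hash(pkt[:5])  # one hash slot per connection
        if is_first:
            exp = now + self.ttl
            self.sessions[key] = ("ESTABLISHED", exp)
            heapq.heappush(self.timeouts, (exp, key))
            return "ACCEPT"
        if key not in self.sessions:
            return "DROP"            # non-first packet with no session
        exp = now + self.ttl         # refresh: push new entry, old one becomes stale
        self.sessions[key] = (self.sessions[key][0], exp)
        heapq.heappush(self.timeouts, (exp, key))
        return "ACCEPT"
```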
Keywords