Improved Session Table Architecture for Denial of Stateful Firewall Attacks

Abstract

Read online

Stateful firewalls keep track of the state of network connections. The performance of stateful firewalls depends mainly on the processing of session tables and the mechanism used for packet filtering. This paper presents a stateful session table architecture for a splay tree firewall. A splay tree firewall organizes firewall rules in a designated prefix length splay tree data structure, combined with a collection of hash tables grouped by a prefix length. When using a splay tree firewall, packet filtering time is essentially reduced through multilevel filtering paths, where unwanted packets are rejected as early as possible. The proposed session table architecture reduces memory space consumption and packet filtering time, as it uses one hash slot per connection. Keeping information related to each connection in one session entry produces additional processing time, particularly for processing session timeouts. The proposed session architecture separates session state and timeout information into different data structures. Under DoS attacks, the proposed architecture compares non-first packets directly with a splay tree firewall. Consequently, packets are rejected early on, and thus avoiding the extra computational overhead caused by hash function calculation and session table processing.

Keywords

• Network firewalls
• stateful firewall
• session table
• DoS attacks on session table
• packet classification
• early packet rejection