Session Table Architecture for Defending SYN Flood Attack

Li, Xin; Ji, Zhenzhou; Hu, Mingzeng

doi:10.1007/11602897_19

Cited by 8 publications

(8 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The mechanism used the natural properties of the splay tree firewall, and a session table architecture that is based on session attributes separation to deal with costly timeout attribute. In [31], fast session table manipulation algorithm is proposed to improve session timeout process. The algorithm covers multi-queue architectures however; it defends hosts only against SYN flood attack.…”

Section: Related Workmentioning

confidence: 99%

Thwarting ICMP Low-Rate Attacks Against Firewalls While Minimizing Legitimate Traffic Loss

et al. 2020

View full text Add to dashboard Cite

Low-rate distributed denial of service (LDDoS) attacks pose more challenging threats that disrupt network security devices and services. Such type of attacks is difficult to detect and mitigate. In LDDoS attacks, attacker uses low-volume of malicious traffic that looks alike legitimate traffic. Thus, it can enter the network in silence without any notice. However, it may have severe effect on disrupting network services, depleting system resources, and degrading network speed to a point considering them as one of the most damaging attack types. There are many types of LDDoS such as application server and ICMP error messages based LDDoS. This paper is solely concerned with the ICMP error messages based LDDoS. The paper proposes a mechanism to mitigate low-rate ICMP error message attacks targeting security devices, such as firewalls. The mechanism is based on triggering a rejection rule to defend against corresponding detected attack as early as possible, in order to preserve firewall resources. The rejection rule has certain adaptive activity time, during which the rule continues to reject related low-rate attack packets. This activity time is dynamically predicted for the next rule activation period according to current and previous attack severity and statistical parameters. However, the rule activity time needs to be stabilized in a manner in order to prevent any additional overhead to the system as well as to prevent incremental loss of corresponding legitimate packets. Experimental results demonstrate that the proposed mechanism can efficiently defend against incremental evasion cycle of low-rate attacks, and monitor rejection rule activity duration to minimize legitimate traffic loss. INDEX TERMS Low-rate attacks, BlackNurse attack, Stateful firewall, session table, attack probabilistic modeling.

show abstract

Section: Related Workmentioning

confidence: 99%

Thwarting ICMP Low-Rate Attacks Against Firewalls While Minimizing Legitimate Traffic Loss

et al. 2020

View full text Add to dashboard Cite

show abstract

“…Actually, most of existing researches were intended to investigate the architecture and processing of session table for the purpose of providing stronger security protection and increase firewall availability and scalability [12], [22], [16], [18], [23].…”

Section: B Stateful Packet Filtering Firewallmentioning

confidence: 99%

QoS-aware firewall session table

Mostafa

Kalam

Minuta

et al. 2011

2011 6th International Conference on Risks and Security of Internet and Systems (CRiSIS)

View full text Add to dashboard Cite

Packet classification is the process of matching multiple packet header fields against a possibly large set of filters to find a matching rule. Packet classification was implemented in several application areas such as service differentiation, firewalls, QoS and secure routing. In this paper, we extend the firewall session table to speed up QoS marking process, and thus, to save QoS Classification time. Our proposed algorithm and system have been implemented in the kernel of NetBSD. Experimental tests show that the new implementation can save about 10 μsec per packet if a QoS classification of 10000 filters is used. Moreover, the new implementation needs just less than 0.5 μsec to mark packet regardless of the size of the filtering rules. To evaluate the performance of our new implementation with respect to the QoS characteristics, we measured four important QoS metrics (throughput, packet loss rate, delay and jitter) and compared them with the classical implementation. We finally demonstrate that a significant enhancement is remarked using our new algorithm.

show abstract

“…These various settings of the timeout threshold implies that choosing a proper timeout value is not straightforward, motivating us to investigate the CFR algorithms. Calibrating TCP session-level time-outs is explored in [8], [11]. Kim et al [8] demonstrated that a long time-out threshold under SYN flooding results in a session table explosion.…”

Section: Related Workmentioning

confidence: 99%

“…To remove or disable entire set of stale (not recently touched) flows from memory, time-outs can generally be managed to evict outdated flows using a "touch bit" at the flow level [5], [10]. However, a time-out threshold [11], [8] has a trade-off in protecting flow memory and prematurely purging flows. If time-out is too short, it is less vulnerable to malicious attacks but active flows could be falsely removed.…”

Section: Introductionmentioning

confidence: 99%

Clock-like Flow Replacement Schemes for Resilient Flow Monitoring

Nam

Patankar

Lim

et al. 2009

2009 29th IEEE International Conference on Distributed Computing Systems

View full text Add to dashboard Cite

In the context of a collaborating surveillance system for active TCP sessions handled by a networking device, we consider two problems. The first is the problem of protecting a flow table from overflow and the second is developing an efficient algorithm for estimating the number of active flows coupled with the identification of "heavy-hitter" TCP sessions. Our proposed techniques are sensitive to limited hardware and software resources allocated for this purpose in the linecards in addition to the very high data rates that modern line cards handle; specifically we are interested in cooperatively maintaining a per-flow state with a low cost, which has resiliency on dynamic traffic mix. We investigate a traditional timeout processing mechanism to manage the flow table for per-flow monitoring, called Timeout-Based Purging (TBP), our proposed Clock-like Flow Replacement (CFR) algorithms using a replacement policy, called "clock", and a hybrid approach combining these two. Experiments with Internet traces show that our CFR schemes can significantly reduce both false positive and false negative rates, regardless of whether the flow table is fully occupied (even under SYN flooding) or sufficiently empty. Our hybrid scheme estimates the number of active flows accurately, and confines the heavy-hitters without storing packet counters.

show abstract

Session Table Architecture for Defending SYN Flood Attack

Cited by 8 publications

References 1 publication

Thwarting ICMP Low-Rate Attacks Against Firewalls While Minimizing Legitimate Traffic Loss

Thwarting ICMP Low-Rate Attacks Against Firewalls While Minimizing Legitimate Traffic Loss

QoS-aware firewall session table

Clock-like Flow Replacement Schemes for Resilient Flow Monitoring

Contact Info

Product

Resources

About