Title: Improved Session Table Architecture for Denial of Stateful Firewall Attacks
Abstract: Stateful firewalls keep track of the state of network connections. The performance of a stateful firewall depends mainly on how its session table is processed and on the mechanism used for packet filtering. This paper presents a stateful session table architecture for a splay tree firewall. A splay tree firewall organizes firewall rules in a designated prefix-length splay tree data structure, combined with a collection of hash tables grouped by prefix length. With a splay tree firewall, packet filtering time is substantially reduced through multilevel filtering paths, where unwanted packets are rejected as early as possible. The proposed session table architecture reduces memory consumption and packet filtering time, as it uses one hash slot per connection. Keeping all information related to a connection in a single session entry adds processing time, particularly when processing session timeouts; the proposed architecture therefore separates session state and timeout information into different data structures. Under DoS attacks, the proposed architecture compares non-first packets directly against the splay tree firewall. Consequently, packets are rejected early, avoiding the extra computational overhead of hash function calculation and session table processing.
Year: 2018
DOI: 10.1109/ACCESS.2018.2850345
Venue: IEEE ACCESS
Keywords: Network firewalls, stateful firewall, session table, DoS attacks on session table, packet classification, early packet rejection, splay tree, hash table
Field: Firewall (construction), Denial-of-service attack, Splay tree, Computer science, Network packet, Computer network, Memory management, Hash function, Stateful firewall, Hash table
DocType: Journal
Volume: 6
ISSN: 2169-3536
Citations: 0
PageRank: 0.34
References: 0
Authors: 4

Name            Order  Citations  PageRank
Zouheir Trabelsi    1        136     27.78
Safaa Zeidan        2         25      5.54
Khaled Shuaib       3        178     33.20
Khaled Salah        4        535     69.86