• DocumentCode
    1911380
  • Title
    Adaptive Early Packet Filtering for Defending Firewalls Against DoS Attacks
  • Author
    El-Atawy, Adel ; Al-Shaer, Ehab ; Tran, Tung ; Boutaba, Raouf
  • Author_Institution
    Sch. of Comput., DePaul Univ., Chicago, IL
  • fYear
    2009
  • fDate
    19-25 April 2009
  • Firstpage
    2437
  • Lastpage
    2445
  • Abstract
    A major threat to data networks stems from the fact that some traffic can be expensive to classify and filter, as it traverses a longer-than-average list of filtering rules before being rejected by the default deny rule. An attacker with some information about the access-control list (ACL) deployed at a firewall or an intrusion detection and prevention system (IDS/IPS) can craft packets that incur this maximum cost. In this paper, we present a technique that is lightweight, traffic-adaptive, and can be deployed on top of any filtering mechanism to pre-filter unwanted, expensive traffic. The technique combines Internet traffic characteristics with a specially and carefully tuned representation of the policy to generate early defense policies. We use Boolean expressions built as binary decision diagrams (BDDs) to represent relaxed versions of the policy that are faster to evaluate. Moreover, the technique is guaranteed never to add overhead that is not compensated for by the gain in filtering time in the underlying filtering method. Evaluation has shown considerable savings in the overall filtering process, thus saving firewall processing power and increasing overall throughput. The overhead also adapts to the traffic behavior and can be tuned to guarantee its worst-case time cost.
  • Keywords
    Boolean algebra; Internet; adaptive filters; authorisation; binary decision diagrams; telecommunication security; telecommunication traffic; Boolean expression; DoS attack; Internet traffic; access-control list; adaptive early packet filtering; binary decision diagram; data network; default deny rule; firewalls; intrusion detection; prevention system; traffic behavior; Adaptive filters; Character generation; Computer crime; Costs; Data structures; Information filtering; Information filters; Internet; Intrusion detection; Telecommunication traffic
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    INFOCOM 2009, IEEE
  • Conference_Location
    Rio de Janeiro
  • ISSN
    0743-166X
  • Print_ISBN
    978-1-4244-3512-8
  • Electronic_ISBN
    0743-166X
  • Type
    conf
  • DOI
    10.1109/INFCOM.2009.5062171
  • Filename
    5062171