Abstract

A denial of service (DoS) attack is purely malicious and is commonly used to overwhelm a network system, making network resources unavailable to legitimate users. One such DoS attack targets the firewall of an enterprise: the attacker sends a large number of malicious packets to the firewall, making it unavailable to legitimate users. To launch a smart and effective DoS attack, an attacker makes a priori assumptions about the order of the firewall's ruleset. An effective firewall does not reveal its ruleset, policies, or other information to the attacker. In this paper, we first present a process that an attacker can use to reconnoiter a firewall system at leisure and collect information about the ruleset of a target firewall. The collected information can then be used by the attacker to launch a slow-rate DoS attack against the firewall. We then propose a countermeasure technique, “Delay Induced Response (DIR)”, which applies the underlying principle of moving target defense as a cyber maneuver technique. In DIR, the network frequently changes the properties visible to the attacker in order to prevent the attacker from discovering information about the firewall policy or its ruleset. The primary objective of DIR is to delude the attacker in his efforts to discover the order of the firewall ruleset—specifically, the last matching rule (also known as the “default rule”) in a firewall.
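The following simulation is an added illustration and not code from the paper: it shows why the position of the matching rule can leak through response latency when a firewall evaluates rules top to bottom, and measures how much of that signal survives a DIR-style countermeasure. The ruleset, the per-rule cost model and the modelling of DIR as padding every response to the worst-case lookup time plus random jitter are all constructed assumptions, not the paper's mechanism.

```python
import random
import statistics
from ipaddress import ip_address, ip_network

# Constructed ruleset (assumption): evaluated top to bottom, first match wins,
# and the final catch-all entry is the default rule.
RULES = [
    (ip_network("10.1.0.0/16"), "allow"),
    (ip_network("10.2.0.0/16"), "deny"),
    (ip_network("192.168.0.0/24"), "allow"),
    (ip_network("172.16.0.0/12"), "deny"),
    (ip_network("0.0.0.0/0"), "deny"),  # default rule
]
BASE_COST = 100     # constructed: fixed per-packet cost, in microseconds
PER_RULE_COST = 40  # constructed: extra cost for each rule inspected


def evaluate(rules, src):
    """Sequential first-match lookup; returns (action, position of matching rule)."""
    for position, (prefix, action) in enumerate(rules, start=1):
        if src in prefix:
            return action, position
    raise ValueError("ruleset has no default rule")


def observed_latency(rules, src, dir_enabled, rng):
    """Latency as seen by the sender. Without DIR it grows with the number of
    rules inspected; with DIR (modelled as padding to the worst case plus jitter)
    it no longer depends on which rule matched."""
    _, position = evaluate(rules, src)
    jitter = rng.uniform(0, 10)
    if dir_enabled:
        return BASE_COST + PER_RULE_COST * len(rules) + jitter
    return BASE_COST + PER_RULE_COST * position + jitter


def pearson(xs, ys):
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def timing_leakage(rules, probes, dir_enabled, seed=7):
    """|Pearson r| between matching-rule position and observed latency:
    near 1 means timing reveals rule order, near 0 means it does not."""
    rng = random.Random(seed)
    positions = [evaluate(rules, p)[1] for p in probes]
    latencies = [observed_latency(rules, p, dir_enabled, rng) for p in probes]
    return abs(pearson(positions, latencies))


def constructed_probes(n=200, seed=1):
    """Constructed sample traffic: sources drawn from each prefix and from unmatched space."""
    rng = random.Random(seed)
    spaces = [r[0] for r in RULES[:-1]] + [ip_network("203.0.113.0/24")]
    picks = [rng.choice(spaces) for _ in range(n)]
    return [ip_address(int(s.network_address) + rng.randrange(s.num_addresses)) for s in picks]
```

Running `timing_leakage` on the constructed probes gives a correlation close to 1 without DIR and close to 0 with it, which is the property a defender would monitor when tuning such a countermeasure.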
