Abstract

Denial of service (DoS) attacks pose a major threat to the smooth operation of critical network resources. Network firewalls act as the first line of defence against unwanted and malicious traffic, yet firewalls themselves can become the target of DoS attacks. In prior work (Salah et al., 2009), we studied the resiliency and robustness of open-source network firewalls against remote discovery of their last-matching rules. If the last-matching rules are discovered, an attacker can launch an effective, slow-rate DoS attack that brings the firewall to its knees. In this paper, we examine and compare the resiliency of five of the most popular network firewalls, both open-source and commercial: Linux NetFilter, Linux IPSets, FreeBSD ipfw, Cisco PIX and Cisco ASA. Our results show significant variation in the resiliency of these five firewall technologies, with Cisco ASA being the most resilient and Cisco PIX the most vulnerable.
