{"title":"A network challenge identification strategy based on firewall performance analysis","authors":"Andrés F. Ocampo, N. Gaviria","doi":"10.1109/CCST.2013.6922069","DOIUrl":null,"url":null,"abstract":"In this papper, we study a resource starvation challenge caused by low rate DoS (Denial of Service)-DDoS (Distributed DoS) attacks targeting the last-matching rules of the firewall's security policy. Our onset challenge detection mechanisms considers a CPU utilization threshold to keep track of firewall processing performance. In this way, when this threshold is reached, an initial alarm of the occurrence of an attack is triggered. Such a methodology enable to deploy an strategy of impact mitigation. Initial remediation actions against challenges are then considered once the detection part is performed, it includes the temporary swap of the most likely last-rule matched, in order to improve the system performance. We evaluate our strategy through simulations performed in Network Simulator 2, results show the performance of this scheme when subjected to normal traffic flows as well as DoS and DDoS attack flows.","PeriodicalId":243791,"journal":{"name":"2013 47th International Carnahan Conference on Security Technology (ICCST)","volume":"2 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 47th International Carnahan Conference on Security Technology (ICCST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CCST.2013.6922069","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0
Abstract
In this paper, we study a resource starvation challenge caused by low-rate DoS (Denial of Service) and DDoS (Distributed DoS) attacks targeting the last-matching rules of the firewall's security policy. Our onset challenge detection mechanism uses a CPU utilization threshold to keep track of firewall processing performance. When this threshold is reached, an initial alarm indicating the occurrence of an attack is triggered. This methodology makes it possible to deploy an impact mitigation strategy. Once detection has been performed, initial remediation actions against challenges are considered; these include the temporary swap of the most likely last matched rule, in order to improve system performance. We evaluate our strategy through simulations performed in Network Simulator 2; the results show the performance of this scheme when subjected to normal traffic flows as well as DoS and DDoS attack flows.