Abstract
Firewalls are essential components for security enforcement in a network, as they are the first layer of protection against unwanted traffic and cyber-attacks. While the requirements for efficiency led to the design of ever more complex systems, evolving from stateless to stateful firewalls, this complexity introduced new vulnerabilities. In this paper, we discuss a new vulnerability present in packet filtering that we call Vulnerability on Firewall States (Von-FS). It is due to three factors: 1) once a state is up, traffic going through it is not checked anymore; 2) a state's timeout is refreshed whenever a packet matches it; and 3) pushing a blocking/dropping rule into the firewall does not automatically delete the states that the rule makes obsolete. This vulnerability can be exploited by known attacks to become stealthier and harder to stop once detected. Our study shows that many commercial and open-source firewalls are subject to this vulnerability. We propose a mitigation that consists of deleting all obsolete states whenever a dropping rule is pushed. We evaluated this idea by patching a well-known open-source firewall, FreeBSD. Experiments show that the impact on firewall performance is very low.
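The three factors named in the abstract, and the proposed mitigation, can be illustrated with a small model of a stateful firewall's state table. The following is an added example written for this page; it is not code from the paper or from FreeBSD, and the class and function names, the 60-second timeout and the IP addresses are assumptions constructed for the illustration. It shows, from the defender's side, why a freshly pushed block rule has no effect on an existing state (factors 1 and 3), why that state can outlive its nominal timeout as long as packets keep matching it (factor 2), and how purging matching states when a block rule is pushed closes the gap.

```python
"""Toy model of a stateful firewall's state table (added illustration; the names,
timeout value and addresses below are constructed assumptions, not the paper's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """A connectionless flow identified by its 4-tuple plus protocol."""
    src: str
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: Optional[str] = None    # None matches any source address
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (self.src is None or self.src == flow.src) and \
               (self.dport is None or self.dport == flow.dport)


class StatefulFirewall:
    def __init__(self, state_timeout: int = 60, purge_on_block: bool = False):
        self.state_timeout = state_timeout
        self.purge_on_block = purge_on_block   # the mitigation: purge states a block rule makes obsolete
        self.rules: list = []                  # first matching rule wins
        self.states: dict = {}                 # Flow -> expiry time (seconds)

    def push_rule(self, rule: Rule, now: int) -> int:
        """Install a rule; with the mitigation enabled, also delete states the rule now forbids.
        Returns the number of states removed."""
        self.rules.insert(0, rule)
        removed = 0
        if rule.action == "block" and self.purge_on_block:
            for flow in [f for f in self.states if rule.matches(f)]:
                del self.states[flow]
                removed += 1
        return removed

    def handle(self, flow: Flow, now: int) -> str:
        """Decide on one packet and return the decision as a short label."""
        # Drop expired states first.
        self.states = {f: exp for f, exp in self.states.items() if exp > now}
        if flow in self.states:
            # Factor 1: a matching state bypasses the rule set entirely.
            # Factor 2: the match refreshes the state's timeout.
            self.states[flow] = now + self.state_timeout
            return "pass(state)"
        for rule in self.rules:
            if rule.matches(flow):
                if rule.action == "pass":
                    self.states[flow] = now + self.state_timeout  # state creation
                    return "pass(rule)"
                return "drop(rule)"
        return "drop(default)"


def scenario(purge_on_block: bool) -> dict:
    """Replay the same packet sequence with and without the mitigation."""
    fw = StatefulFirewall(state_timeout=60, purge_on_block=purge_on_block)
    fw.push_rule(Rule("pass", dport=53), now=0)           # DNS-style UDP flows are allowed
    flow = Flow("192.0.2.10", "198.51.100.1", 53)         # constructed documentation addresses
    decisions = [fw.handle(flow, 0)]                      # t=0: allowed by rule, state created
    purged = fw.push_rule(Rule("block", src="192.0.2.10"), now=10)  # operator blocks the source
    for t in (20, 70, 125):                               # packets keep arriving every ~50 s
        decisions.append(fw.handle(flow, t))              # each one refreshes the 60 s timeout
    return {"purged": purged, "decisions": decisions}


if __name__ == "__main__":
    print("without mitigation:", scenario(False))
    print("with mitigation:   ", scenario(True))
```

Without the purge, every packet after the block rule is still accepted by the existing state, and because each match refreshes the expiry the state is still alive at t=125, long past the 60-second timeout it was created with. With `purge_on_block=True`, pushing the block rule removes the one matching state and the very next packet is evaluated against the rule set and dropped. A real firewall additionally has to walk the state table efficiently when a rule is pushed; the abstract reports that the cost of doing so in the FreeBSD patch was very low.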
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Koribeche, W., Espes, D., Morin, C. (2024). UDP State Manipulation: Description of a Packet Filtering Vulnerability in Stateful Firewalls. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_19
DOI: https://doi.org/10.1007/978-3-031-57537-2_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57536-5
Online ISBN: 978-3-031-57537-2
eBook Packages: Computer Science, Computer Science (R0)