Skip to main content
SpringerLink
Log in

UDP State Manipulation: Description of a Packet Filtering Vulnerability in Stateful Firewalls

  • Conference paper
  • First Online:
Foundations and Practice of Security (FPS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14551))

Included in the following conference series:

  • 44 Accesses

Abstract

Firewalls are essential components for security enforcement in a network, as they are the first layer of protection from unwanted traffic and cyber-attacks. While the requirements for efficiency led to the design of ever more complex systems, evolving from stateless to stateful firewalls, this complexity induced new vulnerabilities. In this paper, we discuss a new vulnerability present in Packet Filtering that we called Vulnerability on Firewall States (Von-FS). It is due to three factors: 1) once a state is up, traffic going through it is not checked anymore, 2) a state timeout is refreshed when a packet matches it, and 3) pushing a blocking/dropping rule in the firewall does not automatically delete obsolete states. This vulnerability can be used by legacy attacks to be more stealthy and more difficult to stop when detected. Our study shows that many commercial and open-source firewalls are subject to this vulnerability. We propose a mitigation solution that consists of deleting all obsolete states whenever a dropping rule is pushed. We evaluated this idea by patching a well-known open-source firewall, FreeBSD. Experiments show that the impact on firewall performance is very low.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://access.redhat.com/discussions/5165651.

  2. 2.

    https://unix.stackexchange.com/questions/527867/force-iptables-to-immediately-put-drop-rule-into-effect.

  3. 3.

    https://www.freebsd.org.

  4. 4.

    https://github.com/aligungr/UERANSIM.

  5. 5.

    https://suricata.io/.

  6. 6.

    https://www.drools.org/.

  7. 7.

    https://www.freebsd.org/.

  8. 8.

    https://kafka.apache.org/.

  9. 9.

    https://scapy.net.

  10. 10.

    https://www.juniper.net/documentation/us/en/software/junos/security-policies/index.html.

  11. 11.

    https://cert.ssi.gouv.fr.

References

  1. Gregg, M. (ed.): Hack the Stack, pp. 151–203. Syngress. https://doi.org/10.1016/B978-159749109-9/50009-5, https://www.sciencedirect.com/science/article/pii/B9781597491099500095

  2. Garcia, N.M., Gil, F., Matos, B., Yahaya, C., Pombo, N., Goleva, R.I.: Keyed user datagram protocol: concepts and operation of an almost reliable connectionless transport protocol. IEEE Access 7, 18951–18963 (2018). https://doi.org/10.1109/ACCESS.2018.2886707

  3. Gouda, M.G., Liu, A.X.: A model of stateful firewalls and its properties. In: 2005 International Conference on Dependable Systems and Networks (DSN’05), pp. 128–137. IEEE (2005)

    Google Scholar 

  4. Huang, H., Hu, L., Chu, J., Cheng, X.: An authentication scheme to defend against UDP DrDoS attacks in 5g networks. IEEE Access 7, 175970–175979 (2019). https://doi.org/10.1109/ACCESS.2019.2957565

  5. Hussain, M.A., Jin, H., Hussien, Z.A., Abduljabbar, Z.A., Abbdal, S.H., Ibrahim, A.: DNS protection against spoofing and poisoning attacks. In: 2016 3rd International Conference on Information Science and Control Engineering (ICISCE), pp. 1308–1312 (2016). https://doi.org/10.1109/ICISCE.2016.279

  6. IBM whitepaper: An architectural blueprint for autonomic computing

    Google Scholar 

  7. Kim, H., Pak, W., Ju, H.: Correlation analysis between inference accuracy and inference parameters for stateless firewall policy. In: 2013 15th Asia-Pacific Network Operations and Management Symposium (APNOMS), pp. 1–6 (2013)

    Google Scholar 

  8. Klein, A.: Subverting stateful firewalls with protocol states. In: Proceedings 2022 Network and Distributed System Security Symposium. Internet Society. https://doi.org/10.14722/ndss.2022.23037, https://www.ndss-symposium.org/wp-content/uploads/2022-37-paper.pdf

  9. McCanne, S., Jacobson, V.: The BSD packet filter: a new architecture for user-level packet capture. In: USENIX Winter, vol. 46 (1993)

    Google Scholar 

  10. Sassani, B.A., Abarro, C., Pitton, I., Young, C., Mehdipour, F.: Analysis of NTP DRDoS attacks’ performance effects and mitigation techniques. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST), pp. 421–427 (2016). https://doi.org/10.1109/PST.2016.7906966

  11. Trabelsi, Z., Zeidan, S.: Resilence of network stateful firewalls against emerging dos attacks: a case study of the blacknurse attack. In: 2019 IEEE/ACS 16th International Conference on Computer Systems and Applications (AICCSA), pp. 1–8 (2019). https://doi.org/10.1109/AICCSA47632.2019.9035323

Download references

Author information

Authors and Affiliations

  1. Institute of Research and Technology b<>com, Rennes, France

    Wassim Koribeche, David Espes & Cédric Morin

  2. Université de Bretagne Occidentale, Brest, France

    Wassim Koribeche & David Espes

Authors
  1. Wassim Koribeche
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. David Espes
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Cédric Morin
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Wassim Koribeche .

Editor information

Editors and Affiliations

  1. University of Bordeaux, Bordeaux, France

    Mohamed Mosbah

  2. Toulouse III - Paul Sabatier University, Toulouse, France

    Florence Sèdes

  3. Université Laval, Québec, QC, Canada

    Nadia Tawbi

  4. University of Bordeaux, Bordeaux, France

    Toufik Ahmed

  5. Polytechnique Montréal, Montreal, QC, Canada

    Nora Boulahia-Cuppens

  6. Telecom SudParis, Palaiseau, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Koribeche, W., Espes, D., Morin, C. (2024). UDP State Manipulation: Description of a Packet Filtering Vulnerability in Stateful Firewalls. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_19

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-57537-2_19

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-57536-5

  • Online ISBN: 978-3-031-57537-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation