Abstract
Algorithmic complexity vulnerabilities give an adversary the opportunity to conduct a sophisticated kind of attack, for example against network infrastructure services. Such attacks take advantage of the worst-case time or space complexity of algorithms implemented in the software of network devices. In this paper we address the potential risks introduced by such algorithmic behavior in computer networks, in particular on a stateful firewall. First we introduce the idea and the theoretical background of the attack. We then describe in full detail a successfully conducted attack which takes advantage of the worst-case computational complexity of O(n^2) of the hash table data structure used to store active sessions. The attack at hand is initiated from a network protected by the stateful firewall feature of a router towards a remote server, causing a DoS (Denial of Service) on an industry-grade router. Our experimental results, obtained on a real-life network topology, show that by generating undetected, low-bandwidth but malicious network traffic that causes collisions in the firewall’s hash table we make the firewall unreachable or even cause it to announce a segmentation fault and reboot itself.
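The following is an added illustration of the mechanism the abstract describes; it is not code from the paper and has nothing to do with the router's actual implementation. It models a session table as a chained hash table keyed by the connection 5-tuple and contrasts a constructed, predictable bucket function (`weak_bucket`, a plain field sum) with an assumed mitigation, a secret-keyed hash (`keyed_bucket`, BLAKE2b with a per-boot key). It also reports two defender-side metrics, the longest chain and Pearson's chi-square of bucket occupancy, which together show when insert work has degenerated from O(1) per session to O(n^2) in total. The traffic set, the table size and the alarm factor are all constructed for the demonstration.

```python
"""Toy stateful-firewall session table (added example, not the paper's or Cisco's code).
Demonstrates how a predictable bucket function lets colliding sessions pile up in
one chain (quadratic total work) and how a keyed hash keeps the load spread."""
import hashlib
import os
from collections import defaultdict

NBUCKETS = 1024  # constructed table size for the demo


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def weak_bucket(flow, nbuckets=NBUCKETS):
    """Constructed weak hash: plain sum of the 5-tuple fields. Any two flows with
    the same field sum share a bucket, so the slot is predictable from outside."""
    src, sport, dst, dport, proto = flow
    return (ip_to_int(src) + sport + ip_to_int(dst) + dport + proto) % nbuckets


_SECRET = os.urandom(16)  # assumed per-boot secret; the mitigation, not from the paper


def keyed_bucket(flow, nbuckets=NBUCKETS, key=_SECRET):
    """Keyed hash: the bucket depends on a secret the sender does not know."""
    src, sport, dst, dport, proto = flow
    msg = f"{src}|{sport}|{dst}|{dport}|{proto}".encode()
    digest = hashlib.blake2b(msg, key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % nbuckets


class SessionTable:
    """Chained hash table. Insert first walks the chain to look for an existing
    session (as a firewall must), so the cost of one insert is the chain length."""

    def __init__(self, bucket_fn, nbuckets=NBUCKETS):
        self.bucket_fn = bucket_fn
        self.nbuckets = nbuckets
        self.chains = defaultdict(list)
        self.probes = 0  # total comparisons performed; proxy for CPU time

    def insert(self, flow):
        chain = self.chains[self.bucket_fn(flow, self.nbuckets)]
        for existing in chain:
            self.probes += 1
            if existing == flow:
                return False
        chain.append(flow)
        return True

    def size(self):
        return sum(len(c) for c in self.chains.values())

    def max_chain(self):
        return max((len(c) for c in self.chains.values()), default=0)

    def chi_square(self):
        """Pearson chi-square of bucket occupancy against a uniform spread;
        a value far above (nbuckets - 1) means the load sits in a few buckets."""
        expected = self.size() / self.nbuckets
        if expected == 0:
            return 0.0
        return sum((len(self.chains.get(b, ())) - expected) ** 2 / expected
                   for b in range(self.nbuckets))

    def chain_alarm(self, factor=8):
        """Monitor check: longest chain exceeds `factor` x the average load."""
        return self.max_chain() > factor * max(1.0, self.size() / self.nbuckets)


def colliding_flows(n):
    """Constructed traffic: n TCP flows whose port fields sum to a constant, so
    they all land in one bucket under weak_bucket but not under keyed_bucket."""
    return [("10.0.0.2", 1024 + i, "192.0.2.10", 60000 - i, 6) for i in range(n)]


def run(bucket_fn, n=2000):
    """Insert n constructed flows and return (probes, max_chain, chi_square, alarm)."""
    table = SessionTable(bucket_fn)
    for flow in colliding_flows(n):
        table.insert(flow)
    return table.probes, table.max_chain(), table.chi_square(), table.chain_alarm()


if __name__ == "__main__":
    for name, fn in (("weak", weak_bucket), ("keyed", keyed_bucket)):
        probes, longest, chi2, alarm = run(fn)
        print(f"{name:5s} probes={probes:>8d} max_chain={longest:>5d} "
              f"chi2={chi2:>12.1f} alarm={alarm}")
```

With the predictable function every one of the 2000 sessions lands in the same chain, so the table performs 2000·1999/2 comparisons in total and the chain-length alarm fires; with the keyed function the same traffic spreads across the buckets, the total work stays near n²/(2·NBUCKETS), and the chi-square statistic stays near its expected value of NBUCKETS − 1. Either metric is cheap enough to sample periodically on a device as a detection signal.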
Notes
- 1.
A dedicated router usually has a wider range of features for manipulating routing tables and the routing process in general than a dedicated firewall. On the other hand, a dedicated firewall has more security-related features than a router.
- 2.
During the creation of the lab a host running the Microsoft Windows operating system was considered first as well. It turned out that originating more than 2000 connections from the Windows host using the ftp console command is problematic and makes the system unstable. So, in an attempt to tackle the problem, a dedicated FTP client program was written in MS Visual Studio. The connection-management optimizations embedded in the .NET Framework made the program reuse existing connections instead of creating new ones. Shortly after this all attempts to use Microsoft Windows as an attack platform were discontinued.
- 3.
The Cisco 2621XM Multiservice Router was in production until 2007 and its support was discontinued as of 2013. This device was chosen deliberately, because it was never the intention of the authors to show product vulnerabilities of any particular vendor. We realize that similar mechanisms are applied by other manufacturers as well. Taking a device that is no longer offered or supported seemed the right choice to show that the issue is of importance while, at the same time, not causing any damage whatsoever to the manufacturer's reputation.
© 2017 Springer International Publishing AG
Czubak, A., Szymanek, M. (2017). Algorithmic Complexity Vulnerability Analysis of a Stateful Firewall. In: Grzech, A., Świątek, J., Wilimowska, Z., Borzemski, L. (eds) Information Systems Architecture and Technology: Proceedings of 37th International Conference on Information Systems Architecture and Technology – ISAT 2016 – Part II. Advances in Intelligent Systems and Computing, vol 522. Springer, Cham. https://doi.org/10.1007/978-3-319-46586-9_7
DOI: https://doi.org/10.1007/978-3-319-46586-9_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46585-2
Online ISBN: 978-3-319-46586-9