
Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 522))

Abstract

Algorithmic complexity vulnerabilities give an adversary the opportunity to conduct a sophisticated kind of attack, for instance on network infrastructure services. Such attacks take advantage of the worst-case time or space complexity of algorithms implemented in the software of network devices. In this paper we address the potential risks introduced by such algorithmic behavior in computer networks, in particular on a stateful firewall. First we introduce the idea and the theoretical background of the attack. We then describe in full detail a successfully conducted attack which takes advantage of the worst-case computational complexity of O(n²) of the hash table data structure used to store active sessions. The attack at hand is initiated from a network protected by a stateful firewall router feature towards a remote server, causing a DoS (Denial of Service) on an industry-grade router. Our experimental results, obtained on a real-life network topology, show that by generating undetected, low-bandwidth but malicious network traffic that causes collisions in the firewall's hash table we cause the firewall to become unreachable or even to announce a segmentation fault and reboot itself.
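The mechanism the abstract describes, and the usual mitigation, can be made concrete with a small model. The following Python program is an added illustration and is not code from the paper or from any vendor: it keeps a chained hash table of session 5-tuples, counts the key comparisons each insert performs, and fills it with constructed sample traffic (one client opening many FTP control connections to one server, only the source port varying). The `folded_hash` function is a constructed weak hash whose bucket index ignores the source port, so every session lands in one chain and the total work for n inserts is n(n-1)/2, the O(n²) behaviour the paper reports. The `keyed_hash` function (BLAKE2b with a per-boot secret key) stands in for the universal or keyed hashing the paper's references discuss; under it the same traffic spreads across the table. `chain_alarm` is a simple defender-side check that flags a degenerating table by chain length rather than by packet rate, which is what makes low-bandwidth attacks hard to see in bandwidth-based monitoring. All addresses, ports, bucket counts and the key are assumptions chosen for the demonstration.

```python
import hashlib
import os
import struct
from typing import Callable, Dict, List, Optional, Tuple

# A session key as a stateful firewall tracks it:
# (src_ip, dst_ip, src_port, dst_port, proto), IPs as 32-bit integers.
Session = Tuple[int, int, int, int, int]


class SessionTable:
    """Chained hash table of active sessions. Every insert walks its bucket's
    chain to reject duplicates; the walk is counted so the real cost of a
    series of inserts (what the abstract's O(n^2) refers to) is measurable."""

    def __init__(self, buckets: int, hash_fn: Callable[[Session], int]) -> None:
        self.buckets: List[List[Session]] = [[] for _ in range(buckets)]
        self.hash_fn = hash_fn
        self.comparisons = 0

    def insert(self, s: Session) -> bool:
        chain = self.buckets[self.hash_fn(s) % len(self.buckets)]
        for existing in chain:
            self.comparisons += 1
            if existing == s:
                return False  # session already tracked
        chain.append(s)
        return True

    def max_chain(self) -> int:
        return max(len(c) for c in self.buckets)


def folded_hash(s: Session) -> int:
    """Constructed weak hash (not any real product's): folds the 5-tuple into
    32 bits by XOR. With a power-of-two bucket count the index is the low
    bits, and the source port sits above bit 16, so it never influences
    which bucket a session goes to."""
    src_ip, dst_ip, src_port, dst_port, proto = s
    return (src_ip ^ dst_ip ^ (src_port << 16 | dst_port) ^ proto) & 0xFFFFFFFF


def keyed_hash(key: bytes) -> Callable[[Session], int]:
    """Keyed hash: BLAKE2b over the packed 5-tuple with a secret key chosen
    at boot. Without the key the bucket of a session is unpredictable, so a
    sender cannot steer many sessions into one chain."""
    def h(s: Session) -> int:
        data = struct.pack("!IIHHB", *s)
        digest = hashlib.blake2b(data, key=key, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return h


def build_sessions(n: int) -> List[Session]:
    """Constructed sample traffic: client 10.0.0.5 opening n FTP control
    connections to server 192.168.1.21; only the source port varies."""
    src_ip, dst_ip, dst_port, proto = 0x0A000005, 0xC0A80115, 21, 6
    return [(src_ip, dst_ip, 1024 + i, dst_port, proto) for i in range(n)]


def chain_alarm(table: SessionTable, threshold: int) -> bool:
    """Defender-side health check: a chain far longer than the load factor
    predicts means the table is degenerating, whatever the packet rate."""
    return table.max_chain() > threshold


def run_comparison(n: int = 2000, buckets: int = 1024,
                   key: Optional[bytes] = None) -> Dict[str, Dict[str, int]]:
    """Insert the same n sessions under both hashes and report the cost."""
    key = key if key is not None else os.urandom(32)
    threshold = 8 * (n // buckets + 1)  # generous multiple of expected load
    results: Dict[str, Dict[str, int]] = {}
    for name, fn in (("folded", folded_hash), ("keyed", keyed_hash(key))):
        table = SessionTable(buckets, fn)
        for s in build_sessions(n):
            table.insert(s)
        results[name] = {
            "max_chain": table.max_chain(),
            "comparisons": table.comparisons,
            "alarm": chain_alarm(table, threshold),
        }
    return results


if __name__ == "__main__":
    for name, r in run_comparison().items():
        print(f"{name:7s} max chain {r['max_chain']:5d}  "
              f"comparisons {r['comparisons']:8d}  alarm {r['alarm']}")
```

Two thousand sessions cost the folded table 1,999,000 comparisons in a single chain of 2000, while the keyed table performs a few thousand comparisons with chains in the single digits; the chain-length alarm fires only for the former. The same measurement (longest chain, or comparisons per insert) is what a device should expose as a health counter, because the traffic that triggers the degradation is, as the abstract notes, too low in volume to stand out in throughput statistics.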


Notes

  1.

    A dedicated router usually has a wider range of features for manipulating routing tables and the routing process in general than a dedicated firewall. On the other hand, a dedicated firewall has more security-related features than a router.

  2.

    During the creation of the lab, a host with the Microsoft Windows operating system was considered first as well. It turned out that originating more than 2000 connections from the Windows host using the ftp console command is problematic and makes the system unstable. So, in an attempt to tackle the problem, a dedicated FTP client program was written in MS Visual Studio. The connection-management optimizations embedded in the .NET Framework made the program reuse existing connections instead of creating new ones. Shortly after this, all attempts to use Microsoft Windows as an attack platform were discontinued.

  3.

    The Cisco 2621XM Multiservice Router was in production till 2007 and its support was discontinued as of 2013. This device was chosen deliberately, because it was never the intention of the authors to show product vulnerabilities of any particular vendor. We realize that similar mechanisms are applied by other manufacturers as well. Taking a no longer offered and supported device seemed the right choice to show that the issue is of importance, while, at the same time, not causing any damage whatsoever to the manufacturer's reputation.


Corresponding author

Correspondence to Adam Czubak.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Czubak, A., Szymanek, M. (2017). Algorithmic Complexity Vulnerability Analysis of a Stateful Firewall. In: Grzech, A., Świątek, J., Wilimowska, Z., Borzemski, L. (eds) Information Systems Architecture and Technology: Proceedings of 37th International Conference on Information Systems Architecture and Technology – ISAT 2016 – Part II. Advances in Intelligent Systems and Computing, vol 522. Springer, Cham. https://doi.org/10.1007/978-3-319-46586-9_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46585-2

  • Online ISBN: 978-3-319-46586-9
