Denial of Firewalling

mag(2011)

Citations: 22 | Views: 37
Abstract
Firewalls are critical security devices handling all traffic in and out of a network. When under heavy load of both malicious and legitimate traffic, firewalls may be overloaded and start discarding or permitting packets without checking firewall rules, which can cause huge revenue losses or security breaches. In this paper, we study Denial of Firewalling attacks, where attackers use well-crafted traffic to effectively overwhelm a firewall. We first investigate firewall implementation characteristics that can be exploited for such attacks while treating the firewall as a black box. We conducted our studies on a testbed with three popular firewall devices. Second, given a remote firewall, we propose methods for attackers to infer the implementation of the firewall. We develop firewall fingerprinting techniques based on firewall decisions on a sequence of TCP packets with unusual flags and machine learning techniques for inferring firewall implementation. Finally, we present methods that attackers can use to generate the traffic that can effectively overload an identified remote firewall. We show that some firewalls can be easily overloaded by a small volume of carefully crafted traffic.