
Minimizing Security Hole and Improving Performance in Stateful Inspection for TCP Connections  

Kim, Hyo-Gon (Department of Computer Science, Korea University)
Kang, In-Hye (Department of Mechanical and Information Engineering, University of Seoul)
Abstract
Stateful inspection devices must maintain flow information. These devices create flow information for network attack packets as well, which can fatally inflate dynamic memory allocation on stateful inspection devices under network attack. This memory inflation leads to memory overflow and subsequent performance degradation. In this paper, we present a guideline for setting the flow entry timeout of a stateful inspection device so that harmful embryonic entries created by network attacks are removed. Since the Transmission Control Protocol (TCP) is used by most of these attacks as well as by legitimate traffic, we propose a parsimonious memory management guideline based on the design of TCP and on the analysis of real-life Internet traces. In particular, we demonstrate that for all practical purposes one should not reserve memory for an embryonic TCP connection with more than (R+T) seconds of inactivity, where R=0, 3, 9 and $1 \leq T \leq 2$ depending on the load level.
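As an added illustration of the guideline above (example code, not from the paper), the following session table reclaims an embryonic TCP entry once it has been idle for more than R+T seconds, while completed connections keep a separate long timeout. The mapping of load level to R, the established-flow timeout and the flag-based handshake tracking are assumptions of this example.

```python
from dataclasses import dataclass

# R values from the abstract: 0, 3 and 9 s. Which R applies at which load
# level is an assumption of this example; the paper only says R depends on load.
R_BY_LOAD = {"high": 0, "medium": 3, "low": 9}
T_MIN, T_MAX = 1.0, 2.0            # abstract: 1 <= T <= 2 seconds
ESTABLISHED_IDLE_TIMEOUT = 3600.0  # assumption: long timeout for completed flows


@dataclass
class FlowEntry:
    embryonic: bool   # True until the three-way handshake has completed
    last_seen: float  # timestamp of the most recent packet (seconds)


class SessionTable:
    def __init__(self, load_level="medium", t_seconds=2.0):
        if load_level not in R_BY_LOAD:
            raise ValueError(f"unknown load level {load_level!r}")
        if not T_MIN <= t_seconds <= T_MAX:
            raise ValueError("T must lie in [1, 2] seconds")
        self.r = R_BY_LOAD[load_level]
        self.t = t_seconds
        self.flows: dict[tuple, FlowEntry] = {}

    def embryonic_timeout(self) -> float:
        """Idle time after which an embryonic entry is reclaimed: R + T."""
        return self.r + self.t

    def observe(self, key: tuple, flags: set, now: float) -> None:
        """Update the table for one packet; `key` is a canonical flow tuple."""
        entry = self.flows.get(key)
        if entry is None:
            if "SYN" in flags:                 # only a SYN creates a new entry
                self.flows[key] = FlowEntry(embryonic=True, last_seen=now)
            return
        entry.last_seen = now
        if "ACK" in flags and "SYN" not in flags:
            entry.embryonic = False            # handshake completed

    def expire(self, now: float) -> list:
        """Evict idle entries; embryonic ones use the short R + T timeout."""
        limit = self.embryonic_timeout()
        evicted = [k for k, e in self.flows.items()
                   if now - e.last_seen > (limit if e.embryonic
                                           else ESTABLISHED_IDLE_TIMEOUT)]
        for k in evicted:
            del self.flows[k]
        return evicted
```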
Keywords
packet inspection; session table management; TCP retransmission timeout calculation; timeout;