
Reverse firewall dams DoS flood

by James Middleton

02 Nov 2001

In a bid to fight the growing menace of computer- and router-based denial of service (DoS) attacks, a security firm has developed a technique to dam the DoS data flood at its source.

Using funding from the Defense Advanced Research Projects Agency (DARPA), security technology firm Cs3 is looking at the concept of reverse firewalling, or keeping the flood of data from a DoS attack dammed up at the source.

The Reverse Firewall works by filtering the outgoing packets from a network. The difference between a legitimate application that uses high bandwidth and a packet flooding attack is that, in the former case, the machine at the other end of the conversation is participating in a two-way conversation. In the case of a DoS attack, the exchange is one sided.

As research suggests that most distributed denial of service (DDoS) attacks are carried out using zombie machines, high-bandwidth infrastructure is a favourite target. This puts enterprises, universities and ISPs at the top of a hacker's list.

"With near universal availability of permanent and faster connections to the internet, and the attendant decrease of network security expertise per individual computer, there is no scarcity of potential zombies," said Cs3.

But reverse firewalling effectively reduces the value of these machines in such an attack to the equivalent of a slow dial-up connection, or even less. "What we call a Reverse Firewall is, therefore, simply one part of the functionality that could and should be provided by firewalls," said the company.

A firewall is in a position to distinguish these two cases, since all of the traffic between the local network and the outside passes through it.

The technology limits the rate at which the firewall forwards outgoing packets that are not replies to packets it recently forwarded in the other direction. Packets that are not replies, for instance those that start a new conversation, simply need not be transmitted at a high rate.
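To make the filtering rule concrete, here is a small Python model of it, added for illustration and not Cs3's code. It assumes a simple "recently seen inbound flow" table keyed by host pair, a single token bucket for all non-reply egress, and constructed traffic in which an inside server answers an outside client, an inside zombie floods a victim one-sidedly, and an inside desktop opens one new conversation.

```python
from collections import namedtuple

# t = seconds since start; direction = "in" (entering the local network) or "out"
Packet = namedtuple("Packet", "t direction src dst")

class ReverseFirewall:
    def __init__(self, reply_window=2.0, rate=1.0, burst=5):
        self.reply_window = reply_window  # seconds an inbound packet stays "recent"
        self.rate = rate                  # non-reply packets allowed per second
        self.burst = burst                # token bucket capacity
        self.tokens = float(burst)
        self.last_refill = 0.0
        self.recent_inbound = {}          # (outside_host, inside_host) -> last seen

    def handle(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt.direction == "in":
            self.recent_inbound[(pkt.src, pkt.dst)] = pkt.t
            return True
        # Outgoing: a reply to something recently forwarded inward passes freely.
        last = self.recent_inbound.get((pkt.dst, pkt.src))
        if last is not None and pkt.t - last <= self.reply_window:
            return True
        # Not a reply (new conversation or one-sided flood): token bucket.
        self.tokens = min(self.burst, self.tokens + (pkt.t - self.last_refill) * self.rate)
        self.last_refill = pkt.t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def simulate(packets, **kw):
    """Return {inside_host: (forwarded, dropped)} for its outgoing packets."""
    fw, stats = ReverseFirewall(**kw), {}
    for p in sorted(packets, key=lambda p: p.t):
        ok = fw.handle(p)
        if p.direction == "out":
            f, d = stats.get(p.src, (0, 0))
            stats[p.src] = (f + ok, d + (not ok))
    return stats

# Constructed traffic: "server" answers 20 requests from an outside client,
# "zombie" sprays 50 unsolicited packets at a victim within one second, and
# "desktop" opens one new outbound conversation afterwards.
traffic = [Packet(1.5, "out", "desktop", "web")]
for i in range(20):
    traffic += [Packet(i * 0.1, "in", "client", "server"),
                Packet(i * 0.1 + 0.01, "out", "server", "client")]
traffic += [Packet(i * 0.02, "out", "zombie", "victim") for i in range(50)]
```

With the defaults, all 20 server replies pass, the zombie gets only its 5-packet burst through and loses the other 45, and the desktop's new conversation still starts once the bucket has refilled.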

And while the technology could help potential victims outside a compromised network, the users of that network will still suffer from the loss of bandwidth gobbled up in the attack. However, reverse firewalls could be deployed internally, between network segments for example, to turn the potential flood into nothing more than a trickle.
