Adaptive Early Packet Filtering for Defending Firewalls Against DoS Attacks

Source: Institute of Electrical and Electronics Engineers

A major threat to data networks stems from the fact that some traffic is expensive to classify and filter, because it is checked against a longer-than-average list of filtering rules before being rejected by the default deny rule. An attacker with some information about the Access-Control List (ACL) deployed at a firewall or intrusion detection and prevention system (IDS/IPS) can craft packets that will have maximum cost. In this paper, the authors present a technique that is lightweight, traffic-adaptive and can be deployed on top of any filtering mechanism to pre-filter unwanted expensive traffic.
Format: PDF Size: 237.60
Date: May 2009