Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 210)

Abstract

The firewall is often seen as the first line of defence in ensuring the network security of an organization. However, with the rapid expansion of networks, the types and number of network attacks continue to increase, and network traffic is also growing markedly. Traditional networks can no longer meet the requirements of preventing attacks in high-speed networks. Therefore, in order to improve performance, this paper proposes a new packet filtering method: CTFPi, the combination of a traditional firewall and Pi (Path identifier) for packet filtering. The principle of this scheme is to map the source IP addresses and destination IP addresses to Pi and then use Pi to replace them. Experiments show that our method not only adapts to high-speed network requirements, but is also better at preventing attacks, especially those with forged packets.

Acknowledgments

This research was supported in part by Major Projects of National Science and Technology (2011ZX03002-004-02), Zhejiang Provincial Technology Innovation Team (2010R50009), Natural Science Foundation of Zhejiang Province (LY12F02013), Ningbo Natural Science Foundation (2012A610014), Ningbo Municipal Technology Innovation Team (2011B81002), The Graduate Teaching Innovation on Ningbo University (2011004).

Corresponding author

Correspondence to Cuixia Ni.

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ni, C., Jin, G. (2013). CTFPi: A New Method for Packet Filtering of Firewall. In: Lu, W., Cai, G., Liu, W., Xing, W. (eds) Proceedings of the 2012 International Conference on Information Technology and Software Engineering. Lecture Notes in Electrical Engineering, vol 210. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34528-9_48

  • DOI: https://doi.org/10.1007/978-3-642-34528-9_48

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34527-2

  • Online ISBN: 978-3-642-34528-9

  • eBook Packages: Engineering, Engineering (R0)
