CTFPi: A New Method for Packet Filtering of Firewall

  • Cuixia Ni
  • Guang Jin
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 210)


The firewall is often seen as the first line of defence in ensuring the network security of an organization. However, with the rapid expansion of networks, the kinds and numbers of network attacks continue to increase, and network traffic is also growing markedly. Traditional firewalls can no longer meet the requirements of preventing attacks in high-speed networks. Therefore, to improve performance, this paper proposes a new packet filtering method, CTFPi, the combination of a traditional firewall and Pi (path identifier) for packet filtering. The principle of this scheme is to map source and destination IP addresses to Pi and then use Pi in their place. Experiments show that our method not only adapts to the requirements of high-speed networks but also prevents attacks better, especially those using forged packets.
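As an added illustration (not code from the paper), a toy model of the CTFPi idea: a traditional (source, destination) rule is translated into a rule keyed by the Pi mark, and the filter decides from the IP Identification field alone, so a packet that forges a permitted source address but arrives over a different router sequence carries a different Pi and is dropped. The router addresses, the 2-bits-per-hop marking and the byte-sum stand-in for the per-router hash are assumptions made for the example.

```python
from ipaddress import ip_address

PI_BITS = 16       # Pi travels in the 16-bit IP Identification field
BITS_PER_HOP = 2   # assumed marking width: each router shifts in 2 bits
ACCEPT, DROP = "ACCEPT", "DROP"

def router_mark(router_ip):
    # Stand-in for the hash of the router address that Pi routers use:
    # a byte sum keeps the example reproducible by hand (assumption).
    return sum(ip_address(router_ip).packed) & ((1 << BITS_PER_HOP) - 1)

def pi_mark(path):
    """Accumulate the Pi mark hop by hop; the last router's bits end up lowest."""
    mark = 0
    for router in path:
        mark = ((mark << BITS_PER_HOP) | router_mark(router)) & ((1 << PI_BITS) - 1)
    return mark

class CtfpiFilter:
    """Firewall whose rule table is indexed by Pi: one array lookup per packet."""
    def __init__(self, default=DROP):
        self.table = [default] * (1 << PI_BITS)
        self.pi_of = {}      # (src, dst) -> Pi: the address-to-Pi mapping

    def add_rule(self, src, dst, path, action=ACCEPT):
        """Translate a traditional (src, dst) rule into a Pi-keyed rule."""
        mark = pi_mark(path)
        self.pi_of[(src, dst)] = mark
        self.table[mark] = action

    def filter(self, ip_id):
        """Decide on a packet from its Identification field alone."""
        return self.table[ip_id & ((1 << PI_BITS) - 1)]

# Constructed topology: a legitimate client and an attacker forging its address
# reach the protected host over different router sequences.
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
LEGIT_PATH = ["198.51.100.1", "203.0.113.1", "203.0.113.9", "192.0.2.1"]
SPOOF_PATH = ["203.0.113.254", "203.0.113.9", "192.0.2.1"]   # attacker's route

def build_filter():
    fw = CtfpiFilter()
    fw.add_rule(CLIENT, SERVER, LEGIT_PATH)
    return fw

if __name__ == "__main__":
    fw = build_filter()
    for name, path in (("legitimate", LEGIT_PATH), ("spoofed", SPOOF_PATH)):
        print(f"{name:10s} Pi={pi_mark(path):#06x} -> {fw.filter(pi_mark(path))}")
```

Both packets claim the same source address; only the Pi carried in the Identification field separates them, which is what lets the rule table drop the address pair as a lookup key.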


Keywords: Firewall, Pi, Rule optimization, Packet filtering



This research was supported in part by Major Projects of National Science and Technology (2011ZX03002-004-02), Zhejiang Provincial Technology Innovation Team (2010R50009), Natural Science Foundation of Zhejiang Province (LY12F02013), Ningbo Natural Science Foundation (2012A610014), Ningbo Municipal Technology Innovation Team (2011B81002), The Graduate Teaching Innovation on Ningbo University (2011004).



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

Faculty of Information Science and Engineering, Ningbo University, Ningbo, China
