Algorithmic Complexity Vulnerability Analysis of a Stateful Firewall

  • Adam Czubak
  • Marcin Szymanek
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 522)


Algorithmic complexity vulnerabilities are an opportunity for an adversary to conduct a sophisticated kind of attack i.e. on network infrastructure services. Such attacks take advantage of worst case time or space complexity of algorithms implemented on devices in their software. In this paper we address potential risks introduced by such algorithmic behavior in computer networks in particular on a stateful firewall. First we introduce the idea and theoretical background for the attack. We then describe in full detail a successfully conducted attack which takes advantage of the worst case computational complexity of O(n 2) of a hash table data structure used to store active sessions. The attack at hand is initiated from a network protected by an stateful firewall router feature to a remote server causing a DoS (Denial of Service) on an industry grade router. Our experimental results using a real life network topology show that by generating undetected low bandwidth but malicious network traffic causing collisions in the firewall’s hash table we cause the firewall to become unreachable or even announce a segmentation fault and reboot itself.


Computer networks Complexity attack DoS, Denial of service Security Network vulnerabilities Computational complexity 


  1. 1.
    Miao, R., Yu, M., Jain, N.: NIMBUS: cloud-scale attack detection and mitigation. In: Proceedings of the ACM Conference on SIGCOMM, pp. 121–122 (2014)Google Scholar
  2. 2.
    Stevanovic, D., Vlajic, N., An, A.: Unsupervised clustering of Web sessions to detect malicious and non-malicious website users. Procedia Comput. Sci. 5, 123–131 (2011)CrossRefGoogle Scholar
  3. 3.
    Suchacka, G., Sobków, M.: Detection of internet robots using a Bayesian approach. In: Proceedings of the 2nd IEEE International Conference on Cybernetics, Gdynia, Poland, pp. 365–370 (2015)Google Scholar
  4. 4.
    Tan, Z., Jamdagni, A., He, X., Nanda, P., Liu, R.P.: A system for denial-of-service attack detection based on multivariate correlation analysis. IEEE Trans. Parallel Distrib. Syst. 25(2), 447–456 (2014)CrossRefGoogle Scholar
  5. 5.
    Tao, Y., Yu, S.: DDoS attack detection at local area networks using information theoretical metrics. In: Proceedings of the 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pp. 233–240 (2013)Google Scholar
  6. 6.
    Thomas, H.C., Charles, E.L., Ronald, L.R., Clifford, S.: Introduction to algorithms, 3rd edn. ISBN: 9780262033848Google Scholar
  7. 7.
    Crosby, S.A., Wallach, D.S.: Denial of service via algorithmic complexity attacks. In: Proceedings of the 12th USENIX Security Symposium, pp. 29–44. USENIX Association, Berkeley, CA USA (2003)Google Scholar
  8. 8.
    Bar-Yosef, N., Wool, A.: Remote algorithmic complexity attacks against randomized hash tables. In: Filipe, J., Obaidat, M.S. (eds.) E-business and telecommunications ICETE 2007. CCIS, vol. 23, pp. 162–174. Springer, Heidelberg (2007)Google Scholar
  9. 9.
    Klink, A., Walde, J.: Efficient denial of service attacks on web application platforms (2011).
  10. 10.
    Quynh, H.: Recommendation for applications using approved hash algorithms. NIST technical report SP 800-107. National Institute of Standards and Technology Gaithersburg, MD, US (2009)Google Scholar
  11. 11.
    US cybercrime: Rising risks, reduced readiness key findings from the 2014 US State of Cybercrime Survey, PricewaterhouseCoopers LLP (2014).
  12. 12.
    Sedgewick, R., Wayne, K.: Algorithms, 4th edn. Addison-Wesley Professional, Boston (2011)Google Scholar
  13. 13.
    Mehlhorn, K.: Data structures and algorithms 1: sorting and searching, vol. 1. Springer, Heidelberg (1984)CrossRefzbMATHGoogle Scholar
  14. 14.
    Babka, M.: Properties of universal hashing. Master thesis, Charles University in Prague Faculty of Mathematics and Physics (2010).
  15. 15.
    Plackett, R.L.: Karl Pearson and the chi-squared test. Int. Stat. Rev. (International Statistical Institute, ISI) 51(1), 59–72 (1983)Google Scholar
  16. 16.
    Tanenbaum, A.S., Wetherall, D.J.: Computer Networks, 5th edn. Pearson, Boston (2010)Google Scholar
  17. 17.
    Cisco IOS Security Configuration Guide: Securing the data plane. Release 12.4, Cisco Systems (2014).

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Institute of Mathematics and InformaticsOpole UniversityOpolePoland

Personalised recommendations