
B-tree based two-dimensional early packet rejection technique against DoS traffic targeting firewall default security rule

Nguyen Manh Hung
Post-graduate Department
Military Technical Academy
Ha Noi, Viet Nam
manhhungk12@mta.edu.vn

Vu Duy Nhat
Information Technology Security
MoD of Vietnam
Hanoi, Vietnam
nhatbest@gmail.com

Abstract: In current computer networks the firewall is vital equipment for ensuring the security of the entire system. Controlling every connection to a network, the firewall is the only link between the network to be protected and outside networks. The speed of classifying and processing packets on the firewall must therefore be improved so that the firewall is not overloaded in particular cases. To achieve this, the characteristics of the filter, or of the data flow through the firewall, are used to minimise the work done on a packet during classification; this is early packet rejection. Several early packet rejection techniques for packet-filtering firewalls have been proposed, such as Field Value Set Cover (FVSC), Self Adjusting Binary Search on Prefix Length (SA-BSPL) and Statistical Splaying Filters with Binary Search on Prefix Length (SSF-BSPL). In this paper we analyse the main strengths and weaknesses of these techniques and propose a new two-dimensional early packet rejection technique based on the B-tree. The proposed technique is compared experimentally with the other techniques.

Keywords: firewall; packet classification; early packet rejection; security policies in firewall.

I. INTRODUCTION
Today, with the strong development of computer networks, the proliferation of different types of network services, the increasing number of users and advanced technology, the volume of data transmitted over networks is very large. A firewall is a security device for computer networks located at the connection point between an internal network (LAN) and a large external network (WAN); its function is to control all accesses from outside to inside and vice versa. Because of its location and function, the firewall becomes a "bottleneck" slowing down the exchange of information between the LAN and the WAN, so improving the handling capacity of the firewall is an objective requirement.

978-1-4799-5430-8/14/$31.00 ©2014 IEEE

A. DoS attacks on the firewall system

Firewall rules are built to allow valid packets to pass. Whether a packet is valid is determined by comparing the information in its header with the defined rules; the decision for a packet is made when it matches a specific rule. In a firewall a special rule is usually defined as the default rule (commonly "deny"); this rule applies only after the check over all other rules has failed to find a matching rule. A packet rejected by the default rule therefore costs more computing resources and processing time than other packets, and with a large number of rules this cost is very significant. Because of this characteristic, an attacker with some information about the firewall can perform a DoS attack directly on the firewall by sending a large number of continuous packets that are destined to be rejected by the default rule: the firewall must spend a lot of resources handling these packets and its operation can be paralysed. Against this attack, several early packet rejection techniques for undesirable packets on firewall devices have been proposed.
The difference between the original firewall and a firewall with an additional early packet rejection module is shown in Figure 1 and Figure 2: in model 1 the packets are filtered directly by the original firewall rules (Figure 1); in model 2 (Figure 2) the packets are filtered early by the early packet rejection module before being filtered by the original firewall rules.

Fig. 1. Classification of packets in the firewall

Fig. 2. Classification of packets in the firewall with the early rejection module
B. Some early packet rejection techniques
1) Field Value Set Cover (FVSC)
This technique analyses the set of firewall rules to create a small set of rules that can remove undesirable packets before they are passed to the original rules [1]. The basic idea is that if a packet does not match any of the common values of all "accept" rules, the packet can be rejected immediately without any risk of a wrong rejection. This means the early packet rejection rules can be created by combining the common values present in all policy rules. For example, if all "accept" rules use a particular destination IP address or port, all packets that do not contain the same values can be eliminated without further examination. An example early rejection rule can be of the form: RR = (DP 80) (SP 1500) (DIP 15.16.17.18) (P UDP).
This technique is limited by the number of rules generated and by the percentage of packets rejected early compared with the total number of rejected packets. The number of early packet rejection rules is proportional to the number of rules in the firewall policy and to the dispersion of the values in each field of the early packet rejection rules. In particular, because approximation algorithms are used to generate the early packet rejection rules, when the firewall rule set changes it is not possible to propagate that change into the early packet rejection rule set.
2) Self Adjusting Binary Search on Prefix Lengths (SA-BSPL)
This technique uses the properties of the Self Adjusting Binary Search (SABS) to optimise the early classification of unwanted packets on the firewall. The model given in [2] consists of a set of self-adjusting filters; each filter uses binary search on prefix length [3], based on the SABS tree model, to improve the mean search time [4], [5], [7].
The idea of early packet rejection in this technique is: if a packet does not match any prefix length in the search of a filter tree, it is rejected automatically. Otherwise, if the search ends at a node containing a list F1 of n rules, the inspection continues with the next filter; if the next filter stops at a node whose rule set F2 contains m rules, F1 and F2 are checked for a common rule, and if there is none the packet is rejected immediately without further examination.
An improvement of this technique combines it with consideration of the nature of the traffic, to reduce the average number of filters each packet has to pass through [6]. The differences between technique [6] and [2] are: the packet filtering process is carried out in all cases, but the filters are arranged in descending order, starting from the field with the highest rejection statistics. For example, if the rates of packets rejected because of an invalid source IP address, destination IP address, source port and destination port are respectively 30%, 40%, 10% and 20%, the actual filtering is done in the order: destination IP, source IP, destination port, source port.
The drawback of this technique is that, with a large rule set, the hash tables and the number of prefixes in each hash table become large. In particular, the intermediate prefixes in the hash tables increase the memory size and the search time for each arriving packet.
II. PROPOSED WORK
Early packet rejection must be based on the information in some header fields of the packet. We observe that the number of fields checked on each packet is proportional to the classification time, so reducing the number of fields checked on each packet improves the speed of classification. This is our motivation for proposing a new technique.
Our research shows that firewall rules are often defined in terms of source and destination IP addresses given as address ranges or as prefixes. These forms can be converted to prefix form. With the prefix form we can combine the two dimensions into one, reducing the number of dimensions used in the classification process. Therefore, in this study we propose an early packet rejection technique based on the source IP address and destination IP address that combines them into one dimension to achieve better efficiency.
Our proposed technique is based on three points:
- Combining the source IP address and destination IP address of each rule to create a single field, COM.
- Building early packet rejection rules based on the COM field.
- Using a B-tree to reject packets early.
A. B-Tree
The B-tree [8], [9], [10] is a multi-branched balanced search tree. It was designed to work well on both types of memory: internal memory and external memory.
DEFINITION 1: A B-tree is a multi-branched balanced search tree satisfying the following properties:
1. Every node x of the tree contains the fields:
   nx: the number of keys stored in node x; the nx keys are stored in ascending order, so that key0 < key1 < key2 < ... < keynx-1.
   leaf: a boolean value, leaf = TRUE if x is a leaf node and leaf = FALSE otherwise.
2. Each node x contains nx+1 pointers c0, c1, c2, ..., cnx to the root nodes of its child subtrees. Leaf nodes have no children, so their ci fields are NULL.
3. The keys separate the ranges of keys stored in each subtree: if ki is any key stored in the subtree with root ci, then k0 < key0 < k1 < key1 < k2 < key2 < ... < keynx-1 < knx.
4. All leaf nodes are at the same level h, where h is the height of the tree.
5. An integer t (t ≥ 2) is the degree of the B-tree; then:
   Every node except the root must have at least t-1 keys. Consequently every node except the root and the leaf nodes must have at least t subtrees. If the B-tree is not empty, the root must have at least one key.
   Every node can have at most 2t-1 keys. Thus, except for leaf nodes, any node can have at most 2t subtrees. We say that a node is full if it contains 2t-1 keys and minimal if it contains exactly t-1 keys.

B. Combined operation - COM

Combining the source IP address and destination IP address into a single field (the COM field) is what we call the combined operation COM. Early packet rejection is based on the COM field.
Assume the firewall rules contain two fields: source IP address and destination IP address. Both are given as prefixes, referred to as the source prefix (sprefixIP) and the destination prefix (dprefixIP). We create a combined prefix, com-prefixIP, from the source prefix and the destination prefix as follows.
Suppose rule Ri has a source prefix of length s bits and a destination prefix of length d bits, with d > s (Figure 3). The com-prefixIP of Ri consists of s symbols, created by combining the s-bit source prefix with the first s bits of the destination prefix: the j-th bit of the source prefix is paired with the j-th bit of the destination prefix to form the j-th symbol of the com-prefixIP (j = 0 .. s-1) according to the rules in Table 1.

TABLE 1. The rule for creating the COM field

                            Case 1   Case 2   Case 3   Case 4
Source IP prefix bit          0        0        1        1
Destination IP prefix bit     0        1        0        1
COM field symbol              0        1        2        3

Fig. 3. Illustration of creating the COM field prefix

For example, if rule Ri has source IP prefix 01011* and destination IP prefix 001011*, then the COM field prefix of Ri is 02123*.
With this construction each rule has a COM prefix, and this COM prefix determines a range of values in the base-4 system. For example, if the COM field length is 4, the prefix 02* corresponds to the range [(200)4, (233)4], i.e. [32, 47] in the base-10 system, and the prefix 312* corresponds to the range [(3120)4, (3123)4]* = [216, 219].

* The (xyz)4 notation denotes the value xyz in the base-4 system.

THEOREM 1: If the source IP address SIP of packet Pkt matches the sprefixIP and its destination IP address DIP matches the dprefixIP of rule Ri, then the COM value of Pkt, comValue (the COM generated from the SIP and DIP of Pkt), belongs to the value range of the COM field of Ri.
Proof:
Let l be the length of the com-prefixIP of Ri and L the total number of base-4 symbols of a COM value. The prefix corresponds to the range [(com-prefixIP 00...0)4, (com-prefixIP 33...3)4]. If V is the base-10 value of com-prefixIP, then com-prefixIP determines the range $[V \cdot 4^{L-l},\; V \cdot 4^{L-l} + 4^{L-l} - 1]$ in the base-10 system.
The COM field is generated from the SIP and DIP of Pkt. Because SIP and DIP match the sprefixIP and dprefixIP of rule Ri, the first l symbols of COM coincide with the l symbols of com-prefixIP. Writing $r$ for the base-10 value of the remaining $L-l$ symbols, comValue in the base-10 system is
$comValue = V \cdot 4^{L-l} + r$.
Obviously $0 \le r \le 3 \cdot 4^{L-l-1} + \ldots + 3 \cdot 4 + 3 = 4^{L-l} - 1$, from which $V \cdot 4^{L-l} \le comValue \le V \cdot 4^{L-l} + 4^{L-l} - 1$, i.e. comValue belongs to $[V \cdot 4^{L-l},\; V \cdot 4^{L-l} + 4^{L-l} - 1]$ (the theorem is proved).

THEOREM 2: If the comValue of packet Pkt does not lie in the range corresponding to the prefix com-prefixIP of Ri, then the SIP of Pkt does not satisfy sprefixIP or the DIP of Pkt does not satisfy dprefixIP of Ri.
Proof:
Let l be the length of the com-prefixIP of Ri, L the total number of base-4 symbols of a COM value, and V the base-10 value of the l symbols of com-prefixIP. When comValue does not belong to $[V \cdot 4^{L-l},\; V \cdot 4^{L-l} + 4^{L-l} - 1]$, one of the two following cases occurs:
(*) $comValue < V \cdot 4^{L-l}$, or
(**) $comValue > V \cdot 4^{L-l} + 4^{L-l} - 1$.
In case (*), suppose the sequence of the first l symbols of COM equals com-prefixIP; then by Theorem 1, $V \cdot 4^{L-l} \le comValue \le V \cdot 4^{L-l} + 4^{L-l} - 1$, which contradicts (*). Case (**) is shown similarly.
So if comValue does not belong to the range corresponding to com-prefixIP, the l symbols of com-prefixIP do not coincide with the first l symbols of COM. Let k (k ≤ l) be the position of the first symbol at which COM and com-prefixIP differ; according to the construction rules of COM, the possible cases are:
- the k-th bit of SIP differs from the k-th bit of sprefixIP;
- the k-th bit of DIP differs from the k-th bit of dprefixIP;
- or both.
Thus the SIP of Pkt does not satisfy sprefixIP or the DIP of Pkt does not satisfy dprefixIP of Ri.
DEFINITION 2: Comparison between segments.
Suppose two segments [a, b] and [x, y] are either disjoint or nested. Then:
[a, b] < [x, y] if b < x
[a, b] = [x, y] if a = x and b = y
[a, b] > [x, y] if a > y
[a, b] ⊆ [x, y] if x ≤ a and b ≤ y
C. The early packet rejection rules
On the basis of Theorem 1 and Theorem 2, the COM domain is the set of values from 0 to (333333)4. The COMi value range of the i-th firewall rule is a sub-segment of [0, (333333)4]. A packet Pkt is definitely rejected if its COMpkt does not belong to any COMi. Thus the early packet rejection rules are the segments that do not intersect any COMi, determined by the formula:
$\overline{COM} = [0, (333333)_4] \setminus \bigcup_{i=1}^{n} COM_i$ (1), where n is the total number of rules.
D. Construction of the early packet rejection rules and early packet rejection on the B-tree
Our proposed early packet rejection technique, based on source IP address and destination IP address using a B-tree, is carried out in three major phases:
Phase 1: Construction of the B-tree. We build the COM prefix of each rule. The COM prefix is converted into a segment and inserted into the tree, whose keys are segment values compared with each other according to Definition 2.
Phase 2: Early packet rejection. A search on the tree rejects the packet early.
Phase 3: Updating the tree. Inserting and deleting rules.
1. Phase 1: Construction of the B-tree.
Step 1: Create the root node of the B-tree with the key value [0, MAX] (if the source and destination IP addresses are 32 bits long, then MAX = 2^64 ...).
Step 2: Build the COM prefix of the corresponding rule and convert it into a segment [a, b].
Step 3: Insert the segment [a, b] into the tree. Search for [a, b] in the tree; assuming the current node Ni contains the interval [s, f], consider the following cases:
- If s < a and f > b, split [s, f] into two segments: delete [s, f] from the B-tree, then insert the two segments [s, a-1] and [b+1, f] into the B-tree.
- Else if s ≥ a and f ≤ b, delete [s, f] from the B-tree.
- Else if s < a and a < f < b, delete [s, f], then insert [s, a-1] into the B-tree.
- Else if f > b and a < s < b, delete [s, f], then insert [b+1, f] into the B-tree.
- Else if (s > b or a > f) and Ni is not a leaf, go down the corresponding branch of the B-tree.
- Else insert the segment [a, b] into Ni.
Step 4: Go to Step 3 until all firewall rules have been inserted into the B-tree.
2. Phase 2: Early packet rejection.
When a packet arrives, we calculate the COM from its source IP address and destination IP address, convert the COM into a value P, and finally search for P in the B-tree. If the B-tree contains P, the packet is rejected early.
3. Phase 3: Updating the tree.
A change of the firewall rule set consists of two major operations: adding new rules and deleting existing rules. Changing the information of a rule is treated as two operations: first delete the old rule, then add the new rule with the changed information. A rule is added by following the steps in Phase 2. For rule deletion, since this is only the early packet rejection module, a small number of deleted rules should not greatly affect the percentage of packets rejected early, so the tree need not be updated.
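As an added example (not code from the paper or from its C++ test program), the following Python script carries out the COM construction of Table 1, the segment of Theorem 1, the complement of formula (1) and the Phase 2 lookup. It replaces the paper's B-tree with a sorted list searched by bisect, and the two-rule policy and packet addresses it uses are constructed for the example.

```python
import bisect

PREFIX_BITS = 32                 # IPv4: a full COM value has 32 base-4 symbols
MAX_COM = 4 ** PREFIX_BITS - 1   # top of the COM domain, (33...3)_4

def bits_to_prefix(bits, nbits=PREFIX_BITS):
    """'01011' -> (address whose leading bits are 01011, prefix length)."""
    return int(bits, 2) << (nbits - len(bits)), len(bits)

def parse_prefix(text):
    """'10.1.0.0/16' -> (32-bit integer address, prefix length); no '/' means /32."""
    addr, _, length = text.partition("/")
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d, int(length or 32)

def com_prefix(src, slen, dst, dlen, nbits=PREFIX_BITS):
    """Table 1: the j-th COM symbol is 2*src_bit_j + dst_bit_j, taken over the
    first min(slen, dlen) bits. Returns the COM prefix as a list of base-4 digits."""
    digits = []
    for j in range(min(slen, dlen)):
        sbit = (src >> (nbits - 1 - j)) & 1
        dbit = (dst >> (nbits - 1 - j)) & 1
        digits.append(2 * sbit + dbit)
    return digits

def com_range(digits, nbits=PREFIX_BITS):
    """Theorem 1: a COM prefix of length l and base-10 value V covers the segment
    [V*4^(nbits-l), V*4^(nbits-l) + 4^(nbits-l) - 1] of the COM domain."""
    v = 0
    for d in digits:
        v = v * 4 + d
    unit = 4 ** (nbits - len(digits))
    return v * unit, v * unit + unit - 1

def com_value(sip, dip):
    """comValue of a packet: its full 32-symbol COM read as one integer."""
    return com_range(com_prefix(sip, PREFIX_BITS, dip, PREFIX_BITS))[0]

def rejection_segments(rules):
    """Formula (1): the parts of [0, MAX] covered by no rule's COM segment.
    rules: list of (source prefix, destination prefix) strings; returns the
    sorted list of disjoint early-rejection segments."""
    ranges = []
    for s, d in rules:
        src, slen = parse_prefix(s)
        dst, dlen = parse_prefix(d)
        ranges.append(com_range(com_prefix(src, slen, dst, dlen)))
    segs, cursor = [], 0
    for a, b in sorted(ranges):          # sweep; nested/overlapping rules are fine
        if a > cursor:
            segs.append((cursor, a - 1))
        cursor = max(cursor, b + 1)
    if cursor <= MAX_COM:
        segs.append((cursor, MAX_COM))
    return segs

def reject_early(segs, sip, dip):
    """Phase 2: look up the packet's comValue among the ordered rejection
    segments. bisect on a sorted list stands in for the paper's B-tree search."""
    p = com_value(parse_prefix(sip)[0], parse_prefix(dip)[0])
    i = bisect.bisect_right([a for a, _ in segs], p) - 1
    return i >= 0 and segs[i][0] <= p <= segs[i][1]

if __name__ == "__main__":
    # Constructed two-rule policy: only 10/8 -> 192.168/16 traffic is accepted.
    segs = rejection_segments([("10.0.0.0/8", "192.168.0.0/16"),
                               ("10.1.0.0/16", "192.168.0.0/16")])
    print(reject_early(segs, "10.1.2.3", "192.168.5.6"))   # False: matches a rule
    print(reject_early(segs, "11.1.2.3", "192.168.5.6"))   # True: source outside 10/8
```

With the paper's own example, com_prefix on 01011* and 001011* yields the symbols 0, 2, 1, 2, 3, and com_range over a 4-symbol COM maps 02* to [32, 47] and 312* to [216, 219].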
III. IMPLEMENTATION, TESTING AND EVALUATION
The purposes of the experiment are to check the accuracy of the proposed technique at rejecting packets early, and to compare the effectiveness of the proposed technique with other techniques.
We used the C++ language to program the test of our proposed early packet rejection technique on B-trees [13] with different degrees.
To stay close to real applications, the programs use synthetic data generated by the ClassBench tool created by David E. Taylor and Jonathan S. Turner of the Applied Research Laboratory, Department of Computer Science, Washington University in Saint Louis [11]. The data sets include rule sets and sets of packet header parameters; the input data are derived from real data sets obtained from Internet service providers. This is the public data used by the research community to evaluate packet classification algorithms and devices.
A. Evaluation of the accuracy of the technique in early packet rejection
Testing was carried out on the two models (Model 1 - Figure 1, Model 2 - Figure 2) with the rule sets and parameter sets.
In model 1 we built the packet filter module with a linear search algorithm. The number of packets rejected in model 1 serves as the control result for model 2.
In model 2 we applied our proposed technique in the early rejection module.
The results showed that every packet rejected early by our proposed technique in model 2 would be rejected by the original packet filter of the firewall in model 1. The detailed results are shown in Table 2 below:
TABLE 2. Experimental results to check the accuracy of the proposed technique

Filter (**)   Number of rules   Number of incoming packets   Number of rejected packets
                                                             Model 1      Model 2
Firewall 1    1959              3600552                      3052955      3052955
Firewall 2    3216              2895220                      1995034      1995034
Firewall 3    882               3273840                      3027159      3027159
Firewall 4    4449              3754690                      2510232      2510232
Firewall 5    626               3280211                      3105021      3105021

(**) The names of the filters in the database of the ClassBench tool.

The results show that the numbers of packets rejected in model 1 and in model 2 are equal, which proves that the proposed early packet rejection technique works correctly.

B. Experimental evaluation of the proposed technique on B-trees with different degrees

We ran the test program on a PC with an Intel Dual Core 2.4 GHz CPU running Ubuntu 12.04 to evaluate our proposed technique.

Fig. 4. Variation of classification time according to the number of rules (chart: classification time in seconds against number of rules; series: B-tree degree=2, B-tree degree=3, B-tree degree=4)

Figure 4 shows a comparison of the two-dimensional packet classification time of the proposed technique based on the B-tree structure with different degrees, on the 3754690-incoming-packet dataset and rule sets of 500, 600, 700, ..., 1400 rules.

C. Comparison with the FVSC technique
The comparison is made in model 2 with two cases:
Case 1: the early packet rejection module implements the FVSC technique.
Case 2: the early packet rejection module implements our technique.
We compare the two-dimensional packet classification time of the proposed technique and FVSC on the 626-rule dataset. The classification time is the total time to classify 1000000, 1200000, 1400000, ..., 3280211 incoming packets. The results are shown in Table 3 below:

TABLE 3. Comparison of the classification time of FVSC with our technique

Number of incoming packets   Classification time (seconds)
                             FVSC       Our technique (B-tree degree 3)
1000000                      9,1200     5,3400
1200000                      10,8300    6,2900
1400000                      12,6400    7,3300
1600000                      14,4400    8,3900
1800000                      16,2200    9,4200
2000000                      18,0500    10,4900
2200000                      19,8100    11,5200
2400000                      21,9000    12,8500
2600000                      23,4800    13,6900
2800000                      25,2500    14,6900
3000000                      27,0500    15,7100
3280211                      29,5700    17,1200

The results in Table 3 show that the proposed technique is more effective than the FVSC technique.

Fig. 5. Comparison with the FVSC technique (chart: classification time against number of incoming packets; series: FVSC, our proposed technique on B-tree degree=3)

IV. CONCLUSION

This paper presents the significance of the early packet rejection problem in firewalls and summarises the early packet rejection techniques that have been studied. On the basis of an analysis of the advantages and disadvantages of these techniques, we proposed a two-dimensional early packet rejection technique on source IP address and destination IP address: combining them into a combined COM field, constructing early rejection rules on the COM field, and using a B-tree structure for early packet rejection. We presented the detailed implementation steps of the proposed technique, and the implementation was tested to assess its accuracy and its efficiency when deployed on B-trees of different degrees. The results of the comparison and evaluation show that our proposed technique can be deployed in the real world with high flexibility in the choice of data structures and programs, and that the technique can be extended to early packet rejection based on multiple dimensions.

REFERENCES
[1] H. Hamed, A. El-Atawy, E. Al-Shaer. Adaptive Statistical Optimization Techniques for Firewall Packet Filtering. In Proceedings of IEEE INFOCOM, pp. 1-12, 2006.
[2] N. Neji, A. Bouhououla. Dynamic Scheme for Packet Classification Using Splay Trees. Information Assurance and Security, pp. 1-9, 2009.
[3] M. Waldvogel, G. Varghese, J. Turner, B. Plattner. Scalable High Speed IP Routing Lookups. In Proceedings of ACM SIGCOMM (SIGCOMM 97), pp. 25-36, 1997.
[4] T. Srinivasan, M. Nivedita, V. Mahadevan. Efficient Packet Classification Using Splay Tree Models. IJCSNS International Journal of Computer Science and Network Security, 6(5), pp. 28-35, 2006.
[5] D. Sleator, R. Tarjan. Self Adjusting Binary Search Trees. Journal of the ACM, 32(3), pp. 652-686, 1985.
[6] Zouheir Trabelsi, Safaa Zeidan. Multilevel early packet filtering technique based on traffic statistics and splay trees for firewall performance improvement. ICC 2012, pp. 1074-1078.
[7] N. Neji, A. Bouhououla. Dynamic Scheme for Packet Classification Using Splay Trees. Information Assurance and Security, pp. 1-9, 2009.
[8] R. Bayer. Symmetric binary B-Trees: Data Structures and maintenance algorithms. Acta Informatica, Volume 1, 1972.
[9] G.M. Adelson-Velsky and E.M. Landis. An algorithm for the organization of information, 1962.
[10] Nguyễn Mạnh Hùng. Cấu trúc dữ liệu nâng cao (Advanced Data Structures), NXB Quân đội Nhân dân, 2012.
[11] http://www.arl.wustl.edu/classbench
