Securely managing network element state information in transport-layer associations

Abstract

Rules in NAT and firewall devices are updated only when a packet flow is verified as genuine through transport-layer message acknowledgment sequences. When a device receives a packet indicating initiation of a new association, the device stores an internal source tag, an internal destination tag, an external source tag, and an external destination tag. Only after receiving a completion acknowledgment message from the destination node does the device set the internal source tag equal to the external source tag and the internal destination tag equal to the external destination tag. The rules are then updated based on the internal tags. As a result, the approach thwarts denial-of-service (DoS) attacks that seek to modify rules of NAT and firewall devices to permit harmful traffic.
Bibliographic details

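  • Publication number: US7630364B2
  • Patent type:
  • Publication date: 2009-12-08
  • Original format: PDF
  • Applicant/patentee: RANDALL R. STEWART; PETER LEI
  • Application number: US20050257820
  • Inventors: RANDALL R. STEWART; PETER LEI
  • Filing date: 2005-10-24
  • Classification: H04L12/28; H04L12/56; G06F9/00; G06F15/16
  • Country: US
  • Database entry time: 2022-08-21 18:47:40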