Title :
B-tree based two-dimensional early packet rejection technique against DoS traffic targeting firewall default security rule
Author :
Nguyen Manh Hung ; Vu Duy Nhat
Author_Institution :
Post-Grad. Dept., Mil. Tech. Acad., Hanoi, Vietnam
Abstract :
In current computer networks, the firewall is vital equipment for ensuring the security of the entire system. With the role of controlling all connections to a network, the firewall is the only connection between the network that needs to be protected and outside networks. The speed of classifying and processing packets on the firewall must be improved to avoid overloading the firewall in particular cases. To achieve this, one idea that has been used is early packet rejection: exploiting the characteristics of the filter or of the data flow through the firewall to minimize the operations performed on a packet during classification. Some early packet rejection techniques for packet firewall systems have been proposed, such as Field Value Set Cover (FVSC), Self Adjusting Binary Search on Prefix Length (SA-BSPL), and Statistical Splaying Filters with Binary Search on Prefix Length (SSF-BSPL). In this paper we analyze the main strengths and weaknesses of the above techniques and propose a new two-dimensional early packet rejection technique based on the B-tree. The proposed technique is compared with other techniques experimentally.
Keywords :
computer network security; firewalls; packet switching; tree data structures; 2D early packet rejection technique; B-tree; DoS traffic targeting firewall; SA-BSPL; SSF-BSPL; computer networks; data flow; field value set cover; packet classification; packet firewall systems; packet manipulation; packet processing; packet rejection techniques; security rule; self adjusting binary search on prefix length; statistical splaying filters with binary search on prefix length; systems security; Accuracy; Electronics packaging; Firewalls (computing); IP networks; Matched filters; Vegetation; early packet rejection; firewall; packet classification; security policies in firewall;
Conference_Title :
Computational Intelligence for Security and Defense Applications (CISDA), 2014 Seventh IEEE Symposium on
Conference_Location :
Hanoi
DOI :
10.1109/CISDA.2014.7035643