Experimental Evaluation of Juniper Network's Netscreen-5GT Security Device against Layer4 Flood Attacks

doi:10.4236/jis.2011.21005

Paper Menu >>

Journal Menu >>

Journal of Information Security, 2011, 2, 50-58

doi:10.4236/jis.2011.21005 Published Online January 2011 (http://www.SciRP.org/journal/jis)

Experimental Evaluation of Juniper Network’s

Netscreen-5GT Security Device against Layer4 Flood

Attacks

Sanjeev Kumar, Raja Sekhar Reddy Gade

Network Security Research Lab, Department of Electrical and Computer Engineering,

The University of Texas–Pan American, Edinburg, USA

E-mail: sjk@utpa.edu

Received September 29, 2010; revised December 11, 2010; accepted January 15, 2011

Abstract

Cyber attacks are continuing to hamper working of Internet services despite increased use of network secu-

rity systems such as firewalls and Intrusion protection systems (IPS). Recent Distributed Denial of Service

(DDoS) attacks on Dec 8th, 2010 by Wikileak supporters on Visa and Master Card websites made headlines

on prime news channels all over the world. Another famous DDoS attacks on Independence Day weekend,

on July 4th, 2009 were launched to debilitate the US and South Korean governments’ websites. These attacks

raised questions about the capabilities of the security systems that were used in the network to counteract

such attacks. Firewall and IPS security systems are commonly used today as a front line defense mechanism

to defend against DDoS attacks. In many deployments, performances of these security devices are seldom

evaluated for their effectiveness. Different security devices perform differently in stopping DDoS attacks. In

this paper, we intend to drive the point that it is important to evaluate the capability of Firewall or IPS secu-

rity devices before they are deployed to protect a network or a server against DDoS attacks. In this paper, we

evaluate the effectiveness of a security device called Netscreen 5GT (or NS-5GT) from Juniper Networks

under Layer-4 flood attacks at different attack loads. This security device NS-5GT comes with a feature

called TCP-SYN proxy protection to protect against TCP-SYN based DDoS attacks, and UDP protection

feature to protect against UDP flood attacks. By looking at these security features from the equipments data

sheet, one might assume the device to protect the network against such DDoS attacks. In this paper, we con-

ducted real experiments to measure the performance of this security device NS-5GT under the TCP SYN and

UDP flood attacks and test the performance of these protection features. It was found that the Juniper’s

NS-5GT mitigated the effect of DDoS traffic to some extent especially when the attack of lower intensity.

However, the device was unable to provide any protection against Layer4 flood attacks when the load ex-

ceeded 40Mbps. In order to guarantee a measured level of security, it is important for the network managers

to measure the actual capabilities of a security device, using real attack traffic, before they are deployed to

protect a critical information infrastructure.

Keywords: Distributed Denial of Service (DDoS), TCP-SYN Flood Attack, TCP-SYN Proxy Protection,

Firewall Security, UDP Flood Attack

1. Introduction

Internet is the foremost leading media for multimedia

information exchange today. However, the ease of Inter-

net communication comes with the threat of security

attacks, which are known to disrupt such communica-

tions over Internet. As recently as Dec. 8th, 2010, the

servers of Visa, MasterCard, PayPal and several others

were brought down by the supporters of WikiLeaks us-

ing DDoS attacks [1]. On August 6th 2009, servers like

Twitter, Facebook, Live journal, Google’s Blogger and

Youtube were under DDoS attacks, where Twitter was

down for several hours [2]. According to CSI Computer

and Security Survey 2008, Firewall type of security tech-

S. KUMAR ET AL.

nology was used by 94% of the organizations [3]. Many

manufacturers are designing firewalls and advanced se-

curity devices to provide increased protection for their

customers from different types of attacks. Despite wide-

spread use of firewalls to protect corporate and govern-

ment websites, the damage caused by the denial of ser-

vice attacks do not seem to have gone away completely.

The DDoS attacks, launched during Wikileaks related

events starting Dec. 8th, 2010, and the Independence Day

DDoS attacks on July 4th, 2009 launched against US and

South Korean government websites [4], are now

prompting many network managers to question the per-

formance of their firewalls, IPS or other Internet security

devices being used in defending against such DDoS at-

tacks [5-13]. In this paper, we evaluate performance of

Juniper Network’s NetScreen NS-5GT Internet security

device [14,15] to measure its effectiveness in defending

against two popular layer-4 DDoS attacks, namely the

TCP-SYN and UDP flood attacks. The rest of the paper

is organized as follows: Section 2 has a discussion on the

TCP and UDP flood attacks that are evaluated in this

paper, and the protection mechanisms offered by the Ju-

niper Network’s NS-5GT security device to protect

against these two DDoS attacks. Section 3 provides de-

tail of experimental setup, different scenarios of protec-

tion used in the experiments, and discussion on respec-

tive results. Section 4 concludes the paper.

2. Juniper’s Netscreen NS-5gt Internet

Security Device

The Juniper’s NetScreen 5GT (NS-5GT) is an Internet

Security device that combines functionalities of firewall,

Intrusion Prevention System (IPS), VPN and traffic

shaping functions [14,15]. NS-5GT device is an enter-

prise class security solution designed to defend against

various security attacks including layer-4 DDoS attacks

such as TCP-SYN flood or UDP-flood attacks.

2.1. TCP-SYN Flood Attack

In this type of DDoS attack, the attacker sends a flood of

TCP-SYN packets with spoofed addresses. The server

responds with corresponding SYN-ACK packets which

are never answered with the final ACK packets.

This results in establishment of numerous half open

connections at the victim computer (Figure 1), which

causes excessive consumption of computing resources of

the victim computer. This type of DDoS attack is called

TCP-SYN flood attack. During this attack, legitimate

client connections are dropped as a result of lack of

computing resource at the victim computer.

Figure 1. TCP SYN flood attack.

2.2. Protection Provided by NetScreen NS-5GT

against TCP-SYN Based DDoS Attacks

The security device NS-5GT from Juniper Networks

provides protection against TCP-SYN based DDoS at-

tacks by using a mechanism called SYN Proxy protec-

tion method [14,15]. According to this mechanism, the

NS-5GT Internet security device is placed between the

server (that needs to be protected) and the Internet. In

this position, the NS-5GT does the proxy on behalf of the

server and participates in the initial TCP 3-Way Hand-

shake process (Figure 2) to authenticate genuine client

connections to the server.

According to this protection mechanism, first a SYN

attack threshold is set in the NS-5GT, which is an upper

limit on the number of SYN segments permitted throu gh

the device per second. If this threshold is exceeded, then

the NS-5GT starts to proxy on behalf of the server and

directly participates in 3-way handsh ake with the clients,

to establish a legitimate connection . The NS-5GT replies

with SYN_ACK to the initial SYN segments arriving

from the clients, and hence opening up a number of half

open connections. In the case of genuine client connec-

tions, the final ACK segment is sent from the client, and

upon receiving it the security device NS-5GT forwards it

to the server for establishment of a secure TCP connec-

tion. If the final ACK segment doesn’t arrive then the

half open connection at the intermediate NS-5GT device

is terminated or timed out.

2.3. UDP Flood Attack

UDP is another common Layer-4 traffic on internet.

S. KUMAR ET AL.

Figure 2. SYN Proxy protection [15].

However unlike TCP traffic, the Web-servers do not re-

ceive a lot of UDP traffic. During UDP flood attacks, a

flood of UDP packets are sent to the victim computers

either on specified ports or on random ports. The victim

computer or server processing those UDP packets replies

with valid information, if there is an applicatio n available

on the specified port, otherwise the victim computer

sends “ICMP Destination Unreachable” message to the

spoofed sender. UDP flood attacks can also consume

computing resources on the victim system besides the

bandwidth. The Juniper’s NetScreen NS-5GT security

device also has a protection feature that claims to protect

against UDP flood attacks. In this paper, we measure the

capability of the NS-5GT to defend against UDP flood

attacks.

2.4. Protection Provided by NetScreen NS-5GT

against UDP-Flood Based DDoS Attacks

The NetScreen 5GT provides protection against UDP

flood attacks by monitoring the rate of incoming UDP

datagrams to the NS-5GT. The security device NS-5GT

passes the UDP datagrams only if a policy permits them.

For example, as shown in Figure 3, the UDP packet can

be targeted to a DNS server.

In the case of attack, the attacker sends a flood of UDP

datagrams to a DNS server, which rides IP packets with

spoofed source addresses. The security device protects

against this type of UDP flood attack by imp osing a limit

on the maximum rate i.e. the maximum number of UDP

datagrams that can be allowed to pass through the secu-

rity device per second. After the threshold is crossed, the

security device NS-5GT starts dropping all UDP data-

grams from all source addresses and destined to the same

subnet for the remaining second and also for the next

successive second. During this time period when the

threshold is enabled, the UDP packets from the legiti-

mate clients are also dropped. Thus the dropping of all

UDP datagrams stays in effect, as long the threshold

limit stays violated by the flood of incoming UDP pack-

ets.

3. Experimental Setup and Measurements

For experiments, an evaluation network was set up in a

controlled lab environment as shown in Figure 4, where

we launched a TCP-SYN attack and UDP flood attack to

measure the performance of Juniper’s Netscreen 5GT

Security Device. The number of client connections es-

tablished per second to the server was used as the per-

formance parameter in these experiments. In these ex-

periments, we measured the number of client connec-

tions per second against different loads of attack traffic.

To compare the effectiveness of the security device, the

performance was evaluated with and without respective

protections being enabled on the NS-5GT security device

to stop the flood attacks from reaching the server. For

this experiment, along with the Juniper Networks NS-5GT

security device, the Windows Server 2003 with Intel®

XeonTM 3GHz Processor a n d 4 GB R AM w ere used.

S. KUMAR ET AL.

Figure 3. UDP flood protection method used by NS-5GT [15].

Figure 4. Experimental setup to evaluate the effectiveness of Juniper’s NT-5GT security device.

The set up in Figure 4 shows the legitimate HTTP cli-

ents that connect to the server through the security device

NS-5GT. Furthermore, the attacker’s network is used to

simulate the Distributed Denial of Attack (DDoS) attack

with the attack traffic being sent with spoofed addresses.

Since the Juniper’s NS-5GT security device system sup-

ported an interface of 100Mbps for internet traffic, the

security device was subjected to a range of layer-4 attack

traffic load up to 100Mbps.

Prior to starting the experiments, we first measure the

baseline performance of the security device NS-5GT in

supporting the maximum number of stable client connec-

tions per second in the absence of any attack traffic. In the

absence of any attack traffic, the maximum number of

stable client connection rate established with the server

through the NS-5GT security device was measured to be

600 connections per second (baseline performance of the

NS-5GT security device).

3.1. TCP SYN Attack on Server without

Protection Enabled on Juniper’s NS-5GT

Security Device

In this case, the security device NS-5GT was setup with

no proxy protection enabled against TCP-SYN attacks. A

stable connection rate of 600 legitimate client connec-

tions per second was established with the server during

the experiment. The TCP-SYN attack, with the attack

54 S. KUMAR ET AL.

load varying from 10 Mbps to 100Mbps was launched on

the server with no SYN proxy protection enabled at the

NS-5GT security device. We measured the number of

connections per second formed with the end server

through the NS-5GT under different loads of TCP-SYN

flood attack (Figure 5).

Based on the experimental measurements, it was found

that the number of legitimate client connection rate was

brought down to around 176 connections/sec from the

baseline rate of 600 connections/sec under the TCP-SYN

attack load of only 15 Mbps. Furthermore, the number of

legitimate client connections was brought down to zero

when the attack load was increased to 20 Mbps. The

number of client connection rate established with the

server through the NS-5GT security device (used as a

gateway) at different attack loads is shown in Figure 5.

3.2. TCP-SYN Attack on Server with SYN-Proxy

Protection Enabled on Juniper’s NS-5GT

Security Device

In this case, the SYN Proxy protection was enabled on

the NS-5GT, with default threshold value on the number

of TCP SYN permitted through the security device. De-

spite enabling of the SYN proxy protection, we found

that the client connections rate dropped to zero at 45

Mbps of SYN flood attack traffic load as shown in Fig-

ure 6.

Based on the measurements done for the client con-

nection rate that can be su pported with and without TCP

proxy protection enabled at the Juniper’s NS-5GT secu-

rity device, such comparison is shown in Figure 7. The

green bar on the left in Figure 7 shows the number of

successful client connections formed per second without

SYN proxy protection enabled at the NS-5GT, whereas

the blue bar on the right in Figure 7 shows the number

of successful client connections formed per second with

SYN proxy protection enabled at the Juniper’s NS-5GT

security device.

On one hand, it can be seen that without SYN-proxy

protection being enabled at the NS-5GT security device,

the legitimate client connection rate fell sharply to zero

around 20 Mbps of TCP-SYN attack traffi c. On the other

hand, it can be seen that when the SYN-proxy pro tection

Figure 5. Client connection rate under different TCP-SYN attack loads with no protection enabled on NS-5GT.

Figure 6. Client connection rate under different TCP-SYN attack loads with SYN-proxy protection enabled on NS- 5GT.

S. KUMAR ET AL.

Figure 7. Connections per second compared with and without SYN Proxy protection enabled on the Juniper’s NS-5GT secu-

rity device.

was enabled at the Juniper’s NS-5GT security device, it

took 45 Mpbs of TCP-SYN attack traffic to completely

deny legitimate client connections through the Juniper’s

Netscreen 5GT security device.

Comparative study and results (Figure 7) show that the

security effectiveness provided by the Juniper’s NS-5GT

security device is very marginal in improving the client

connection rate, and almost ineffective in protecting

against TCP-SYN attacks of higher intensity exceeding

45 Mbps. It is obvious that the security device NS-5GT

from Juniper Networks is not capable enough to protect

against high intensity TCP-SYN attacks despite offering

protection features against such attacks.

3.3. UDP Flood Attack on Server without

UDP-Flood Protection Enabled on Juniper’s

NS-5GT Security Device

In this case, we study the effectiveness of the Juniper’s

security device NS-5GT in protecting against UDP flood

attack. For comparison of its protection mechanism, we

consider two scenarios to measure the effect of security

provided by the NS-5GT on the connection rate–first

scenario, when the UDP flood attack is launched without

enabling the UDP flood protection at NS-5GT. Second

scenario, when the UDP flood attack is launched after

enabling the UDP flood protection at NS-5GT. In this

section, we cover the first scenario when the security

device NS-5GT was setup with no UDP-flood protection,

and the server maintained an initial (baseline) client

connection rate of 600 connections per second during the

experiments. The UDP flood attack traffic varying from

10 Mbps to 100 Mbps in steps of 10 Mbps was sent to-

wards the server through the security device NS-5GT.

The effect of attack traffic loads on the client connection

rate was measured and plotted in Figure 8.

When the server is flooded with the spoofed UDP traf-

fic, the UDP packet received by the server processes the

packets and checks for the application on the requested

port number. If there was no application found on that

requested port then the server sends the destination un-

reachable packet as reply for the received packets.

Results in Figure 8 show that the number of client

connections dropped to half of its maximum baseline

capacity under UDP flood attack load of 35 Mbps. Fur-

thermore, without UDP flood protection on the NS-5GT

security device, no client connection could be established

under UDP att ack loa d o f 40 M bps or higher.

3.4. UDP Flood Attack on Server with UDP

Flood Protection Enabled on Juniper’s

Security Device NS-5GT

In this case, the UDP flood attack protection (Figure 3)

was enabled on the Juniper’s NS-5GT security device to

evaluate its effectiveness in mitigating the attack, and in

improving the number of client connections under UDP

flood attack conditions. In itially, in the absence of attack

conditions, the baseline client connection rate of 600

connections per second was maintained during the ex-

periment. The UDP flood attack load varying from 10

Mbps to 100 Mbps in steps of 10 Mbps was sent towards

56 S. KUMAR ET AL.

the server, through the Juniper’s security device NS-5GT

gateway, in order to measure its effectiveness in pre-

venting the attack. The number of connections per sec-

ond was measured against different loads of attack.

When the UDP flood protection was enabled on the

Juniper Networks security device NS-5GT, it was found

that under an UDP attack traffic load of 30 Mbps, the

connection rate dropped from baseline connection rate of

600 connections/sec to around 373 connections /sec, i.e. a

decrease of arou nd 38% in the baseline performance.

Whereas, without such UDP flood protection being

enabled on the security device NS-5GT (Figure 8), only

97 connections/sec could be supported under the UDP

attack load of 30 Mbps i.e. around 84% decrease in the

baseline performance. The relative improvement in the

connection rate provided by the UDP protection mecha-

nism of the security device can be calculated as 46% for

the attack load of 30 Mbps. It can be seen that at lower

attack loads, there was some improvement in the connec-

tion rate provided by the security device NS-5GT, how-

ever when the UDP attack load was increased to 45Mbps

or higher, no client connections could be established i.e.

0% improvement in the connection rate despite claims of

providing protection ag ainst UDP attacks by the NS-5GT

security device.

The results show that the NS-5GT provides some pro-

tection against the UDP flood attack of lower intensity

(below 40 Mbps), however it is not effective in prevent-

ing against UDP flood attacks of higher intensity (i.e.

exceeding 40 Mbps).

Based on the measurements done for the number of

client connection rate that can be supported with and

without UDP flood protection enabled at the Juniper’s

NS-5GT security device, we show such comparison in

Figure 10. The green bars on the left in Figure 10 show

the number of successful client connections formed per

second when no UDP flood pro tection was enab led at th e

NS-5GT. Whereas the blue bars on the right in Figure 10

show the number of successful client connections formed

per second with UDP flood protection enabled at the

Juniper’s NS-5GT security device.

From Figure 10, it can be observed that without UDP

flood-protection enabled at the NS-5GT security device,

the client connection rate goes to almost zero at 35 Mbps

Figure 8. Client connections established under different UDP flood attack loads with no protection enabled on NS-5GT.

Figure 9. Client connections established under different UDP flood attack loads with UDP-protection enabled on NS-5GT.

S. KUMAR ET AL.

Figure 10. Comparison of Connection rate with and without UDP-flood protection enabled on the NS-5GT security device.

of UDP-flood attack traffic. Whereas when the UDP-flood

attack protection is enabled on the NS-5GT, the connec-

tion rate goes to zero at a little higher traffic load of 45

Mbps. The connection dro p rate is found to be somewhat

slower when the protection is enabled at the NS-5GT

security device for lower attack loads (Figure 10). Over-

all the protection provided by the security device

NS-5GT is marginal against preventio n of the UDP flood

attacks considered in this paper.

4. Conclusion

In this paper, we evaluated the performance of a Juniper

Network security device NS-5GT to measure its effect-

tiveness in providing protection against Layer-4 TCP-

SYN and UDP based DDoS attacks. It was found that the

protection provided by NS-5GT was capable in defend-

ing to some extent against lower loads of TCP-SYN and

UDP based DDoS attacks, however at higher attack loads

exceeding 40 Mbps, the NS-5GT security device was not

capable of establishing client connections in the face of

such flood attacks. Despite the security protection of-

fered by the security device NS-5GT, the evaluation re-

sults showed the Juniper’s security device NS-5GT to be

of limited capability in preventing layer4 DDoS attacks.

The Juniper Network security device NS-5GT, claimed

to provide protection against TCP SYN attacks and UDP

flood attacks, however the protection was measured to be

not effective in defending against higher intensity of

such attacks exceeding 40 Mbps. Before deploying a

network security device to protect a critical information

infrastructure, it is important for the network administra-

tors to seek actual performance evaluation results from

the manufacturers to determine the actual capabilities of

the Internet security devices in prev enting against DDoS

attacks.

5. Acknowledgements

This research work is based upon work supported in part

by US National Science Foundation under Grant No.

0421585. Authors would like to thank Hari Vallela-

cheruvu and Sirisha Surisetty of the networking research

lab for their helpful discussion and assistance with the

experiments.

6. References

[1] “WikiLeaks Supporters Tear down VISA in DDoS At-

tack,” December 9, 2010. http://www.digitaltrends.com/

computing/wikileaks-supporters-tear-down-visa-in-ddos-

attack/.

[2] Cnet news, “Twitter Crippled by Denial-of-Service At-

tack”, 15 October 2010. http://news.cnet.com/8301-1357

7_3-10304633-36. html

[3] R. Richardson, “2008 CSI Computer Crime & Security

Survey,” CSI, 2008.

[4] “US Suspects N Korea Launched Internet Attack on July

4,” 15 October 2010. http://ibnlive.in.com/news/us-sus-

pects-n-korea-laun-ched-internettack-on-%20%20%20%

20%20july-4/96715 -2.html

[5] “Computer Emergency Response Team (CERT)® Advi-

sory CA-2001-20,” 15 October 2010. http://www.cert.

org/tech_tips/home_ networks.html

[6] “Computer Emergency Response Team (CERT)®,”

58 S. KUMAR ET AL.

Trends in Denial of Service Attacks Technology. 15 Oc-

tober 2010. http:// www.cert.org/archive/pdf/DoS_trends.

pdf

[7] C. Douligeris and A. Mitrokotsa, “DDOS Attacks and

Defense Mechanisms: A Classification,” Proceedings of

the 3rd IEEE International Symposium on Signal Proc-

essing and Information Technology, 14-17 December

2003, pp. 190-193. doi:10.1109/ISSPIT.2003.1341092

[8] J. Mirkovic and P. Reiher. “A Taxonomy of DDoS At-

tacks and DDoS Defense Mechanisms,” ACM SIGCOMM

Computer Communications Review, Vol. 349, No. 2,

April 2004, pp. 39-54. doi:10.1145/997150.997156

[9] S. Kumar, “Smurf Based Denial of Service Attack Am-

plification in Internet,” IEEE Computer Society, ICIMP,

2007.

[10] M. R. Lyu and L. K. Y. Lau, “Firewall Security: Policies,

Testing and Performance Evaluation,” The 24th Annual

International Computer Software and Applications

Conference, Taipe, 25-27 October 2000, pp. 116-121.

[11] R. K. C. Chang “Defending Against Flooding-Based

Distributed Denial-of-Service Attacks: A Tutorial,” IEEE

Communications, Vol. 40, No. 10, April 2002, pp. 42-51.

doi:10.1109/MCOM.2002.1039856

[12] S. Kumar, M. Azad, O. Gomez and R. Valdez, “Can Mi-

crosoft’s Service Pack-2 (SP2) Security Software Pre-

vents Smurf Attacks?” Advanced International Confer-

ence on Telecommunications, Guadeloupe, September

2006, pp. 89-93.

[13] S. Kumar and E. Petana, “Mitigation of TCP-SYN At-

tacks with Microsoft’s Windows XP Service Pack2 (SP2)

Software,” Seventh International Conference on Net-

working, Cancun, 13-18 April 2008, pp. 238-242. doi:

10.1109/ICN.2008.77

[14] “Juniper Networks NetScreen NS 5GT Security Policy,”

15 October 2010. http://csrc.nist.gov/groups/STM/cmvp/

documents/140-1/140sp/140sp629.pdf

[15] Juniper Networks, Inc., “Attack Detection and Defense

Mechanisms,” 2008. http://www.juniper.net/techpubs/soft-

ware/screenos/screenos5x/ce_v4_5_0.pdf