Share This Article:

Experimental Evaluation of Juniper Network's Netscreen-5GT Security Device against Layer4 Flood Attacks

Abstract Full-Text HTML Download Download as PDF (Size:944KB) PP. 50-58
DOI: 10.4236/jis.2011.21005    5,108 Downloads   9,782 Views   Citations

ABSTRACT

Cyber attacks are continuing to hamper working of Internet services despite increased use of network secu-rity systems such as firewalls and Intrusion protection systems (IPS). Recent Distributed Denial of Service (DDoS) attacks on Dec 8th, 2010 by Wikileak supporters on Visa and Master Card websites made headlines on prime news channels all over the world. Another famous DDoS attacks on Independence Day weekend, on July 4th, 2009 were launched to debilitate the US and South Korean governments’ websites. These attacks raised questions about the capabilities of the security systems that were used in the network to counteract such attacks. Firewall and IPS security systems are commonly used today as a front line defense mechanism to defend against DDoS attacks. In many deployments, performances of these security devices are seldom evaluated for their effectiveness. Different security devices perform differently in stopping DDoS attacks. In this paper, we intend to drive the point that it is important to evaluate the capability of Firewall or IPS secu-rity devices before they are deployed to protect a network or a server against DDoS attacks. In this paper, we evaluate the effectiveness of a security device called Netscreen 5GT (or NS-5GT) from Juniper Networks under Layer-4 flood attacks at different attack loads. This security device NS-5GT comes with a feature called TCP-SYN proxy protection to protect against TCP-SYN based DDoS attacks, and UDP protection feature to protect against UDP flood attacks. By looking at these security features from the equipments data sheet, one might assume the device to protect the network against such DDoS attacks. In this paper, we con-ducted real experiments to measure the performance of this security device NS-5GT under the TCP SYN and UDP flood attacks and test the performance of these protection features. It was found that the Juniper’s NS-5GT mitigated the effect of DDoS traffic to some extent especially when the attack of lower intensity. However, the device was unable to provide any protection against Layer4 flood attacks when the load ex-ceeded 40Mbps. In order to guarantee a measured level of security, it is important for the network managers to measure the actual capabilities of a security device, using real attack traffic, before they are deployed to protect a critical information infrastructure.

Conflicts of Interest

The authors declare no conflicts of interest.

Cite this paper

S. Kumar and R. Gade, "Experimental Evaluation of Juniper Network's Netscreen-5GT Security Device against Layer4 Flood Attacks," Journal of Information Security, Vol. 2 No. 1, 2011, pp. 50-58. doi: 10.4236/jis.2011.21005.

References

[1] “WikiLeaks Supporters Tear down VISA in DDoS Attack,” December 9, 2010. http://www.digitaltrends.com/ computing/wikileaks-supporters-tear-down-visa-in-ddos- attack/.
[2] Cnet news, “Twitter Crippled by Denial-of-Service Attack”, 15 October 2010. http://news.cnet.com/8301-1357 7_3-10304633-36. html
[3] R. Richardson, “2008 CSI Computer Crime & Security Survey,” CSI, 2008.
[4] “US Suspects N Korea Launched Internet Attack on July 4,” 15 October 2010. http://ibnlive.in.com/news/us-suspects-n-korea-laun-ched-internettack-on-%20%20%20% 20%20july-4/96715 -2.html
[5] “Computer Emergency Response Team (CERT)? Advisory CA-2001-20,” 15 October 2010. http://www.cert. org/tech_tips/home_ networks.html
[6] “Computer Emergency Response Team (CERT)?,” Trends in Denial of Service Attacks Technology. 15 October 2010. http:// www.cert.org/archive/pdf/DoS_trends. pdf
[7] C. Douligeris and A. Mitrokotsa, “DDOS Attacks and Defense Mechanisms: A Classification,” Proceedings of the 3rd IEEE International Symposium on Signal Processing and Information Technology, Darmstadt,14-17 December 2003, pp. 190-193. doi:10.1109/ISSPIT.2003.1341092
[8] J. Mirkovic and P. Reiher. “A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms,” ACM SIGCOMM Computer Communications Review, Vol. 349, No. 2, April 2004, pp. 39-54. doi:10.1145/997150.997156
[9] S. Kumar, “Smurf Based Denial of Service Attack Amplification in Internet,” IEEE Computer Society, ICIMP, 2007.
[10] M. R. Lyu and L. K. Y. Lau, “Firewall Security: Policies, Testing and Performance Evaluation,” The 24th Annual International Computer Software and Applications Conference, Taipe, 25-27 October 2000, pp. 116-121.
[11] R. K. C. Chang “Defending Against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” IEEE Communications, Vol. 40, No. 10, April 2002, pp. 42-51. doi:10.1109/MCOM.2002.1039856
[12] S. Kumar, M. Azad, O. Gomez and R. Valdez, “Can Microsoft’s Service Pack-2 (SP2) Security Software Prevents Smurf Attacks?” Advanced International Conference on Telecommunications, Guadeloupe, September 2006, pp. 89-93.
[13] S. Kumar and E. Petana, “Mitigation of TCP-SYN Attacks with Microsoft’s Windows XP Service Pack2 (SP2) Software,” Seventh International Conference on Networking, Cancun, 13-18 April 2008, pp. 238-242. doi: 10.1109/ICN.2008.77
[14] “Juniper Networks NetScreen NS 5GT Security Policy,” 15 October 2010. http://csrc.nist.gov/groups/STM/cmvp/ documents/140-1/140sp/140sp629.pdf
[15] Juniper Networks, Inc., “Attack Detection and Defense Mechanisms,” 2008. http://www.juniper.net/techpubs/soft- ware/screenos/screenos5x/ce_v4_5_0.pdf

  
comments powered by Disqus

Copyright © 2018 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.