Performance Evaluation and Comparison of Network Firewalls under DDoS Attack

Full Text (PDF, 289KB), pp. 60-67


Author(s)

Chirag Sheth 1,*, Rajesh Thakker 2

1. Tata Consultancy Services Limited, Garima Park, Gandhinagar – 382009, India

2. Electronics & Communication Dept., Govt. Engg. College, Bhavnagar – 364002, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2013.12.08

Received: 26 Jan. 2013 / Revised: 5 May 2013 / Accepted: 22 Jun. 2013 / Published: 8 Oct. 2013

Index Terms

DDoS Attack, Network Security, Distributed Network Firewall, Checkpoint NGX, Cisco ASA, OpenBSD PF

Abstract

Network firewalls act as the first line of defense against unwanted and malicious traffic, and they also represent a critical point of failure during a DDoS attack. Predicting overall firewall performance is crucial for network security administrators and designers when assessing the strength and effectiveness of network firewalls against DDoS attacks. In this paper, the authors study and compare the DDoS performance of the main types of firewalls in operation today. Analysis and detailed comparison are performed on the open source Packet Filter (PF) firewall, Check Point SPLAT and Cisco ASA in a testing environment with laboratory-generated DDoS traffic. Firewall performance parameters that should be considered during a DDoS attack are identified. Further, experiments are carried out to study the effect of varying TCP opening timers on the performance of a stateful inspection firewall during a SYN flood attack. Finally, to improve performance, intelligence is applied in the PF firewall rulebase to mitigate DDoS.

Cite This Paper

Chirag Sheth, Rajesh Thakker, "Performance Evaluation and Comparison of Network Firewalls under DDoS Attack", International Journal of Computer Network and Information Security (IJCNIS), vol. 5, no. 12, pp. 60-67, 2013. DOI: 10.5815/ijcnis.2013.12.08
