S. KUMAR ET AL.
51
nology was used by 94% of the organizations [3]. Many manufacturers are designing firewalls and advanced security devices to provide increased protection for their customers from different types of attacks. Despite the widespread use of firewalls to protect corporate and government websites, the damage caused by denial of service attacks does not seem to have gone away completely. The DDoS attacks launched during the Wikileaks-related events starting Dec. 8th, 2010, and the Independence Day DDoS attacks launched on July 4th, 2009 against US and South Korean government websites [4], are now prompting many network managers to question the performance of the firewalls, IPS or other Internet security devices they use to defend against such DDoS attacks [5-13]. In this paper, we evaluate the performance of Juniper Network's NetScreen NS-5GT Internet security device [14,15] to measure its effectiveness in defending against two popular layer-4 DDoS attacks, namely the TCP-SYN and UDP flood attacks. The rest of the paper is organized as follows: Section 2 discusses the TCP and UDP flood attacks that are evaluated in this paper, and the protection mechanisms offered by the Juniper Network's NS-5GT security device against these two DDoS attacks. Section 3 provides details of the experimental setup, the different protection scenarios used in the experiments, and a discussion of the respective results. Section 4 concludes the paper.
2. Juniper's NetScreen NS-5GT Internet Security Device
Juniper's NetScreen 5GT (NS-5GT) is an Internet security device that combines firewall, Intrusion Prevention System (IPS), VPN and traffic shaping functions [14,15]. The NS-5GT is an enterprise-class security solution designed to defend against various security attacks, including layer-4 DDoS attacks such as TCP-SYN flood or UDP flood attacks.
2.1. TCP-SYN Flood Attack
In this type of DDoS attack, the attacker sends a flood of TCP-SYN packets with spoofed source addresses. The server responds with the corresponding SYN-ACK packets, which are never answered with the final ACK packets. This results in the establishment of numerous half-open connections at the victim computer (Figure 1), which causes excessive consumption of the victim computer's computing resources. This type of DDoS attack is called a TCP-SYN flood attack. During this attack, legitimate client connections are dropped because the victim computer lacks the computing resources to serve them.
Figure 1. TCP SYN flood attack.
2.2. Protection Provided by NetScreen NS-5GT against TCP-SYN Based DDoS Attacks
The NS-5GT security device from Juniper Networks provides protection against TCP-SYN based DDoS attacks by using a mechanism called the SYN Proxy protection method [14,15]. In this mechanism, the NS-5GT Internet security device is placed between the server that needs to be protected and the Internet. In this position, the NS-5GT acts as a proxy on behalf of the server and participates in the initial TCP 3-way handshake (Figure 2) to authenticate genuine client connections to the server.
Under this protection mechanism, a SYN attack threshold is first set in the NS-5GT; this is an upper limit on the number of SYN segments permitted through the device per second. If this threshold is exceeded, the NS-5GT starts to proxy on behalf of the server and directly participates in the 3-way handshake with the clients to establish a legitimate connection. The NS-5GT replies with SYN-ACK to the initial SYN segments arriving from the clients, thereby opening a number of half-open connections on the device itself. In the case of a genuine client connection, the final ACK segment is sent by the client, and upon receiving it the NS-5GT forwards it to the server for the establishment of a secure TCP connection. If the final ACK segment doesn't arrive, the half-open connection at the intermediate NS-5GT device is terminated or timed out.
2.3. UDP Flood Attack
UDP is another common layer-4 protocol on the Internet.
Copyright © 2011 SciRes. JIS