Experimental Evaluation of Juniper Network's Netscreen-5GT Security Device against Layer4 Flood Attacks

Cyber attacks are continuing to hamper working of Internet services despite increased use of network security systems such as firewalls and Intrusion protection systems (IPS). Recent Distributed Denial of Service (DDoS) attacks on Dec 8, 2010 by Wikileak supporters on Visa and Master Card websites made headlines on prime news channels all over the world. Another famous DDoS attacks on Independence Day weekend, on July 4, 2009 were launched to debilitate the US and South Korean governments’ websites. These attacks raised questions about the capabilities of the security systems that were used in the network to counteract such attacks. Firewall and IPS security systems are commonly used today as a front line defense mechanism to defend against DDoS attacks. In many deployments, performances of these security devices are seldom evaluated for their effectiveness. Different security devices perform differently in stopping DDoS attacks. In this paper, we intend to drive the point that it is important to evaluate the capability of Firewall or IPS security devices before they are deployed to protect a network or a server against DDoS attacks. In this paper, we evaluate the effectiveness of a security device called Netscreen 5GT (or NS-5GT) from Juniper Networks under Layer-4 flood attacks at different attack loads. This security device NS-5GT comes with a feature called TCP-SYN proxy protection to protect against TCP-SYN based DDoS attacks, and UDP protection feature to protect against UDP flood attacks. By looking at these security features from the equipments data sheet, one might assume the device to protect the network against such DDoS attacks. In this paper, we conducted real experiments to measure the performance of this security device NS-5GT under the TCP SYN and UDP flood attacks and test the performance of these protection features. It was found that the Juniper’s NS-5GT mitigated the effect of DDoS traffic to some extent especially when the attack of lower intensity. However, the device was unable to provide any protection against Layer4 flood attacks when the load exceeded 40Mbps. In order to guarantee a measured level of security, it is important for the network managers to measure the actual capabilities of a security device, using real attack traffic, before they are deployed to protect a critical information infrastructure.