WIXLIB

62Performance Evaluation and Comparison of Network Firewalls under DDoS Attackcause all systems in the subnet reached by the broadcastaddress to send a message to the victim system.(b) Resource Depletion AttacksIn DDoS resource depletion attacks the attacker sendsa malformed packet that ties up the network resources orexhausts the system resources, so that no resources areleft for legitimate users.Listed in the TABLE I are some of the DDOS attacktypes along with brief description of them.TABLE I. MAJOR DDOS ATTACK TYPESDDoS AttackGeneric etailsFlood of traffic for one or more protocolsor ports. UDP flood and Sync Flood arecommon types. It can be spoofed or nonspoofed.A flood of TCP or UDP fragments are sentto overwhelm the victim’s ability toreassemble the streams and severelyreducing performance. It may also be aresult of misconfiguration.Connection attacks maintain a largenumber of half-open or fully open idleTCP connections. Resource exhaustion inthe TCP stack or application connectiontables prevents the victim host fromallowing new TCP connections to beopened to the victim.Application-levelfloods attacksApplication attacks are designed tooverwhelm components of specificapplications.BufferOverflow canconsume all available memory or CPUtime.Vulnerabilityexploit attacksVulnerability exploit attacks are designedto exploit a software flaw in the victim’soperating system or application.IV. DDOS PERFORMANCE COMPARISON OFVARIOUS FIREWALLSIn recent times, there is strong demand to analyse theperformance of network firewalls when subjected toDDoS attacks. If network firewalls are poorly designed towithstand DDoS attacks, the overall security of theprotected network will be on high risk. Specifically, thereis an increasing demand for analysing, modelling andsimulating performance of network firewalls to predicthow effective and efficient network firewall is underDDoS attacks. This will help Firewall designers andsystem administrators to identify bottlenecks and keyparameters that impact its performance, and then performthe necessary tuning for optimal performance.Performance analysis can provide quick answers tonumerous design and operational questions. This willhelp firewall designers to carry out a first cut design toreduce the set of design alternatives and then usesimulations or experiments to assess performance of fewgood designs before building and deploying the systeminto their own network environment.Copyright 2013 MECSIn spite of firewall representing one of the criticalpoint of failure at the time of DDoS attack, no standardmethod of firewall performance evaluation during DDoSis prevalent in market as per author’s knowledge. Theprimary reason for the same is that firewallimplementations vary widely making it difficult to carryout direct performance comparisons. As more and moreorganizations deploy firewalls on their networks, questionarises whether the products they buy will stand up andsustain to relatively heavy loads. All the three firewallsused in this setup are Stateful, i.e., they keep track of thestate network of connections (such as CP streams)travelling across it. By keeping track of the connectionstate, stateful firewalls provide added efficiency in termsof packet inspection. This is because for existingconnections the firewall need only check the state table,instead of checking the packet against the firewall's ruleset, which can be extensive. In order to prevent the statetable from filling up, sessions will time out if no traffichas passed for a certain period. These stale connectionsare removed from the state table.Although the firewalls are stateful, during DDoS attack,each set of packets traversing a stateful firewall consumesstate-table resources within those firewalls, creating aDDoS chokepoint. As firewalls have limited amount ofstate-table resources it is quite easy for attackers toprogrammatically generate sufficient well-formed trafficwhich will satisfy and pass the firewall policy rules.Eventually, this will choke up bandwidth for legitimatetraffic from real users which will lead to denial ofservices of the servers and applications behind thefirewall. Additionally, in most cases, sufficient firewallstate-table exhaustion due to attack traffic will causestateful firewalls to essentially fall over and fail toforward traffic. Hence, stateful firewalls almostinvariably surrender to DDoS attacks even far morerapidly than the servers themselves would without thefirewalls there at all.A. Laboratory DDoS attack Generation – Open SourceTools ComparisionOne of the major challenge to study firewallperformance was to generate and replicate DDoS inlaboratory environment. Study and implementation ofmany of the open source tools which generates traffic aredone in order to generate as distributed traffic as possible.Below is the comparison of some of the Open SourceTools used along with their limitations.(a) Apache JMeterJMeter is an Apache Jakarta project [19] that can beused as a load testing tool for analysing and measuringthe performance of a variety of services, with a focus onweb applications. Its limitation was its inability to scalewell as it can only send a maximum of 2500 requests persecond using single system used in setup. Moreover, it isnot able to tune the request rate (rps) and consequently,its variance is more during the test.(b) FWPTT - Fast Web Performance Test ToolI.J. Computer Network and Information Security, 2013, 12, 60-67

Performance Evaluation and Comparison of Network Firewalls under DDoS AttackFWPTT (Fast web performance test tool) [20] is anopen source web application testing tool written in C#.netfor load testing web applications Its limitation iswhatever may be the input combination to this tool, thistool is unable to send more than 500 requests per secondusing single system used in setup, and hence it is notscalable. Moreover, it is not having an option to tune thenumber of request per second nor it is having graphicalviewer.(c) JCrawler – Stress Testing ToolJCrawler [21] is an open-source Stress-Testing Toolwritten in Java for web-applications. The limitation of thesame is that it is like a web portal system and not suitableto use as load-testing tool. It is not able to scale well sinceit is searching for the URLs to redirect in each web page.(d) Curl-LoaderCurl-loader 22] is an open-source tool written in Clanguage. It is capable of simulating application load andapplication behaviour of thousands and tens of thousandsof HTTP/HTTPS and FTP/FTPS clients, each with itsown source IP-address. It runs under Linux platform. Weobserved only one major limitation that is not scriptableand hence it cannot be used for dynamic requests.However, inspite of this limitation, authors found CurlLoader better as compared with other tools for setupdescribed in the next section in Fig. 2. Hence, it was usedfor laboratory DDoS Traffic generation.B. Performance Testing SetupIn order to characterize performance of firewall, thetesting environment setup shown in Fig. 2 is used tocompare performance of three most operational firewallsin market.632500-100000 and more simultaneously loading clients, allfrom a single curl-loader process. Big-IP F5 LoadBalancer is also used which has virtual servers poolcontaining inside web servers. The traffic going to webservers is observed from Load Balancer. The LoadBalancer is used so as to make the environment as closereplica of live environment as possible.The firewall configurations, operating system andhardware details of three firewall products under test arementioned in Table II. The configurations used aresimilar to that used in [3] with some upgrades in OS.Cisco uses its own hardware. Checkpoint and PF areconfigured on HP Servers. Attempt is made to keephardware as similar as possible for all three firewallsunder test, in order to have conditions as close as possibleto real world. Compatibility of hardware and networkinterfaces with firewall operating system is testedbeforehand after referring to firewall product website [2325].TABLE II. FIREWALL ingSystemProductArchitectureProcessingCoresGigabit EthernetInterfaces10 GigabitEthernetInterfacesFirewall ProductsCheckpointOpenBSDCisco ASA(CP) SPLATPFCisco ASA HP DL 380HP DL 3805580SPLAT 2.4ASA V 8.2.2CheckpointOpen BSDASDM 6.2.5NGX4.7R70Multi-processor,Multi-core804C. Performance Testing ResultsSome of the DDoS performance parameters aremeasured in Table III. These are explored in order tocompare performance of three of the most widely usedfirewall products in market as on today.TABLE III. DDOS PERFORMANCE TEST RESULTSDDoS PerformanceParametersSystem Under Test – FirewallProductsCiscoCPOpenBASASPLATSD PFHTTP Throughput(Gbps)10.65.64.5Legitimate Trafficallowed till percentage ofDDoS traffic80%82%76%Firewall CPU Utilizationat 50% DDoS40%45%43%Firewall CPU Utilizationat 75% DDoS60%80%65%Figure 2: Setup diagram for performance testingTest traffic is generated using Open-Source tool CurlLoader. Virtual machine setup is used in order to generatetraffic as distributed and as higher in magnitude aspossible. VMWARE ESX 4 server is deployed and 4virtual machines hosts are installed on the same. Thetraffic is targeted towards a web application hosted onweb application servers at the other side. The firewallpolicy is set to allow all the requests on port http andhttps towards the targeted IP where web services arehosted, hence firewall job is to establish state and forwardthe packet. Packets and states are observed on the firewallusing various tools and CLI commands. The tool runsCopyright 2013 MECSI.J. Computer Network and Information Security, 2013, 12, 60-67

64Performance Evaluation and Comparison of Network Firewalls under DDoS AttackTime for completefailure (unreachable) atfull DDoSCapacity limits(Percentage of othertraffic blocked exceptTCP)12 min15 min9 min100%100%100%1) HTTP Throughput: It is the maximum offered HTTPload, expressed in either bits per second or packets persecond, at which no packet loss is detected. The goal ofthis test is to characterize the performance of the SUTwhen deployed to protect a high performance web-basedapplication. Cisco outperformed other firewalls in realworld HTTP performance tests.2) Legitimate Traffic allowed till percentage of DDoStraffic: Since we have laboratory generated DDoS traffic,we know about the IP Range used as legitimate trafficand IP Range used for DDoS. Checkpoint showed initialresistance and allowance of legitimate traffic atpercentage of full DDOS more than other two firewalls.3) Firewall CPU Utilization at percentage of DDoS:Firewall CPU Utilization is one of the importantparameter under DDoS Attack. We have used 50% and75% of DDoS traffic as reference point for checking CPUUtilization. The higher the CPU Utilization on firewall, itwill take more time to process and forward packets andeventually more time to accept new requests. Ciscoshowed high processing power and eventually lower CPUutilization compared to its peers.similar as possible. There could be variation in firewallperformance on different make and model of hardware.V. FIREWALL PERFORMANCE IMPROVEMENTSAfter analysing firewall performance during DDoSattack, we suggest performance improvements by varyingsome of the parameters and by controlling state tableentries.A. Performance Improvement by tweaking TCP OpeningTimer during SYN Flood AttackMost of the times, intruder can perform DDoS attackeither as brute force or as logical attack. In brute forceDDoS attack, legitimate looking, but actually error datapackets are sent continuously targeting victim’s services.It will in turn reduce legitimate user bandwidth andresources and prevent access to the desirable service.Logical attack exploits a specific feature orimplementation bug of some protocol or applicationinstalled at the target machine in order to consume anexcess amount of its resources.All TCP communication is connection oriented. ATCP session must be established before hosts in theconnection exchange data. The three-way handshake isshown in Fig. 3. At first, the initial request isacknowledged, then the data is sent and after that, at lastthe data is acknowledged. Today, majority of DDoSattacks are performed using TCP and large portion ofthem are targeted to flooding attacks.4) Time for complete failure (unreachable) at full DDoS:None of the firewall proved being capable ofwithstanding DDoS for longer time. At full DDoS,eventually firewall became completely utilized and lostconnectivity. The only option left is to restart the systemto make it flush its state table entries and eventually startaccepting again. Checkpoint does outperform its peers towithstand DDoS for more time before crashing.5) Capacity limits (% of other traffic blocked exceptTCP): This parameter determines capability of firewall toprioritize traffic based on application intelligence. TheTCP Traffic (http/https) should be given priority toping/UDP traffic and this will help to prioritize legitimatetraffic. As expected, all three firewalls showedapplication intelligence and gave priority to TCP trafficthan ping and UDP during DDoS.D. ObservationsTo the best of author’s knowledge, none of thefirewalls used in our setup mentions anything aboutdiscussed DDoS performance parameters. The DDoSperformance test results obtained are specific toenvironment used in the setup. The best course of actionto test firewall performance is to replicate networkconditions as close as possible to the conditions thatactual firewall is supposed to experience. Hence, authorshave tried to keep firewall hardware configurations asCopyright 2013 MECSFigure 3: Normal TCP HandshakeAny system providing TCP-based network services ispotentially subject to this attack. In normal case, TCP 3way handshaking is performed. The attacker sends aflood of TCP/SYN packets, most of the times with a fakesender address. Each of these packets is handled like aconnection request, causing the server to issue a halfopen connection by sending back a TCP/SYN-ACKpacket and waiting for an TCP/ACK packet in responsefrom the sender address. However, because the senderaddress is fake, the response never comes. These halfopen connections consume resources on the server and asthe number increases, resources utilized increases to alevel that will limit the number of connections the serveris able to make. This will in turn reduce the server’sability to respond legitimate requests until the attack ends.I.J. Computer Network and Information Security, 2013, 12, 60-67

Performance Evaluation and Comparison of Network Firewalls under DDoS AttackThe result would be system crash and turning nonresponsive.As shown in Fig. 4, an attacker initiates a SYNflooding attack by sending many connection requestswith spoofed source addresses to the listener machine.That causes listener to allocate resources, and once thelimit of half-open connections is reached, it refuses allsuccessive connection establishment attempts.Figure 4: SYN Flood AttackThe basis of the SYN flooding attack lies in the designof the 3-way handshake that begins a TCP connection. Inthis handshake, the third packet verifies the initiator'sability to receive packets at the IP address it used as thesource in its initial request, or its return reachability.Experiments are carried out by tweaking TCP.openingtimer value from default 30 sec to 1 sec. Testing iscarried out in same setup as used earlier (Fig 2).OpenBSD PF firewall is chosen considering it being opensource and flexibility to change parameters from sourcecode.Different intensity of laboratory generated traffic isused to test performance. CPU Utilization is taken as keyperformance indicator along with firewall state table withhalf closed states. Below are the results obtained whichshows consistent improvement in CPU utilization offirewall hardware when we set the TCP.opening value as1 second during SYN Flood attack in which only SYNpackets are send for denial of service. ChangingTCP.opening value to 1 second might pose disadvantagethat firewall will not keep states more than 1 sec forestablished connection. However during DDoS, loweringthis value proves to be helpful in improving firewallperformance.TABLE IV. TEST RESULTS BY TWEAKING TCP TIMER INOPENBSD PF FIREWALLLaboratoryGeneratedTraffic HTTPconn./secTcp.opening 30 sNo. of halfCPUclosed States UtilizationCopyright 2013 MECSTcp.opening 1 sNo. of half CPUclosedUtilizaStatestion5K50 K100 K145 K1.3 M2.1 M25%59%89%654.7 K48 K93 K8%16%19%Results indicate that lowering the value of TCP timersfor stateful firewalls helps improving firewallperformance during DDoS Attack. In any setup, optimalvalue of timer should be chosen after taking intoconsideration web application and network environment.B. Performance Improvement by DDoS Identificationand Mitigation by controlling states in Firewall StateTableMost of the firewalls used today are statefulinspection firewalls. They perform the same function aspacket filter firewalls, but with the ability to keep track ofthe state of connections in addition to the packet filteringabilities. By dynamically keeping track of whether asession is being initiated, currently transmitting data (ineither direction), or being closed, the firewall can applystronger security to the transmission of data. A statefulinspection firewall is capable of understanding theopening, communication, and closing of sessions. Statefulinspection firewalls usually have a fail-close defaultconfiguration, meaning that they will not allow a packetto pass if they do not know how to handle the packet.Overall, stateful inspection firewalls give highperformance and provide more security features thanpacket filtering. Such features can provide extra controlof common and popular services. Stateful inspectionfirewalls support most (if not all) services transparently,just like packet filters, and there is no need to modifyclient configurations or add any extra software for themto work. However, during DDoS attack, keeping statetable entries results in exhaustion of firewall state tableand not able to accept any more states.Intelligence can be induced in firewall to identify hostswhich are source of DDoS. Keeping the same setup forOpenBSD PF firewall as used throughout the paper,authors have introduced below in the rules in OpenBSDPF Firewall –keep state (\ max 2000000, \ max-src-conn 10000, maxsrc-conn-rate 1000/10, overload DDOSTable )The above will only keep states in the firewall statetable which will satisfy specified conditions. Maximumstate in the state table is set to 2 million. Once it reaches,it will start discarding older state table entries. Also,particular host can have maximum of 10000 concurrentconnections or state table entries. This will ensureprotection against DoS attacks. Apart from that sourceconnection rate is kept as 1000 connections per 10seconds. If any host is making requests faster, then it willbe discarded and state table will be cleaned up. Also allsuch hosts who will meet this criterion will be furtherblocked and entries for that host will be made inDDoSTable. The maximum limits set are optimal forauthor’s laboratory setup and has proved to be effectivein mitigating laboratory generated DDoS in setup used.I.J. Computer Network and Information Security, 2013, 12, 60-67

66Performance Evaluation and Comparison of Network Firewalls under DDoS AttackThe parameters can be different for different setup andlive environment.VI. CONCLUSIONSSecurity flaws in most firewalls do not appear until thenetwork encounters a heavy load. Attacks can hide moreeasily within large amounts of traffic, potentially causingproblems right when network downtime is most harmful.Firewalls often exhibit different behaviours as theyencounter increasing loads. In the paper, we haveattempted to evaluate performance of major operationalfirewalls in the market today under DDoS attack. To thebest of author’s knowledge, most currently undertakenand reported research work on DDoS focus on otherparameters and firewall performance is not given dueimportance. We have attempted to compare performanceof various firewalls based on practical implementation.Test results w

DDoS attacks. If network firewalls are poorly designed to withstand DDoS attacks, the overall security of the protected network will be on high risk. Specifically, there is an increasing demand for analysing, modelling and simulating performance of network firewalls to predict how effective and efficient network firewall is under DDoS attacks .