Experimental Evaluation of Cisco ASA-5510 Intrusion Prevention System against Denial of Service Attacks

Abstract

Cyber attacks continue to hamper the operation of Internet services despite the increased use of network security systems such as firewalls and intrusion prevention systems (IPS). The recent Denial of Service (DoS) attack launched on the Independence Day weekend of July 4th, 2009, to debilitate the US and South Korean governments' websites indicates that security systems may not have been adequately deployed to counteract such attacks. An IPS is a vital security device that is commonly used as a front-line defense mechanism against such DoS attacks. In many deployments, the performance of firewalls is seldom evaluated for effectiveness before a firewall or an IPS device is deployed for network protection. Often, these IPSs can become a bottleneck to network performance, and they may not be effective in stopping DoS attacks. In this paper, we intend to drive home the point that deploying an IPS may not always be effective in stopping the harmful effects of DoS attacks. It is important to evaluate the capability of an IPS before it is deployed to protect a network or a server against DoS attacks. We evaluate the performance of a commercial-grade IPS, the Cisco ASA-5510, to measure its effectiveness in stopping DoS attacks, namely TCP-SYN, UDP Flood, Ping Flood and ICMP Land attacks. This IPS comes with features to counteract and provide security against these attacks. The performance of the IPS is measured under these attacks with the protection features enabled and compared with its performance when these protection features were not available (i.e., disabled). It was found that the IPS was unable to provide satisfactory protection against these flooding attacks despite the availability of the protection features. It is important for network managers to measure the actual capabilities of an IPS before deploying it to protect critical information infrastructure.

Share and Cite:

S. Kumar and R. Sekhar Reddy Gade, "Experimental Evaluation of Cisco ASA-5510 Intrusion Prevention System against Denial of Service Attacks," Journal of Information Security, Vol. 3 No. 2, 2012, pp. 122-137. doi: 10.4236/jis.2012.32015.

Conflicts of Interest

The authors declare no conflicts of interest.

Copyright © 2024 by authors and Scientific Research Publishing Inc.

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.