Evaluating the effectiveness of firewall mitigation strategies against DDoS traffic in ns-3

Abstract

Firewalls are essential components for security enforcement in a network, as they are the first layer of protection from unwanted traffic and cyber-attacks [1]. This project will use the ns-3 network simulator to study the effect of a UDP-based distributed denial-of-service (DDoS) attack on legitimate network traffic and to evaluate the effectiveness of firewall-based mitigation [2]. A baseline network with normal UDP communication between clients and a server will first be simulated to measure standard performance metrics such as throughput, delay, and packet loss. A DDoS attack will then be introduced using multiple attacker nodes that send high-rate malicious UDP traffic toward the server, with the goal of degrading service availability. Finally, a traditional packet filtering firewall mechanism will be implemented to filter or block attack traffic. By comparing baseline, attack, and mitigated scenarios, the project will determine how severely the attack impacts normal UDP communication and how effectively a firewall can restore legitimate traffic performance, as well as the limitation of traditional packet filtering [3]. The analysis will also incorporate research on the performance of different firewall architectures, including Next-Generation Firewalls (NGFWs) and Distributed Firewalls [4 & 5].

References

[1] W. Koribeche, D. Espes, C. Morin, “UDP State Manipulation: Description of a Packet Filtering Vulnerability in Stateful Firewalls,” Foundations and Practice of Security, Apr. 2024, doi: https://doi.org/10.1007/978-3-031-57537-2_19

[2] C. Sheth, R. Thakker, “Performance Evaluation and Comparison of Network Firewalls under DDoS Attack,” I. J. Computer Network and Information Security, Dec. 2013, doi: https://doi.org/10.5815/ijcnis.2013.12.08

[3] H. Hamed, A. El-Atawy, E. Al-Shaer, “Adaptive Statistical Optimization Techniques for Firewall Packet Filtering,” School of Computer Science, DePaul University, Chicago, USA. n.d., Available: https://web.archive.org/web/20100610081958id_/http://www.mnlab.cs.depaul.edu/projects/Filtering/publications/infocom06-fwopt.pdf

[4] [4] G. Mamidisetti, C. V. S. Reddy, N. Singh, K. Rama Krishnaiah, B. Parvathi and R. Kulkarni, "Evaluating the Effectiveness of Firewalls to Prevent DDoS Attacks," 2025 2nd International Conference on New Frontiers in Communication, Automation, Management and Security (ICCAMS), Bangalore, India, 2025, doi: https://ieeexplore.ieee.org/document/11234056

[5] S. Ioannidis, A. D. Keromytis, S. M. Bellovin, J. M. Smith, “Implementing a Distributed Firewall,” Proceedings of the 7th ACM conference on Computer and Communications Security, doi: https://dl.acm.org/doi/10.1145/352600.353052