Evaluating the effectiveness of firewall mitigation strategies against DDoS traffic in ns-3

Abstract

Firewalls are essential components for security enforcement in a network, as they are the first layer of protection from unwanted traffic and cyber-attacks [1]. This project uses the ns-3 network simulator to study the impact of a UDP-based distributed denial-of-service (DDoS) attack on legitimate network traffic and to evaluate the effectiveness of firewall-based mitigation [2]. A baseline network with normal UDP communication between a client and a server is first simulated to establish performance metrics such as packet delivery ratio (PDR), throughput, and average delay. A DDoS attack is then introduced using multiple attacker nodes that generate high-rate UDP traffic toward the victim server, degrading service availability. To mitigate this, a simplified traditional packet filtering firewall mechanism is implemented. By comparing baseline, attack, and mitigated scenarios, the project evaluates the impact of the attack on legitimate communication and the extent to which traffic filtering can restore performance [3]. The analysis also highlights the limitations of simplified filtering approaches and discusses how more advanced firewall architectures can provide enhanced protection [4 & 5].

References

[1] W. Koribeche, D. Espes, C. Morin, “UDP State Manipulation: Description of a Packet Filtering Vulnerability in Stateful Firewalls,” Foundations and Practice of Security, Apr. 2024, doi: https://doi.org/10.1007/978-3-031-57537-2_19

[2] C. Sheth, R. Thakker, “Performance Evaluation and Comparison of Network Firewalls under DDoS Attack,” I. J. Computer Network and Information Security, Dec. 2013, doi: https://doi.org/10.5815/ijcnis.2013.12.08

[3] H. Hamed, A. El-Atawy, E. Al-Shaer, “Adaptive Statistical Optimization Techniques for Firewall Packet Filtering,” School of Computer Science, DePaul University, Chicago, USA. n.d., Available: https://web.archive.org/web/20100610081958id_/http://www.mnlab.cs.depaul.edu/projects/Filtering/publications/infocom06-fwopt.pdf

[4] [4] G. Mamidisetti, C. V. S. Reddy, N. Singh, K. Rama Krishnaiah, B. Parvathi and R. Kulkarni, "Evaluating the Effectiveness of Firewalls to Prevent DDoS Attacks," 2025 2nd International Conference on New Frontiers in Communication, Automation, Management and Security (ICCAMS), Bangalore, India, 2025, doi: https://ieeexplore.ieee.org/document/11234056

[5] S. Ioannidis, A. D. Keromytis, S. M. Bellovin, J. M. Smith, “Implementing a Distributed Firewall,” Proceedings of the 7th ACM conference on Computer and Communications Security, doi: https://dl.acm.org/doi/10.1145/352600.353052