TY - JOUR
T1 - Denial of Firewalling Attacks (DoF)
T2 - The Case Study of the Emerging BlackNurse Attack
AU - Trabelsi, Zouheir
AU - Zeidan, Safaa
AU - Hayawi, Kadhim
N1 - Funding Information:
This work was supported by UAE University UPAR, under Grant 31T080.
Publisher Copyright:
© 2013 IEEE.
PY - 2019
Y1 - 2019
N2 - Traditional Distributed Denial of Service (DDoS) attacks usually flood network targets with malicious traffic. Recently, new types of DDoS attacks have emerged that specifically target network security devices, mainly firewalls and intrusion prevention systems (IPS). In contrast to traditional DDoS attacks, these emerging attacks use a low volume of malicious traffic. This paper is concerned solely with an emerging denial of firewalling (DoF) attack, called the BlackNurse attack. The attack uses specially formatted ICMP error messages to overwhelm targeted firewalls' CPUs. This paper offers detailed insights into understanding DoF attacks and classifies them according to the targeted firewall resources, traffic volume, and attack effect. This paper also concentrates on the BlackNurse attack principles, practical attack generation, and its general effect on impacted firewalls and networks. The performance evaluations are conducted on commercial-grade firewalls, namely, Juniper NetScreen SSG 20 and Cisco ASA 5540. The pros and cons of the available attack mitigations are discussed. As an example, OS screening features on the Juniper NetScreen SSG 20 are used to test their effectiveness in thwarting the attack. Furthermore, this paper proposes a novel mechanism to defend against the BlackNurse attack using an early rejection rule with a dynamic activity time duration that depends on current and previous attack statistics and severity parameters. The evaluation is conducted to simulate the proposed mechanism's defense against novice and expert BlackNurse attackers.
AB - Traditional Distributed Denial of Service (DDoS) attacks usually flood network targets with malicious traffic. Recently, new types of DDoS attacks have emerged that specifically target network security devices, mainly firewalls and intrusion prevention systems (IPS). In contrast to traditional DDoS attacks, these emerging attacks use a low volume of malicious traffic. This paper is concerned solely with an emerging denial of firewalling (DoF) attack, called the BlackNurse attack. The attack uses specially formatted ICMP error messages to overwhelm targeted firewalls' CPUs. This paper offers detailed insights into understanding DoF attacks and classifies them according to the targeted firewall resources, traffic volume, and attack effect. This paper also concentrates on the BlackNurse attack principles, practical attack generation, and its general effect on impacted firewalls and networks. The performance evaluations are conducted on commercial-grade firewalls, namely, Juniper NetScreen SSG 20 and Cisco ASA 5540. The pros and cons of the available attack mitigations are discussed. As an example, OS screening features on the Juniper NetScreen SSG 20 are used to test their effectiveness in thwarting the attack. Furthermore, this paper proposes a novel mechanism to defend against the BlackNurse attack using an early rejection rule with a dynamic activity time duration that depends on current and previous attack statistics and severity parameters. The evaluation is conducted to simulate the proposed mechanism's defense against novice and expert BlackNurse attackers.
KW - BlackNurse attack
KW - DDoS attack
KW - DoF attack
KW - session table ICMP error messages
KW - stateful firewall
UR - http://www.scopus.com/inward/record.url?scp=85066859644&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85066859644&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2019.2915792
DO - 10.1109/ACCESS.2019.2915792
M3 - Article
AN - SCOPUS:85066859644
SN - 2169-3536
VL - 7
SP - 61596
EP - 61609
JO - IEEE Access
JF - IEEE Access
M1 - 8710298
ER -