Defending Against Black Nurse Dos Attacks
White Paper
Juniper Networks vSRX Virtual Firewall vs. the Competition

Table of Contents
Executive Summary ........ 3
Introduction ........ 3
Three Multivector Attack DoS Methods ........ 3
High-Volume-Based Network ICMP Attack ........ 3
A New Low-Bandwidth ICMP Attack: Black Nurse ........ 4
How a Black Nurse Attack Works ........ 4
Protection in the Architecture ........ 4
    Firewall Filters ........ 4
    Screens ........ 4
Firewall Vendor Exposure to Black Nurse ........ 5
Test Results ........ 5
    Firewall Performance ........ 6
    SRX Series Mitigation Performance ........ 7
Test Summary ........ 7
SRX Series Firewall Advantage ........ 7
Conclusion ........ 7
Appendix A: Black Nurse Test Plan ........ 8
Appendix B: Junos OS Configuration on SRX Series Firewalls ........ 11

©2017, Juniper Networks, Inc.

Executive Summary

Denial-of-service (DoS) attacks are a popular way to cause targeted service disruptions, typically for extended periods of time. The relative ease and low cost of launching such attacks, aided by a serious lack of any viable defense mechanisms, have made them one of the most common threats on the Internet.
In the past, Internet Control Message Protocol (ICMP)-based DoS attacks have used many botnet-infected hosts to launch an overwhelming distributed DoS (DDoS) attack that takes down major Web servers or perimeter firewalls. Now, researchers have discovered a new attack technique, called “Black Nurse,” that enables a single computer generating only 15 Mbps of traffic to take down major network firewalls. This technique launches low-volume DoS attacks by sending specially formatted ICMP packets that overwhelm the processors on targeted firewalls, shutting them down. This white paper takes a detailed look at how Juniper Networks® SRX Series Services Gateways, as well as firewalls from other industry leaders, recently performed while under a Black Nurse DoS cyberattack.

Introduction

Although DoS attacks date back to the early days of the Internet, they remain one of the most disruptive and damaging assaults waged against networks and applications around the world. New security vulnerabilities are constantly being discovered in common IT infrastructure products, and new attack methods are quickly developed to exploit these weaknesses, increasing the opportunities to compromise corporate infrastructure. Organizations must be diligent, continuously monitoring common network and server infrastructure products to identify and fix known vulnerabilities.

The Black Nurse cyberattack is an exploit-based attack that targets vulnerabilities in some of the industry’s firewall operating systems. This means a number of organizations are potential victims, susceptible to the type of service disruptions that can affect business continuity and negatively impact customer perceptions.

Three Multivector Attack DoS Methods

Cyberattackers deploy multivector campaigns that target all layers of the IT infrastructure, including the network, server, and application layers. The tools required to launch such attacks are readily available and easily obtained.
Attackers seek to exploit flaws in the software, network, and application layers of the IT infrastructure. In general, these campaigns can be broken into three basic categories:

• Volume-Based Infrastructure Attacks: In a volume-based infrastructure attack, cyberattackers overwhelm the IT infrastructure by flooding resources with traffic, degrading access to unacceptable levels. These attacks coordinate thousands of compromised hosts, triggering them to launch a wave of SYN, UDP, and ICMP requests against the targeted device or network and exploiting inherent weaknesses in the protocols, such as TCP and HTTP, that are fundamental to the operation of the Internet. These sustained distributed DoS, or DDoS, attacks generate voluminous amounts of traffic, consuming bandwidth and buffer space on routers in the attack path or CPU and memory resources on the targeted server, preventing further processing of user requests.

• Application Attacks: Application attacks focus on specific vulnerabilities in applications running on a host server. A buffer overflow, one of the most common kinds of application attack, sends excessive data to an application, either bringing the application down or causing the data being sent to be executed on the host server. Sometimes the excess data simply crashes a vulnerable system; at worst, an attacker can execute specific code on the remote system, because sending too much data to the application overwrites the data that controls the program, and the attacker’s code runs instead.

• Network Infrastructure Vulnerability Attacks: This attack vector enables attackers to exploit vulnerabilities in the operating systems of routers, switches, and firewalls. Each common network infrastructure product—routers, switches, and firewalls—has inherent vulnerabilities in each new software release, exposing it to attack and placing the entire IT infrastructure at risk.
It takes just one compromised component to threaten the entire enterprise.

The impact of DoS attacks can vary widely. Users trying to access internal resources such as intranet pages can be faced with slow Web performance, which directly impedes productivity. For public cloud providers, who are frequent targets, a DoS attack can trigger costly SLA credits and tarnish their brand reputation, leading to poor customer perception, increased IT costs, and potential litigation.

High-Volume-Based Network ICMP Attack

In the past, DDoS attacks were volume-based infrastructure attacks that used large volumes of network traffic—typically SYN, UDP, or ICMP packets—to flood a connection, overwhelming network resources and effectively denying service to users. With these kinds of attacks, thousands of computers unknowingly infected with malware (such as Trojan horses or self-propagating worms) act on behalf of the attacker, launching coordinated attacks against the victim’s website or IT infrastructure. Since the incoming attack traffic comes from literally thousands of sources, the attack cannot be thwarted by simply blocking a single IP address.

A
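The two ICMP attack shapes contrasted above, a high-volume flood from thousands of sources versus a single host at modest bandwidth, look very different in flow telemetry, and telling them apart decides the response (upstream rate limiting and scrubbing versus blocking one sender and rate-limiting a specific ICMP type at the firewall filter). The following detector is an added illustration written for this page, not Juniper's code and not part of the white paper; it classifies one observation window of ICMP packet records into those patterns. The thresholds are assumptions chosen for the example, and the sample traffic is constructed, not captured. The excerpt above does not say which ICMP type and code Black Nurse uses; the public Black Nurse advisory names Destination Unreachable / Port Unreachable (type 3, code 3), so that value is carried as a parameter to be set from the vendor advisory rather than asserted here.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class IcmpRecord(NamedTuple):
    """One ICMP packet as a flow or packet-capture summary would report it."""
    ts: float        # seconds from the start of the observation window
    src: str         # source IPv4 address
    icmp_type: int
    icmp_code: int
    length: int      # bytes on the wire


# Thresholds are assumptions chosen for this illustration, not Juniper's numbers;
# tune them to the device's measured control-plane capacity.
SINGLE_SOURCE_PPS = 1000     # one sender above this rate is an ICMP flood
AGGREGATE_PPS = 5000         # total ICMP above this rate is a volumetric flood
MIN_SOURCES_FOR_DDOS = 50    # enough senders that blocking one address is pointless
# ICMP type/code to watch for the Black Nurse pattern. The public Black Nurse
# advisory names Destination Unreachable / Port Unreachable (type 3, code 3);
# set this from the vendor advisory rather than trusting the constant here.
WATCH_TYPE_CODE = (3, 3)


def window_stats(records: List[IcmpRecord], window_s: float) -> Dict:
    """Aggregate rates for one window: sources, total pps, Mbps, busiest sender."""
    per_src = Counter(r.src for r in records)
    per_src_tc = Counter((r.src, (r.icmp_type, r.icmp_code)) for r in records)
    total_bytes = sum(r.length for r in records)
    top_key, top_count = max(per_src_tc.items(), key=lambda kv: kv[1],
                             default=((None, None), 0))
    return {
        "sources": len(per_src),
        "total_pps": len(records) / window_s,
        "mbps": total_bytes * 8 / window_s / 1e6,
        "top_src": top_key[0],
        "top_type_code": top_key[1],
        "top_pps": top_count / window_s,   # busiest (source, type/code) pair
    }


def classify(records: List[IcmpRecord], window_s: float = 1.0) -> Tuple[str, Dict]:
    """Return a verdict for the window plus the statistics it was based on."""
    st = window_stats(records, window_s)
    if st["total_pps"] >= AGGREGATE_PPS and st["sources"] >= MIN_SOURCES_FOR_DDOS:
        verdict = "volumetric-ddos"            # many senders: rate-limit ICMP, scrub upstream
    elif st["top_pps"] >= SINGLE_SOURCE_PPS and st["top_type_code"] == WATCH_TYPE_CODE:
        verdict = "black-nurse-pattern"        # one sender, one type/code, modest bandwidth
    elif st["top_pps"] >= SINGLE_SOURCE_PPS:
        verdict = "single-source-icmp-flood"   # one sender: block it, rate-limit ICMP to the CPU
    else:
        verdict = "normal"
    return verdict, st


# --- constructed sample traffic (not captured data) ---------------------------

def constructed_volumetric(n_sources: int = 200, per_source: int = 30) -> List[IcmpRecord]:
    """200 senders x 30 echo requests in one second: 6000 pps total, only 30 pps each."""
    return [IcmpRecord(k / per_source, f"198.51.100.{s}", 8, 0, 64)
            for s in range(n_sources) for k in range(per_source)]


def constructed_black_nurse(pps: int = 2000) -> List[IcmpRecord]:
    """One sender, the watched type/code at 2000 pps: about 1.1 Mbps of 70-byte packets."""
    return [IcmpRecord(k / pps, "203.0.113.7", WATCH_TYPE_CODE[0], WATCH_TYPE_CODE[1], 70)
            for k in range(pps)]


def constructed_normal() -> List[IcmpRecord]:
    """A handful of echo requests from five hosts: ordinary monitoring traffic."""
    return [IcmpRecord(k / 3, f"192.0.2.{s}", 8, 0, 64)
            for s in range(1, 6) for k in range(3)]


if __name__ == "__main__":
    for name, sample in (("volumetric", constructed_volumetric()),
                         ("black-nurse", constructed_black_nurse()),
                         ("normal", constructed_normal())):
        verdict, st = classify(sample)
        print(f"{name:12s} -> {verdict:26s} sources={st['sources']:4d} "
              f"total={st['total_pps']:6.0f} pps top={st['top_pps']:5.0f} pps "
              f"{st['mbps']:.2f} Mbps")
```

The point of keying the single-source branch on the busiest (source, type/code) pair rather than on bandwidth is that the low-volume case never trips a bits-per-second alarm: the constructed Black Nurse window is about 1 Mbps, well under the volumetric sample, yet its packet rate from one address and one ICMP type is what exhausts a firewall's packet-processing CPU. Feeding the classifier from real flow records (NetFlow/IPFIX or a capture summary) only requires producing IcmpRecord tuples per window.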