BlackNurse: Low-volume DoS attack shuts down firewalls
Fri 11 Nov 2016
A new Denial of Service (DoS) attack, dubbed BlackNurse, is targeting vulnerable firewalls and routers from Cisco and Palo Alto Networks, among others, according to TDC Security researchers.
In a technical report, the security firm explained that the technique crashes the systems via low-volume Internet Control Message Protocol (ICMP) packets, or ‘pings’. Traditionally known as a ‘ping flood attack’, BlackNurse is based on ICMP Type 3 Code 3 requests which are typically returned to ping sources when the target’s destination port is ‘unreachable’.
While reminiscent of network attacks in the 1990s, TDC writes that the BlackNurse attacks should not be confused with ping flood attacks based on ICMP Type 8 Code 0 – regular ping traffic. Back when most people used dial-up internet connections, malicious actors were able to flood a target with pings and crash their connection.
Describing the BlackNurse attack, TDC explained that the hacker is able to cause a DoS state on the vulnerable equipment itself by overloading the CPU with operations, regardless of internet connection quality.
‘When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops,’ the report notes.
The BlackNurse traffic volume intensity lies at around 15 – 18 Mbits/s – punitive compared to the record-breaking 1.1 Tbps recorded during the cyberattack against French ISP OVH in September.
The low-volume technique remains effective as it is not flooding the firewall with traffic, but rather pushing high load onto the CPU. While many vendors protect against ICMP-based attacks, they do concede that blocking all ICMP types and codes by default is not an option as ‘something is likely to break down,’ according to TDC.
For example, Cisco warns: ‘We recommend that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic.’
To mitigate BlackNurse on firewalls and other equipment, TDC suggests configuring a list of trusted sources for which ICMP is allowed. Otherwise, the group also advises disabling ICMP Type 3 Code 3 on the WAN interface as the best form of mitigation.
N.B. One vendor (unnamed) removed from this article after testing showed that with normal ICMP flood protection, its firewall was not vulnerable.