“BlackNurse” could turn lone attackers with modest resources into Internet bullies.
Researchers said they have discovered a simple way lone attackers with limited resources can knock large servers offline when they’re protected by certain firewalls made by Cisco Systems and other manufacturers.
The denial-of-service technique requires volumes of as little as 15 megabits, or about 40,000 packets per second, to sever the Internet connection of vulnerable servers. The requirements are in stark contrast to recent attacks targeting domain name service provider Dyn and earlier security site KrebsOnSecurity and French Web host OVH. Those assaults bombarded sites with volumes approaching or exceeding 1 terabit per second. Researchers from Denmark-based TDC Security Operations Center have dubbed the new attack technique BlackNurse.
In a blog post published Wednesday, the researchers wrote:
The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.
BlackNurse harnesses data based on the Internet Control Message Protocol, which routers and other networking devices use to send and receive error messages. By sending a special type of ICMP packets—specifically Type 3 ICMP packets with a code of 3—attackers can quickly strain the CPUs of certain types of server firewalls. After reaching a threshold of 15 mbps to 18 mbps, the targeted firewalls drop so many packets that the server behind the device effectively drops off the Internet. The researchers devised an attack that required only a single laptop to deliver BlackNurse volumes of 180 mbps.
The TDC Security researchers wrote:
It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the [local area network] site will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.
Over the past two years, the researchers reported, they have seen more than 95 ICMP attacks target customers inside the TDC network. The report didn’t say if the ICMP attacks were based on BlackNurse or a previously known ICMP attack that delivers Type 8 packets with a code of 0.
According to researchers from Netresec, a security firm that collaborated with TDC Security on the research, the attack works against firewalls from Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel. The specific models and many more details are available in this blog post from Thursday. Palo Alto Networks has issued its own advisory that reports company devices are only vulnerable in “very specific, non-default scenarios that contravene best practices.”
Cisco, meanwhile, has reportedly said it doesn’t consider the reported behavior to be a security issue, although the company hasn’t said why. The networking giant might be aware of mitigations or limitations not reported by either TDC Security or Netresec. The Sans Institute has its own brief write-up of the attack here.