BlackNurse Low-Volume DoS Attack Targets Firewalls

A type of denial of service attack relevant in the 1990s has resurfaced with surprising potency against modern-day firewalls. Dubbed a BlackNurse attack, the technique leverages a low-volume Internet Control Message Protocol (ICMP) -based attack on vulnerable firewalls made by Cisco, Palo Alto, SonicWall and others, according to researchers.
TDC Security Operations Center, a security firm that published a technical report (PDF) on BlackNurse this week, said the attack is more traditionally called a “ping flood attack.” In this type of assault, traffic volume doesn’t matter as much as the type of packets sent, researchers said.
Related Posts
According to TDC, BlackNurse is based on ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) requests. These are packet replies typically returned to ping sources indicating the destination port is “unreachable,” according to researchers.
In a description of BlackNurse, an attacker causes a Denial of Service (DoS) state by overloading the firewall’s host CPU. “When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet,” according to TDC.
It’s unclear why the ICMP Type 3 Code 3 requests overload firewall’s CPU. However, researchers at SANS Internet Storm Center believe it’s tied to firewall logging. It’s a theory bolstered by TDC’s own description of the impact of the attack.
“Firewall logging during the attack can increase the impact from the attack, which means that the firewall gets even more exhausted,” TDC wrote.
BlackNurse attacks are similar to, but not to be confused with, related ICMP Type 8 Code 0 attacks, also called a ping flood attack, according to TDC. “ICMP based attacks in general are a well-known attack type used by some DDoS attackers,” TDC wrote. Researchers explain:
针对新技术,新应用,信息安全管理人员无疑要有前瞻性的眼光,并且紧紧跟进,要适应业务的灵活性和动态性。
“The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.”
Noteworthy, BlackNurse DoS attack volume intensity hovers between a paltry 15 to 18 Mbps (or 40 to 50K packets per second), according to researchers. That’s in stark contrast to the 1 Tbps DDoS attack recorded against DNS provider Dyn last month.
The low volume DDoS attack is effective because the goal is not to flood the firewall with useless traffic, but rather to drive high CPU loads. To that end many firewall vendors protect against ICMP-based attacks. But blocking all ICMP types and codes isn’t an option, for fear that something will likely to break down, TDC said.

In fact, security firm NetreseC points out in an analysis of BlackNurse that Cisco warns: “We recommend that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic.”
As for vulnerable firewalls, TDC singles out some Cisco ASA firewalls. According to a SANS Internet Storm Center report on BlackNurse, Cisco firewalls that are newer, larger and are multi-core appear to be fine. However, SonicWall and some Palo Alto firewalls appear to be vulnerable, according to Johannes Ullrich, dean of research at SANS Technology Institute and author of the SANS ISC post.
Cisco, SonicWall and Palo Alto were contacted for this report, but did not reply.
南京化纤(600889)历史资金流向一览
Testing for BlackNurse, suggests TDC, includes allowing ICMP on the WAN side of a firewall and conducting tests with the tool Hping3, a free packet generator and analyzer for the TCP/IP protocol. Detection includes adopting SNORT IDS/IPS rules to spot the attack, according TDC which outlines its own rules. Mitigation includes creating a “list of trusted sources for which ICMP is allowed and could be configured” and “disabling ICMP Type 3 Code 3 on the WAN interface,” TDC said.
提升信息安全保障工作,在洽谈使用厂家的产品或服务时,别忘了提出系统的使用、操作和维护人员的技能培训需求。

猜您喜欢

信息系统安全
网络安全公益短片个人信息保护实战
网络安全宣传之电信诈骗防范
名震一时!百年来罕见的12大考古发现
PRINTCOUNTRY NET10PAYMENT
商务差旅人士需具备基本的数据安全战略防范能力