Low-Bandwidth "BlackNurse" DDoS Attacks Can Disrupt Firewalls

Researchers warn that certain types of low bandwidth distributed denial-of-service (DDoS) attacks can cause some widely used enterprise firewalls to enter a temporary DoS condition.
While analyzing DDoS attacks aimed at their customers, experts at the security operations center of Danish telecom operator TDC noticed that some attacks based on the Internet Control Message Protocol (ICMP) can cause serious disruptions even over low bandwidths.
ICMP attacks, also known as ping floods, are very common, but they typically rely on Type 8 Code 0 (echo request) packets. The attacks that caught TDC’s attention are instead based on ICMP Type 3 Code 3 (destination unreachable, port unreachable) packets.
The attacks, which the company dubbed “BlackNurse,” can be highly effective at bandwidths as low as 15-18 Mbps, and they can disrupt firewalls even when the victim has a 1 Gbps Internet connection.
“The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops,” TDC explained in a report detailing BlackNurse attacks.
“We know that a small number (1 to many) of internet connections with uplink speed of around 15-18 Mbit/s can keep large companies or organisations under DoS / DDoS until they mitigate the attack,” it added.

Experts pointed out that this type of attack has been around for more than 20 years, but they believe organizations are not sufficiently aware of the risks. A scan of the Danish IP address space revealed that there were over 1.7 million devices responding to ICMP pings, which means these attacks can have a significant impact.
Researchers have so far confirmed that BlackNurse attacks work against Cisco ASA and SonicWall firewalls, but they likely also affect products from Palo Alto Networks and other vendors. The Iptables firewall utility for Linux, MikroTik products and OpenBSD are not affected.
While in some cases attacks might be possible due to a vulnerability in the firewall, some vendors blamed a configuration problem. Detection rules and proof-of-concept (PoC) code have been made available to allow users to identify attacks and test their equipment.
SecurityWeek has reached out to affected vendors, including Cisco, Palo Alto Networks and SonicWall, for comment.
SonicWall is listed in the affected products section on the BlackNurse website, with the mention that attacks are possible when the firewall is misconfigured. SonicWall told SecurityWeek that it has been in touch with TDC. The vendor’s testing showed that its firewalls are not vulnerable with normal ICMP flood protection on.
Cisco was notified about these attacks in June, but TDC said the company decided not to classify the issue as a security flaw. This suggests that the networking giant is also treating it as a configuration problem.
In the case of Cisco ASA firewalls, TDC recommends denying ICMP Type 3 messages sent to the product’s WAN interface, or upgrading to higher-end ASA models with multiple CPU cores, since BlackNurse attacks are less effective against those systems. Attacks can also be mitigated using professional anti-DDoS services.
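The detection rules mentioned above are not reproduced in the article, so the following is an added example (not TDC's code or any vendor's) of the kind of logic a defender would run over a packet capture at the WAN edge: it parses raw IPv4/ICMP frames, singles out the ICMP Type 3 Code 3 packets the article describes, and raises an alert when the per-source rate of such packets in a one-second window exceeds a threshold. The packets, addresses and the threshold of 20 packets per second are all constructed for the example; a real threshold would be tuned to the normal rate of port-unreachable messages on the link.

```python
"""Detect BlackNurse-style floods of ICMP Type 3 Code 3 (port unreachable) packets.

Added example: parses raw IPv4 + ICMP bytes and alerts when one source sends
more Type 3 Code 3 packets per second than a threshold. All sample packets and
addresses below are constructed for the demonstration.
"""
import struct
from collections import Counter, defaultdict

ICMP_PROTO = 1
ICMP_DEST_UNREACH = 3   # ICMP Type 3: destination unreachable
ICMP_PORT_UNREACH = 3   # Code 3 under Type 3: port unreachable
ICMP_ECHO_REQUEST = 8   # Type 8: the classic "ping" packet


def build_icmp_packet(src, dst, icmp_type, icmp_code, payload=b"\x00" * 28):
    """Build a minimal IPv4 + ICMP packet (constructed input, checksums left zero)."""
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + payload
    total_len = 20 + len(icmp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, ICMP_PROTO, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return ip + icmp


def parse_icmp(pkt):
    """Return (src_ip, icmp_type, icmp_code), or None if pkt is not IPv4/ICMP."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != ICMP_PROTO or len(pkt) < ihl + 4:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return src, pkt[ihl], pkt[ihl + 1]


def is_port_unreachable(pkt):
    """True for the ICMP Type 3 Code 3 packets used in BlackNurse attacks."""
    parsed = parse_icmp(pkt)
    return (parsed is not None
            and parsed[1] == ICMP_DEST_UNREACH
            and parsed[2] == ICMP_PORT_UNREACH)


def detect_flood(timed_packets, threshold_pps):
    """timed_packets: iterable of (timestamp_seconds, raw_packet).

    Counts Type 3 Code 3 packets per (1-second window, source IP) and returns
    a sorted list of (window_start, src_ip, count) for every pair above the
    threshold. Packets of other ICMP types are ignored on purpose.
    """
    counts = defaultdict(Counter)
    for ts, pkt in timed_packets:
        if is_port_unreachable(pkt):
            counts[int(ts)][parse_icmp(pkt)[0]] += 1
    alerts = []
    for window in sorted(counts):
        for src, n in sorted(counts[window].items()):
            if n > threshold_pps:
                alerts.append((window, src, n))
    return alerts


def sample_capture():
    """Constructed capture: one noisy source plus normal background traffic."""
    victim = "192.0.2.1"
    pkts = []
    # 50 port-unreachable packets from one source inside the first second
    for i in range(50):
        pkts.append((i * 0.018, build_icmp_packet("203.0.113.7", victim, 3, 3)))
    # ordinary pings from another host, which must not trigger an alert
    for i in range(5):
        pkts.append((i * 0.1, build_icmp_packet("198.51.100.2", victim, 8, 0)))
    # a couple of legitimate port-unreachable replies, well under the threshold
    pkts.append((0.5, build_icmp_packet("198.51.100.2", victim, 3, 3)))
    pkts.append((0.6, build_icmp_packet("198.51.100.2", victim, 3, 3)))
    return pkts


def sample_alerts(threshold_pps=20):
    return detect_flood(sample_capture(), threshold_pps)


if __name__ == "__main__":
    for window, src, n in sample_alerts():
        print(f"t={window}s src={src} icmp_type3_code3={n} pkt/s")
```

Run as a script, the example flags only the source that sends 50 port-unreachable packets within one second; the host that sends ordinary echo requests and two genuine port-unreachable replies stays below the threshold. The same per-source counting maps directly onto a firewall or IDS rate-limit rule, which is the shape of mitigation TDC recommends for the ASA WAN interface.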
Updated with clarifications from SonicWall