Researchers warn that certain types of low-bandwidth distributed denial-of-service (DDoS) attacks can cause some widely used enterprise firewalls to enter a temporary DoS condition.
While analyzing DDoS attacks aimed at their customers, experts at the security operations center of Danish telecom operator TDC noticed that some attacks based on the Internet Control Message Protocol (ICMP) can cause serious disruptions even over low bandwidths.
ICMP attacks, also known as ping flood attacks, are highly common, but they typically rely on Type 8 Code 0 packets. The attacks that caught TDC’s attention are based on ICMP Type 3 Code 3 packets.
The attacks, dubbed by the company “BlackNurse,” can be highly effective even at bandwidths as low as 15-18 Mbps and they can cause disruptions to firewalls even if the victim has an Internet connection of 1 Gbps.
“The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops,” TDC explained in a report detailing BlackNurse attacks.
“We know that a small number (1 to many) of internet connections with uplink speed of around 15-18 Mbit/s can keep large companies or organisations under DoS / DDoS until they mitigate the attack,” it added.
Experts pointed out that this type of attack has been around for more than 20 years, but they believe organizations are not sufficiently aware of the risks. A scan of the Danish IP address space revealed that there were over 1.7 million devices responding to ICMP pings, which means these attacks can have a significant impact.
Researchers have so far confirmed that BlackNurse attacks work against Cisco ASA and SonicWall firewalls, but they likely also affect products from Palo Alto Networks and other vendors. The Iptables firewall utility for Linux, MikroTik products and OpenBSD are not affected.
While in some cases attacks might be possible due to a vulnerability in the firewall, some vendors blamed a configuration problem. Detection rules and proof-of-concept (PoC) code have been made available to allow users to identify attacks and test their equipment.
SecurityWeek has reached out to affected vendors, including Cisco, Palo Alto Networks and SonicWall, for comment.
SonicWall is listed in the affected products section on the BlackNurse website, with the mention that attacks are possible when the firewall is misconfigured. SonicWall told SecurityWeek that it has been in touch with TDC. The vendor’s testing showed that its firewalls are not vulnerable with normal ICMP flood protection on.
Cisco was notified about these attacks in June, but TDC said the company decided not to classify the issue as a security flaw. This suggests that the networking giant is also treating it as a configuration problem.
In the case of Cisco ASA firewalls, TDC recommends denying ICMP Type 3 messages sent to the product’s WAN interface or upgrading to higher-end ASA firewalls that have multiple CPU cores, as BlackNurse attacks are not as effective against these types of systems. Attacks can also be mitigated using professional anti-DDoS services.
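To make the traffic signature concrete, the following added example (not TDC's detection rules or PoC, and not from the original article) parses raw IPv4 packets and flags destinations receiving a sustained rate of ICMP Type 3 Code 3 messages, while ignoring ordinary Type 8 Code 0 pings. The threshold, function names and documentation-range addresses are assumptions chosen for illustration.

```python
import struct
from collections import defaultdict

# Assumed alert threshold (not from the article): Type 3 Code 3 packets per
# second toward a single destination. Tune against your own baseline.
THRESHOLD_PPS = 1000

def icmp_type_code(pkt: bytes):
    """Return (type, code) of an IPv4 ICMP packet, or None if not ICMP/truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 2:
        return None                           # protocol 1 = ICMP
    return pkt[ihl], pkt[ihl + 1]

def find_floods(records, threshold_pps=THRESHOLD_PPS):
    """records: iterable of (timestamp_seconds, raw_ipv4_packet).
    Returns {(dst_ip, second): count} for one-second buckets at/over threshold."""
    buckets = defaultdict(int)
    for ts, pkt in records:
        if icmp_type_code(pkt) == (3, 3):     # Destination/Port Unreachable
            dst = ".".join(str(b) for b in pkt[16:20])
            buckets[(dst, int(ts))] += 1
    return {k: n for k, n in buckets.items() if n >= threshold_pps}

def build_packet(src, dst, icmp_type, icmp_code, proto=1):
    """Constructed sample packet; checksums are zero because the parser ignores them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)

def sample_capture():
    """Constructed capture: one flooded firewall, one ping burst, one quiet host."""
    recs = [(100 + i / 1500, build_packet("203.0.113.5", "198.51.100.10", 3, 3)) for i in range(1500)]
    recs += [(100 + i / 1500, build_packet("203.0.113.6", "198.51.100.10", 8, 0)) for i in range(1500)]
    recs += [(100 + i / 10, build_packet("203.0.113.7", "198.51.100.20", 3, 3)) for i in range(10)]
    return recs

if __name__ == "__main__":
    for (dst, second), count in find_floods(sample_capture()).items():
        print(f"ALERT dst={dst} t={second}s icmp_type3_code3_pps={count}")
```
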
Updated with clarifications from SonicWall