BlackNurse: The Ultimate DDoS attack method

This guest column is authored by Kanishk Tagade, Security Researcher and Digital Strategist, HaltDos

Businesses all over the world have suffered numerous high-profile cyber incidents over the past few months. Attacks on DNS providers Dyn & OVH and on several ISPs in Liberia showed us that even a single DDoS attack has the potential to bring any business to its knees.

Researchers found that more than 100,000 IoT devices (‘Mirai’ botnets), including DVR products, smart TVs, refrigerators and other smart household appliances, were used to launch this extremely large DDoS attack on Dyn. But who would have thought that less than 20Mbps of traffic could bring down a whole network?

Yes! The analysts at TDC-SOC-CERT (Security Operations Center of the Danish telecom operator TDC) found that a particular type of Internet Control Message Protocol (ICMP) flooding DDoS attack can disrupt network throughput using very little bandwidth. The analysts have dubbed this ICMP flooding method ‘BlackNurse’. They also report that with ‘BlackNurse’ an attacker can easily take down an entire organization’s network, causing a denial of service by targeting its well-known firewalls.

According to the analysts at TDC, it would take around 40k to 50k ICMP Type 3 Code 3 packets per second to overload a firewall. This is not a large number of packets, and the bandwidth required to generate them is 15Mbps to 18Mbps, which means that BlackNurse attacks can be launched from a single laptop. They also found that the BlackNurse attack can affect Cisco, SonicWall, Palo Alto and Zyxel firewalls.

“Based on our test, we know that a reasonable sized laptop can produce approx. a 180 Mbit/s DoS attack”, the analysts said.

In their report, the researchers wrote:

“The BlackNurse attack attracted our attention because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large Internet up-links and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack”.

According to the analysts, the BlackNurse attack works against the following products:
  • Cisco ASA 5506, 5515, 5525 (default settings)
  • Cisco ASA 5550 (legacy) and 5515-X (latest generation)
  • Cisco Router 897 (can be mitigated)
  • SonicWall (misconfiguration can be changed and mitigated)
  • Some unverified Palo Alto
  • Zyxel NWA3560-N (wireless attack from LAN side)
  • Zyxel Zywall USG50

How to Protect against the BlackNurse Attack?

TDC has published some mitigations and Snort IDS rules that can be used to detect BlackNurse attacks. In addition, proof-of-concept (PoC) code posted on GitHub by an OVH security engineer can be used by network admins to test their equipment against BlackNurse.

To mitigate BlackNurse attacks on firewalls and other equipment, TDC recommends that users put together a list of trusted sources for which ICMP is allowed. However, the most effective way to mitigate the attack is simply to disable ICMP Type 3 Code 3 on the WAN interface.
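
A per-second rate check for the ICMP Type 3 Code 3 traffic described above, as an added example (it is not TDC's Snort rules and not code from the original column). The 40,000 pps threshold is taken from the low end of TDC's figure; the function names and the sample addresses are assumptions constructed for illustration.

```python
import struct
from collections import Counter

ICMP_PROTO = 1
DEST_UNREACH, PORT_UNREACH = 3, 3   # ICMP Type 3 Code 3, the BlackNurse packet type
THRESHOLD_PPS = 40_000              # assumption: low end of TDC's 40k-50k pps figure


def is_type3_code3(pkt: bytes) -> bool:
    """True if pkt is a well-formed IPv4 packet carrying ICMP Type 3 Code 3."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4           # IPv4 header length; options may extend it
    if ihl < 20 or len(pkt) < ihl + 2 or pkt[9] != ICMP_PROTO:
        return False
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return False                    # non-first fragment: no ICMP header present
    return pkt[ihl] == DEST_UNREACH and pkt[ihl + 1] == PORT_UNREACH


def detect(packets, threshold=THRESHOLD_PPS):
    """packets: iterable of (timestamp_seconds, raw_ipv4_bytes).
    Returns {(second, dst_ip): count} for each one-second bucket at or over threshold."""
    buckets = Counter()
    for ts, pkt in packets:
        if is_type3_code3(pkt):
            dst = ".".join(str(b) for b in pkt[16:20])
            buckets[(int(ts), dst)] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}


def make_packet(src, dst, icmp_type, icmp_code):
    """Constructed sample packet bytes (checksums left zero; the detector ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ICMP_PROTO, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)


if __name__ == "__main__":
    # Constructed traffic using documentation addresses; threshold scaled down for the demo.
    burst = [(100.0 + i / 1000, make_packet("198.51.100.7", "203.0.113.1", 3, 3))
             for i in range(500)]
    pings = [(100.5, make_packet("198.51.100.9", "203.0.113.1", 8, 0))] * 50
    print(detect(burst + pings, threshold=400))
```

Counting per destination and per second keeps ordinary port-unreachable replies, which arrive at a trickle, from raising an alert, while a sustained rate near TDC's figure stands out even though its bandwidth is small.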
