BlackNurse Low-Volume DoS Attack Targets Firewalls

Researchers say BlackNurse attacks are low bandwidth (18Mbps) and can still knock offline many of today’s firewalls.

A type of denial of service attack relevant in the 1990s has resurfaced with surprising potency against modern-day firewalls. Dubbed a BlackNurse attack, the technique leverages a low-volume Internet Control Message Protocol (ICMP) -based attack on vulnerable firewalls made by Cisco, Palo Alto, SonicWall and others, according to researchers.

TDC Security Operations Center, a security firm that published a technical report (PDF) on BlackNurse this week, said the attack is more traditionally called a “ping flood attack.” In this type of assault, traffic volume doesn’t matter as much as the type of packets sent, researchers said.

According to TDC, BlackNurse is based on ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) requests. These are packet replies typically returned to ping sources indicating the destination port is “unreachable,” according to researchers.

In a description of BlackNurse, an attacker causes a Denial of Service (DoS) state by overloading the firewall’s host CPU. “When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet,” according to TDC.

It’s unclear why the ICMP Type 3 Code 3 requests overload firewall’s CPU. However, researchers at SANS Internet Storm Center believe it’s tied to firewall logging. It’s a theory bolstered by TDC’s own description of the impact of the attack.

“Firewall logging during the attack can increase the impact from the attack, which means that the firewall gets even more exhausted,” TDC wrote.

BlackNurse attacks are similar to, but not to be confused with, related ICMP Type 8 Code 0 attacks, also called a ping flood attack, according to TDC. “ICMP based attacks in general are a well-known attack type used by some DDoS attackers,” TDC wrote. Researchers explain:

“The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.”

Noteworthy, BlackNurse DoS attack volume intensity hovers between a paltry 15 to 18 Mbps (or 40 to 50K packets per second), according to researchers. That’s in stark contrast to the 1 Tbps DDoS attack recorded against DNS provider Dyn last month.

The low volume DDoS attack is effective because the goal is not to flood the firewall with useless traffic, but rather to drive high CPU loads. To that end many firewall vendors protect against ICMP-based attacks. But blocking all ICMP types and codes isn’t an option, for fear that something will likely to break down, TDC said.

In fact, security firm NetreseC points out in an analysis of BlackNurse that Cisco warns: “We recommend that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic.”

As for vulnerable firewalls, TDC singles out some Cisco ASA firewalls. According to a SANS Internet Storm Center report on BlackNurse, Cisco firewalls that are newer, larger and are multi-core appear to be fine. However, SonicWall and some Palo Alto firewalls appear to be vulnerable, according to Johannes Ullrich, dean of research at SANS Technology Institute and author of the SANS ISC post.

Cisco, SonicWall and Palo Alto were contacted for this report, but did not reply.

Testing for BlackNurse, suggests TDC, includes allowing ICMP on the WAN side of a firewall and conducting tests with the tool Hping3, a free packet generator and analyzer for the TCP/IP protocol. Detection includes adopting SNORT IDS/IPS rules to spot the attack, according TDC which outlines its own rules. Mitigation includes creating a “list of trusted sources for which ICMP is allowed and could be configured” and “disabling ICMP Type 3 Code 3 on the WAN interface,” TDC said.

Suggested articles