Researchers at TDC Security Operations Center have discovered a new attack technique that lone attackers with limited resources (in this case, a laptop and at least 15Mbps of bandwidth) can use to knock large servers offline.
Dubbed a BlackNurse attack or the low-rate "Ping of Death" attack, the technique can be used to launch several low-volume DoS attacks by sending specially formed Internet Control Message Protocol (ICMP) packets, or 'pings' that overwhelm the processors on server protected by firewalls from Cisco, Palo Alto Networks, among others.
ICMP is a protocol used by routers and other networking devices to send and receive error messages.
According to a technical report [PDF] published this week, the BlackNurse attack is more traditionally known as a "ping flood attack" and is based on ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) requests.
These requests are packet replies typically returned to ping sources when the destination port of a target is 'unreachable.'
Here's How the BlackNurse attack Works:
By sending a Type 3 ICMP packets with a code of 3, a hacker can cause a Denial of Service (DoS) state by overloading the CPUs of certain types of server firewalls, regardless of the quality of internet connection.
The BlackNurse traffic volume is very small, ranging from 15 Mbps to 18 Mbps (or about 40,000 to 50,000 packets per second), which is laughable compared to record-breaking 1.1 Tbps DDoS attack recorded against French Internet service provider OVH in September.
However, TDC explained this was not the problem, as the major issue is a steady stream of 40K to 50K ICMP packets that reach the victim's network equipment and keep crashing the target device.
The good news? The researcher said, "When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we've have seen recover when the attack stops."
In other words, this low-volume DoS technique remains effective because it is not flooding the firewall with traffic, but rather it is pushing high load onto the CPU, effectively knocking servers offline even if they've tons of network capacity.
Researchers said BlackNurse should not be confused with 'ping flood attacks based on ICMP Type 8 Code 0' – regular ping traffic. Researchers explain:
"The BlackNurse attack attracted our attention because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers' operations down."
"This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack."
Products Affected
The BlackNurse attack works against the following products:
- Cisco ASA 5506, 5515, 5525 (default settings)
- Cisco ASA 5550 (legacy) and 5515-X (latest generation)
- Cisco Router 897 (can be mitigated)
- SonicWall (misconfiguration can be changed and mitigated)
- Some unverified Palo Alto
- Zyxel NWA3560-N (wireless attack from LAN side)
- Zyxel Zywall USG50
How to Mitigate the BlackNurse Attack?
The good news? There are ways to fight back the BlackNurse attacks.
TDC suggested some mitigations and SNORT IDS rules that could be used to detect BlackNurse attacks. Moreover, proof-of-concept (PoC) code posted by an OVH security engineer on GitHub can also be used by network admins to test their equipment against BlackNurse.
In order to mitigate the BlackNurse attacks on firewalls and other equipment, TDC recommended users to configure a list of trusted sources for which ICMP is allowed. However, the best way to mitigate the attack is to simply disable ICMP Type 3 Code 3 on the WAN interface.
Palo Alto Networks has also issued an advisory, saying that its devices are only affected in "very specific, non-default scenarios that contravene best practices." The company also lists some recommendations for its customers.
Meanwhile, Cisco said it does not consider the reported behavior to be a security issue, warning:
"We recommend that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic."Moreover, independent software vendor NETRESEC also published a detailed analysis of BlackNurse in its post titled, "The 90's called and wanted their ICMP flood attack back."
Besides all these, the Sans Institute has also issued its own brief write-up on the BlackNurse attack, discussing the attack and what users should do in order to mitigate it.
