• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • BlackNurse attack, how to knock big servers offline with a laptop

BlackNurse attack, how to knock big servers offline with a laptop

Pierluigi Paganini November 13, 2016

BlackNurse attack allows to power massive DDoS attacks that are able to knock large servers offline with limited resources.

Researchers discovered a simple method, called BlackNurse attack, to power massive DDoS attacks that could allow lone attackers to knock large servers offline with limited resources.

“This attack is not based on pure flooding of the internet connection, and we have named it ‘BlackNurse’. BlackNurse is not the same as an old ICMP flood attack which is known to send ICMP requests to the target very quickly. BlackNurse is based on ICMP with Type 3 Code 3 packets. ” reads the analysis published by the researchers.

BlackNurse attack DDoS

The BlackNurse attack was devised by researchers from Danish TDC Security Operations Center, it could be effective against servers protected by certain firewalls made by Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel.

“The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.” continues the report.

The BlackNurse attack leverages on the ICMP with Type 3 Code 3 packets that are used by routers and networking equipment to send and receive error messages.

By sending this specific type of ICMP packets attackers can overload the CPUs of certain types of server firewalls.

The researchers noticed that after reaching a threshold of 15 Mbps to 18 Mbps, the network devices drop so many packets that the server will go offline.

The researchers from the TDC SOC explained that the BlackNurse attack could allow a lone attacker with a single laptop to power DDoS attacks peaking of 180 Mbps.

“It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the [local area network] site will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.” reads the analysis of the TDC SOC.

The experts confirmed that in the last two years other 95 DDoS attacks leveraging on the ICMP protocol targeted customers inside the TDC network, but it is not specified how many of them are BlackNurse attacks.

Experts from Netresec who supported the TDC network in the analysis confirmed that attack works against several models of firewalls from major vendors, including Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel.

Devices verified by TDC to be vulnerable to the BlackNurse attack:

  • Cisco ASA 5506, 5515, 5525 (default settings)
  • Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
  • Cisco Router 897 (unless rate-limited)
  • Palo Alto (unverified)
  • SonicWall (if misconfigured)
  • Zyxel NWA3560-N (wireless attack from LAN Side)
  • Zyxel Zywall USG50

The researchers at Netresec.com published a detailed analysis of the BlackNurse attack.

Palo Alto Networks has issued a specific advisory to address this specific DDoS attack.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – BlackNurse attack, DDoS)


facebook linkedin twitter

BlackNurse attack Cybercrime DDoS Hacking ICMP

you might also like

Pierluigi Paganini July 27, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55
Read more
Pierluigi Paganini July 27, 2025
Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

    Malware / July 27, 2025

    Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 27, 2025

    Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

    Cyber Crime / July 26, 2025

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT