Pierluigi Paganini November 13, 2016

BlackNurse attack allows to power massive DDoS attacks that are able to knock large servers offline with limited resources.

Researchers discovered a simple method, called BlackNurse attack, to power massive DDoS attacks that could allow lone attackers to knock large servers offline with limited resources.

“This attack is not based on pure flooding of the internet connection, and we have named it ‘BlackNurse’. BlackNurse is not the same as an old ICMP flood attack which is known to send ICMP requests to the target very quickly. BlackNurse is based on ICMP with Type 3 Code 3 packets. ” reads the analysis published by the researchers.

The BlackNurse attack was devised by researchers from Danish TDC Security Operations Center, it could be effective against servers protected by certain firewalls made by Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel.

“The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.” continues the report.

The BlackNurse attack leverages on the ICMP with Type 3 Code 3 packets that are used by routers and networking equipment to send and receive error messages.

By sending this specific type of ICMP packets attackers can overload the CPUs of certain types of server firewalls.

The researchers noticed that after reaching a threshold of 15 Mbps to 18 Mbps, the network devices drop so many packets that the server will go offline.

The researchers from the TDC SOC explained that the BlackNurse attack could allow a lone attacker with a single laptop to power DDoS attacks peaking of 180 Mbps.

“It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the [local area network] site will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.” reads the analysis of the TDC SOC.

The experts confirmed that in the last two years other 95 DDoS attacks leveraging on the ICMP protocol targeted customers inside the TDC network, but it is not specified how many of them are BlackNurse attacks.

Experts from Netresec who supported the TDC network in the analysis confirmed that attack works against several models of firewalls from major vendors, including Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel.

Devices verified by TDC to be vulnerable to the BlackNurse attack:

• Cisco ASA 5506, 5515, 5525 (default settings)
• Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
• Cisco Router 897 (unless rate-limited)
• Palo Alto (unverified)
• SonicWall (if misconfigured)
• Zyxel NWA3560-N (wireless attack from LAN Side)
• Zyxel Zywall USG50

The researchers at Netresec.com published a detailed analysis of the BlackNurse attack.

Palo Alto Networks has issued a specific advisory to address this specific DDoS attack.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – BlackNurse attack, DDoS)