Computer security researchers have stated that the low-bandwidth BlackNurse DDOS attack can cause seriously disrupt the operations of enterprise firewalls used by big companies and individual users.
The BlackNurse Attack Is Considered As Very Dangerous
Computer security researchers have a detailed analysis of the BlackNurse DDOS attack that has targeted many customers. One of the most notable attacks was the danish Telecom operator TDC. The malware code is known as a low bandwidth type that can cause serious disruptions by launching specific ICMP attacks (also known known as ping attacks) that cause floods. Instead of relying on the traditional Type 8 Code 0 packets BlackNurse uses ICMP Type 3 Code 3 packets which appears to be the reason why this is an effective approach. This is a non-standard approach that has appeared to be highly effective at relatively low bandwidth speeds such as 15-18 Mbps. The effects of this is that they can cause firewall problems even at targets that have high speed Internet access of 1 Gbps.
BlackNurse causes high CPU load on the firewalls which can cause network problems for both users on the internal network and the outside world (The Internet). The problems stop when the attack is complete. According to the security reports a small number of internet connections with a low uplink speed can maintain the BlackNurse DDOS attack against a large set of companies or organizations.
According to computer security this type of attack has been known to the specialist community for more than 20 years, however the main reason why it has caused so much damage is that the organizations have not been aware of the risks and have not defended themselves on time. A scan of the Danish IP address space has revealed that there are over 1.7 million devices that can respond to such ICMP ping packets which means that a large BlackNurse can cause a very serious damage impact on them.
So far the confirmed list of devices include a wide variety of models from the Cisco ASA series, as well as SonicWall. However it is widely believed that other vendors and software services are also affected such as Palo Alto Networks. It has been discovered that the iptables (netfilter) utility for Gnu/Linux distributions, MikroTIK and OpenBSD systems are not affected.
The confirmed list so far include the following devices:
- Cisco ASA 5506, 5515, 5525 , 5540 (default settings)
- Cisco 6500 routers with SUP2T and Netflow v9 on the inbound interface – 100% CPU load
- Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
- Cisco Router 897 – Can be mitigated
- Cisco ASA Series
- SonicWall – Misconfiguration can be changed and mitigated (Enable Anti-DDOS)
- Some unverified Palo Alto devices
- Palo Alto 5050 Firewalls with firmware 7.1.4-h2
- Zyxel NWA3560-N (Wireless attack from LAN Side)
- Zyxel Zywall USG50
Palo Alto Networks have stated that their customers are affected by BlackNurse only in very-specific and non-default scenarios that are not aligned with the security best practices. For further information read their statement here.
The research so far shows that the Cisco ASA firewall 55xx series are the most vulnerable. They suffer to the attack even if all ICMP traffic is disabled. Cisco was made aware of the vulnerability however it has not classified it as a security flaw.
Further Details About BlackNurse
A specialist web site has been created to study the threat and provide detailed information. The security experts who operate it have created a way that allows network administrators to check if they are vulnerable to BlackNurse.
The best way to test if your systems are vulnerable, is to allow ICMP on the WAN side of you firewall and do some testing with Hping3. When attacking the outside wan, try to do some internet surfing from the inside and out. In our test we used an Ubuntu installation with Hping3 installed. When testing, you have to be able to reach outbound internet speed of at least 15-18 Mbit/s.
Use Hping3 with one of the following commands:
hping3 -1 -C 3 -K 3 -i u20
hping3 -1 -C 3 -K 3 –flood
Based on our test, we know that a reasonable sized laptop can produce approx. a 180 Mbit/s DoS attack with these commands. We have also made tests using a Nexus 6 mobile phone with Nethunter/Kali which only can produce 9.5 Mbit/s and therefore cannot single-handedly perform the BlackNurse attack.
The TDC security team has also released a ruleset for the SNORT intrusion detection software that is used to detect BlackNurse:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”TDC-SOC – Possible BlackNurse attack from external source “; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:”TDC-SOC – Possible BlackNurse attack from internal source”; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)
For more information you can access the BlackNurse site here.