Jump to content

Welcome to nsane.forums

Welcome to nsane.forums, like most online communities you need to register to view parts of our community or to make contributions, but don't worry: this is a free and simple process that requires minimal information. Be a part of nsane.forums by signing in or creating an account.

  • Access special members only forums
  • Start new topics and reply to others
  • Subscribe to topics and forums to get automatic updates

 

Please note: Unfortunetely due to some server side issues, registration via Hotmail / Outlook email addresses do not work, members are requested to use some other email addresses like Gmail to register here.


Sign in to follow this  
Batu69

BlackNurse Low-Volume DoS Attack Targets Firewalls

Recommended Posts

Batu69    18,607
Batu69

shutterstock_228924541

 

A type of denial of service attack relevant in the 1990s has resurfaced with surprising potency against modern-day firewalls. Dubbed a BlackNurse attack, the technique leverages a low-volume Internet Control Message Protocol (ICMP) -based attack on vulnerable firewalls made by Cisco, Palo Alto, SonicWall and others, according to researchers.

 

TDC Security Operations Center, a security firm that published a technical report (PDF) on BlackNurse this week, said the attack is more traditionally called a “ping flood attack.” In this type of assault, traffic volume doesn’t matter as much as the type of packets sent, researchers said.

 

In a description of BlackNurse, an attacker causes a Denial of Service (DoS) state by overloading the firewall’s host CPU. “When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet,” according to TDC.

 

It’s unclear why the ICMP Type 3 Code 3 requests overload firewall’s CPU. However, researchers at SANS Internet Storm Center believe it’s tied to firewall logging. It’s a theory bolstered by TDC’s own description of the impact of the attack.

 

“Firewall logging during the attack can increase the impact from the attack, which means that the firewall gets even more exhausted,” TDC wrote.

BlackNurse attacks are similar to, but not to be confused with, related ICMP Type 8 Code 0 attacks, also called a ping flood attack, according to TDC. “ICMP based attacks in general are a well-known attack type used by some DDoS attackers,” TDC wrote. Researchers explain:

“The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.”

Noteworthy, BlackNurse DoS attack volume intensity hovers between a paltry 15 to 18 Mbps (or 40 to 50K packets per second), according to researchers. That’s in stark contrast to the 1 Tbps DDoS attack recorded against DNS provider Dyn last month.

 

The low volume DDoS attack is effective because the goal is not to flood the firewall with useless traffic, but rather to drive high CPU loads. To that end many firewall vendors protect against ICMP-based attacks. But blocking all ICMP types and codes isn’t an option, for fear that something will likely to break down, TDC said.

 

In fact, security firm NetreseC points out in an analysis of BlackNurse that Cisco warns: “We recommend that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic.”

 

As for vulnerable firewalls, TDC singles out some Cisco ASA firewalls. According to a SANS Internet Storm Center report on BlackNurse, Cisco firewalls that are newer, larger and are multi-core appear to be fine. However, SonicWall and some Palo Alto firewalls appear to be vulnerable, according to Johannes Ullrich, dean of research at SANS Technology Institute and author of the SANS ISC post.

 

Cisco, SonicWall and Palo Alto were contacted for this report, but did not reply.

Testing for BlackNurse, suggests TDC, includes allowing ICMP on the WAN side of a firewall and conducting tests with the tool Hping3, a free packet generator and analyzer for the TCP/IP protocol. Detection includes adopting SNORT IDS/IPS rules to spot the attack, according TDC which outlines its own rules.

 

Mitigation includes creating a “list of trusted sources for which ICMP is allowed and could be configured” and “disabling ICMP Type 3 Code 3 on the WAN interface,” TDC said.

 

Article source

Share this post


Link to post
Share on other sites
UnknownOne    106
UnknownOne

a misconfigured system may have a log that would keep growing also causing memory to be consumed completely (sometimes).. in a router or other similar devices lack or storage space would also cause issues.. high cpu, memory exhaustion and space exhaustion. oh dear.. i think they should just ditch ipv4, and begin to just use ipv6.. most tools for ipv6 are private instead of everywhere.. ;)

Edited by UnknownOne

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this  

×