BlackNurse DDoS Attacks Are Small But Mighty.

Uploaded on 2016-11-23 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

BlackNurse is a revolutionary technology in the field of cyber-attacks. Hackers only need one laptop and minimal data to perform a DoS (denial of service) attack.

The BlackNurse attacks target Cisco, SonicWall, Palo Alto and Zyxel firewalls. This method requires small resources to bring down large servers offline.

The Security Operations Center of Danish telecom operator TDC did research on the BlackNurse attacks and wrote a report, detailing their technological aspects and their severity. The researchers highlighted that the method uses low bandwidth Internet Control Message Protocol (ICMP). They explained that BlackNurse “is capable of doing a denial of service to well-known firewalls”. The unusual aspect is that a hacker needs a simple device and a small amount of data to initiate an attack.

The TDC experts shared their observations on the method: “The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.”

The BlackNurse technology utilises ICMP Type 3 Code 3 “port unreachable” messages to attack a server. The goal of these messages is to overload the firewall’s CPU. As the research team wrote: “Based on our test, we know that a reasonable sized laptop can produce approx. a 180 Mbit/s DoS attack with these commands”. This leads to the conclusion that a laptop has enough resources to exert the amount of CPU which would put the targeted server in a DoS state.

The researchers explained how the BlackNurse method performs DoS attacks using a low bandwidth connection of 15 to 18 Mbps. “This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN site will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.”

The TDC team managed to determine which devices are vulnerable to the BlackNurse attacks. The list is as follows:

Cisco ASA 5506, 5515, 5525, Cisco ASA 5550 and 5515-X Cisco Router 897. Some unverified Palo Alto SonicWall. Zyxel NWA3560-N and Zyxel Zywall USG50

The security specialists summed up their findings by pointing out that a certain type of device is most vulnerable to BlackNurse attacks. “We see the Cisco ASA firewall 55xx series to have the biggest problems. Even if you deny all ICMP traffic to the firewalls, they still suffer from the DOS attack, with as little as 4Mbit of traffic.”

TDC listed mitigations and SNORT IDS rules to assist users in detecting BlackNurse attacks. Another source of advice people can use is a post on GitHub, published by a security engineer for OVH. The technician provided a proof-of-concept (PoC) code which allows users to check if their device is vulnerable to BlackNurse attacks.

Independent software developers NETRESEC also made a contribution to the research efforts on the BlackNurse technology. They issued a blog post, titled “The 90’s called and wanted their ICMP flood attack back”. The publication outlines the risk of granting permission for ICMP unreachable message Type 3 while acknowledging TDC’s report. There is a conflict between the Cisco ASA 5500 manual, which recommends giving permission, and the analysis of TDC, which advises denying “ICMP Type 3 messages sent to the WAN interface of Cisco ASA firewalls to prevent the BlackNurse attack.”

Palo Alto also addressed TDC’s findings. To help users combat against the BlackNurse attacks, they issued an advisory and list of recommendations post.

The SANS Internet Storm Center are offering updates regarding the BlackNurse attacks to help users deal with the threat.

VirusGuide:             DDoS: Deceptive Denial Attacks:

 

« Four Amazing Cybersecurity Facts
New Business Protection From Cyber Attackers »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DeviceLock

DeviceLock

DeviceLock is a leading provider of endpoint device/port control and data leak prevention software.

National Authority Against Electronic Attacks (NAAEA) - Greece

National Authority Against Electronic Attacks (NAAEA) - Greece

The National Authority Against Electronic Attacks (NAAEA) is the national computer emergency response team of Greece.

Cybonet

Cybonet

Cybonet provides easy to deploy, flexible and scalable security solutions that empower organizations of all sizes to actively safeguard their networks in the face of today’s evolving threats.

Iceberg

Iceberg

Since 2016, Iceberg has redefined how businesses approach hiring in the Cybersecurity and eDiscovery space.

Cyacomb

Cyacomb

Cyacomb (formerly Cyan Forensics) provides digital forensics software to help police forces find evidence on computers many times faster than before.

Swiss Cyber Think Tank (SCTT)

Swiss Cyber Think Tank (SCTT)

The Swiss Cyber Think Tank is a business network for Cyber Risk & Insurability, providing an industry-wide networking platform for insurers, technology and security firms.

RCMP National Cybercrime Coordination Unit (NC3)

RCMP National Cybercrime Coordination Unit (NC3)

As set out in the Government of Canada's National Cyber Security Strategy, the RCMP has established the National Cybercrime Coordination Unit (NC3).

Webtotem

Webtotem

Webtotem's mission is to prevent the global epidemic of website infection and provide every website owner with basic security rights.

Mendoza Ventures

Mendoza Ventures

Mendoza Ventures is a venture capital fund focusing on pre-seed Artificial Intelligence (AI), Fintech, and Cybersecurity startups.

Intelligent CloudCare

Intelligent CloudCare

Intelligent CloudCare, a division of IPS, is a full IT Services provider serving the needs of SMBs in the metropolitan New York City region.

SeeMetrics

SeeMetrics

SeeMetrics is an automated cybersecurity performance management platform that integrates security data and business objectives into a simple interface.

Three Wire Systems

Three Wire Systems

Three Wire is a leader in innovative and efficient technology solutions for government agencies and large enterprise corporations.

Comcast Technology Solutions (CTS)

Comcast Technology Solutions (CTS)

Comcast Technology Solutions delivers proven technologies for global video, media, communications, data applications, and cybersecurity & compliance.

Onum

Onum

Onum helps security and IT leaders focus on the data that's most important. Gain control of your data by cutting through the noise for deep insights in real time.

IT-Schulungen.com / New Elements GmbH

IT-Schulungen.com / New Elements GmbH

Under the name IT-Schulungen.com, the Nuremberg-based New Elements GmbH has been operating one of the largest training centres in the German-speaking world for over 20 years.

Hughes Network Systems

Hughes Network Systems

Hughes are industry leaders in networking technologies and services, innovating constantly to deliver the global solutions that power a connected future for people, enterprises and things everywhere.