BlackNurse DDoS Attacks Are Small But Mighty.

BlackNurse is a revolutionary technology in the field of cyber-attacks. Hackers only need one laptop and minimal data to perform a DoS (denial of service) attack.

The BlackNurse attacks target Cisco, SonicWall, Palo Alto and Zyxel firewalls. This method requires small resources to bring down large servers offline.

The Security Operations Center of Danish telecom operator TDC did research on the BlackNurse attacks and wrote a report, detailing their technological aspects and their severity. The researchers highlighted that the method uses low bandwidth Internet Control Message Protocol (ICMP). They explained that BlackNurse “is capable of doing a denial of service to well-known firewalls”. The unusual aspect is that a hacker needs a simple device and a small amount of data to initiate an attack.

The TDC experts shared their observations on the method: “The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.”

The BlackNurse technology utilises ICMP Type 3 Code 3 “port unreachable” messages to attack a server. The goal of these messages is to overload the firewall’s CPU. As the research team wrote: “Based on our test, we know that a reasonable sized laptop can produce approx. a 180 Mbit/s DoS attack with these commands”. This leads to the conclusion that a laptop has enough resources to exert the amount of CPU which would put the targeted server in a DoS state.

The researchers explained how the BlackNurse method performs DoS attacks using a low bandwidth connection of 15 to 18 Mbps. “This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN site will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.”

The TDC team managed to determine which devices are vulnerable to the BlackNurse attacks. The list is as follows:

Cisco ASA 5506, 5515, 5525, Cisco ASA 5550 and 5515-X Cisco Router 897. Some unverified Palo Alto SonicWall. Zyxel NWA3560-N and Zyxel Zywall USG50

The security specialists summed up their findings by pointing out that a certain type of device is most vulnerable to BlackNurse attacks. “We see the Cisco ASA firewall 55xx series to have the biggest problems. Even if you deny all ICMP traffic to the firewalls, they still suffer from the DOS attack, with as little as 4Mbit of traffic.”

TDC listed mitigations and SNORT IDS rules to assist users in detecting BlackNurse attacks. Another source of advice people can use is a post on GitHub, published by a security engineer for OVH. The technician provided a proof-of-concept (PoC) code which allows users to check if their device is vulnerable to BlackNurse attacks.

Independent software developers NETRESEC also made a contribution to the research efforts on the BlackNurse technology. They issued a blog post, titled “The 90’s called and wanted their ICMP flood attack back”. The publication outlines the risk of granting permission for ICMP unreachable message Type 3 while acknowledging TDC’s report. There is a conflict between the Cisco ASA 5500 manual, which recommends giving permission, and the analysis of TDC, which advises denying “ICMP Type 3 messages sent to the WAN interface of Cisco ASA firewalls to prevent the BlackNurse attack.”

Palo Alto also addressed TDC’s findings. To help users combat against the BlackNurse attacks, they issued an advisory and list of recommendations post.

The SANS Internet Storm Center are offering updates regarding the BlackNurse attacks to help users deal with the threat.

VirusGuide:             DDoS: Deceptive Denial Attacks:

 

« Four Amazing Cybersecurity Facts
New Business Protection From Cyber Attackers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

E-Tech

E-Tech

E-Tech has been providing system support and information technology consulting services including Internet and Network Security assessments.

BSI Group

BSI Group

BSI is the business standards company that equips businesses with the necessary solutions to turn standards of best practice into habits of excellence

Roka Security

Roka Security

Roka Security is a boutique security firm specializing in full-scale network protection, defending against advanced attacks, and rapid response to security incidents.

RiskLens

RiskLens

RiskLens is a software company that specializes in the quantification of cybersecurity risk.

Napatech

Napatech

Napatech develops and manufactures high speed network accelerators specifically designed for real-time network monitoring and analysis applications.

ANIS

ANIS

ANIS represents the interests of Romanian IT companies and supports the development of the software and services industry.

Anect

Anect

Anect is a leading provider of ICT security and services for hybrid and cloud solutions.

Jenson Knight

Jenson Knight

Jenson Knight is a global cyber security, cloud and IT infrastructure staffing specialist.

Forum of Incident Response & Security Teams (FIRST)

Forum of Incident Response & Security Teams (FIRST)

FIRST is the global Forum of Incident Response and Security Teams.

BrandProtections.Online

BrandProtections.Online

BrandProtections.online offer end-to-end customer support solutions to help protect against threats which may affect your brand online.

Envelop Risk

Envelop Risk

Envelop Risk is a global specialty cyber insurance firm, combining decades of insurance industry expertise with sophisticated cyber and artificial intelligence-based analytics.

Data#3 Limited (DTL)

Data#3 Limited (DTL)

Data#3 Limited (DTL) is a leading Australian IT services and solutions provider.

eCentre@LindenPointe

eCentre@LindenPointe

The eCenter@LindenPointe provides assistance to the development, management and promotion of STEM (Science, Technology, Engineering, Mathematics) related business ventures.

Appknox

Appknox

Appknox is the world’s most powerful plug-and-play security platform that helps developers, security researchers, and enterprises to build a safe and secure mobile ecosystem.

Acclaim Technical Services (ATS)

Acclaim Technical Services (ATS)

ATS provide operational products, services and solutions to the defense and intelligence communities for all types of critical mission needs.

TrueBees

TrueBees

TrueBees is the first deepfakes detector able to detect AI-generated portraits shared on social media and to prevent their diffusion across the web.