BlackNurse Attack lets ONE laptop knock big servers offline
Whenever we hear about a Distributed Denial of Service (DDoS) attack, we picture thousands, if not millions, of zombie computers or Internet of Things devices (as the recent Dyn case showed) flooding a particular website or service with huge volumes of data until it collapses. It is generally assumed that DDoS tools, or stressers as they are known, need thousands of zombies to mount an attack large enough to bring down a DDoS-protected website. However, new research shows that a new attack uses a SINGLE laptop to conduct a DDoS attack that can knock a highly protected server offline.
Security researchers from Denmark-based TDC Security Operations Center have dubbed the new attack technique BlackNurse. BlackNurse attack uses very limited resources to knock large servers offline when they’re protected by certain firewalls made by Cisco Systems and other manufacturers.
The BlackNurse attack makes it easy for cyber criminals to mount a simple denial-of-service attack against a website using as little as 15 megabits, or about 40,000 packets per second, to sever the Internet connection of vulnerable servers. Imagine what a BlackNurse attack could have done had it been used in the recent Dyn attack. To put things in perspective, the unknown hackers who cut off Internet access across the Mid-West and the Eastern United States on 21st October apparently used IoT botnets that sent junk data packets at 1 Terabyte per second to wreak havoc and knock services like Reddit, Twitter and Spotify offline.
In a blog post published Wednesday, the researchers wrote:
The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.
How does BlackNurse use a single laptop to mount a massive DDoS attack?
The researchers found that the BlackNurse attack abuses the Internet Control Message Protocol (ICMP), which routers and other networking devices use to send and receive error messages. Since there is no protection or rate limit on sending or receiving such ICMP messages, BlackNurse leverages this by sending a special type of ICMP packet, specifically Type 3 (Destination Unreachable) packets with code 3 (Port Unreachable), which attackers can use to place unwanted load on the CPUs of firewalls made by Cisco and other vendors, and on the servers those firewalls protect.
During their research, they found that once the attack reaches a threshold of 15 Mbps to 18 Mbps, the targeted firewalls drop so many packets that the servers behind them are effectively driven offline.
Using the same dud ICMP packets, the researchers mounted a BlackNurse attack from a SINGLE LAPTOP, sending just 180 Mbps, and brought down a server.
It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the [local area network] site will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.
BlackNurse attack fears
The worrying thing is that the researchers found that the BlackNurse attack is already being used in the wild: they have observed about 95 such DDoS attacks in the past two years. The report didn’t say whether those ICMP attacks were based on the newly described BlackNurse technique or on the previously known ICMP flood that uses Type 8 (Echo Request) packets with code 0.
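The Type 3 / Code 3 pattern described above, and its difference from the older Type 8 / Code 0 ping flood, as an added detection example that is not code from the TDC or Netresec research: it parses raw ICMP messages, validates the RFC 792 checksum, and flags per-second bursts of each kind separately. The alert threshold, the function names and the constructed sample bytes are assumptions for this example.

```python
import struct
from collections import Counter

# Assumed alert threshold (packets per second). The article cites roughly
# 40,000 pps (15-18 Mbps) as the point where the affected firewalls fail,
# so alerting well below that gives an operator time to react.
PPS_ALERT_THRESHOLD = 20_000


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"          # pad odd-length messages to a 16-bit boundary
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet: bytes):
    """Return (type, code, checksum_ok) for a raw ICMP message, or None if too short."""
    if len(packet) < 8:           # every ICMP header is at least 8 bytes
        return None
    icmp_type, icmp_code, stored = struct.unpack("!BBH", packet[:4])
    # The checksum is computed with the checksum field itself zeroed.
    ok = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == stored
    return icmp_type, icmp_code, ok


def classify(icmp_type: int, icmp_code: int) -> str:
    if (icmp_type, icmp_code) == (3, 3):
        return "blacknurse-candidate"   # Destination Unreachable / Port Unreachable
    if (icmp_type, icmp_code) == (8, 0):
        return "ping-flood-candidate"   # Echo Request, the classic ICMP flood
    return "other"


def detect_floods(events, threshold=PPS_ALERT_THRESHOLD):
    """events: iterable of (timestamp_seconds, raw_icmp_bytes), e.g. from a capture.
    Returns sorted (second, label, count) for one-second buckets above threshold."""
    buckets = Counter()
    for ts, raw in events:
        parsed = parse_icmp(raw)
        if parsed is None or not parsed[2]:
            continue                     # malformed or bad-checksum packets are not counted
        buckets[(int(ts), classify(parsed[0], parsed[1]))] += 1
    return sorted((sec, label, n) for (sec, label), n in buckets.items()
                  if n > threshold and label != "other")


def build_sample(icmp_type: int, icmp_code: int, payload: bytes = b"") -> bytes:
    """Constructed test input only: a well-formed ICMP message with a valid checksum."""
    header = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, icmp_code, chk, 0) + payload
```

On a real sensor the events would come from a packet capture; the labels only say which flood family the burst resembles, and the firewall-CPU symptoms described in the article are what confirms impact.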
Mitigation against BlackNurse attack
According to researchers from Netresec, a security firm that collaborated with TDC Security on the research, the attack works only against servers using firewalls from Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel. The researchers have listed the specific models that are vulnerable to the BlackNurse attack in their blog post.
One of the affected firewall makers, Palo Alto Networks, has issued its own advisory, which reports that the company’s devices are only vulnerable in “very specific, non-default scenarios that contravene best practices.”
Cisco, surprisingly, does not consider the BlackNurse attack a security issue, though it has not said why. The SANS Institute has published its own brief write-up of the attack.