Overload firewalls from a laptop (but also from a mobile phone!)


When it comes to launching successful DDoS attacks, the equation is a simple:

more traffic and more devices generating that traffic = more chance of knocking down a server.

But recently researchers at TDC Security Operations Center (a Danish security firm) have discovered a new attack technique that lone attackers with limited resources can be used to take large servers offline.

The technique, named “BlackNurse”, an be used to launch several low-volume DoS attacks by sending specially formed ICMP packets that overwhelm the processors on server protected by firewalls from multiple vendors.

Products Affected

  • Cisco ASA 5506, 5515, 5525
  • Cisco ASA 5550 and 5515-X
  • Cisco Router 897
  • SonicWall
  • Some unverified Palo Alto
  • Zyxel NWA3560-N
  • Zyxel Zywall USG50

… and probably many more!

The attack

The attack is more traditionally known as a “ping flood attack” and is based on ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) requests.

By sending this type of ICMP, an attacker can cause a Denial of Service state by overloading the CPUs of certain types of server firewalls, regardless of the quality of internet connection:

Low bandwidth is in this case around 15–18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection.

The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.

Test your devices

From blacknurse.dk:

The best way to test if your systems are vulnerable, is to allow ICMP on the WAN side of you firewall and do some testing with Hping3.

Use Hping3 with one of the following commands:

hping3 -1 -C 3 -K 3 -i u20 <target ip>
hping3 -1 -C 3 -K 3 — flood <target ip

Based on our test, we know that a reasonable sized laptop can produce approx. a 180 Mbit/s DoS attack with these commands. We have also made tests using a Nexus 6 mobile phone with Nethunter/Kali which only can produce 9.5 Mbit/s and therefore cannot single-handedly perform the BlackNurse attack.

A fast mitigation?

The researcher has published the following Snort/IPS rules for detecting Type 3 Code 3 flooding:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”TDC-SOC — Possible BlackNurseattack from external source “; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:”TDC-SOC –Possible BlackNurse attack from internal source”; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)

References and papers

[embed]http://blacknurse.dk/[/embed]
https://soc.tdc.dk/blacknurse/blacknurse.pdf[embed]http://blacknurse.dk/[/embed]