agsandrew - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

BlackNurse hits big routers with low-volume denial-of-service attack

Researchers claim 'BlackNurse,' a low-volume ICMP denial-of-service attack, can allow a laptop to bring down routers and firewalls with as little as 4 Mbps of malicious packets.

BlackNurse, the newest branded vulnerability, is a denial-of-service attack that researchers claim can take down firewalls and routers with as little as 15 to 18 Mbps of malicious ICMP packets.

The attack abuses Internet Control Message Protocol (ICMP) Type 3 Code 3 "port unreachable" messages, and has been reported to work against several Cisco routers, as well as routers and firewalls from other vendors including ZyXEL, Sonicwall and Palo Alto Networks. Security researchers Lenny Hansson and Kenneth Jørgensen, who discovered the vulnerability, claim the attack can disrupt Cisco ASA 55xx routers with as little as 4 Mbps.

"We see the Cisco ASA firewall 55xx series to have the biggest problems. Even if you deny all ICMP traffic to the firewalls, they still suffer from the [denial-of-service (DOS)] attack, with as little as 4Mbit of traffic," the researchers wrote on the BlackNurse website.

The TDC researchers wrote that mitigating a BlackNurse attack could be as simple as configuring a whitelist "of trusted sources for which ICMP is allowed could be configured. Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack quite easily. This is the best mitigation we know of so far."

The source of the problem is still unclear, though the researchers believe the vulnerability is based on how devices handle packets. "We have right now only seen this in hardware-based firewalls, where packets are sent directly to CPU," Hansson and Jørgensen told SearchSecurity by email.

However, not everyone agrees about the threat from BlackNurse. It is still unclear why these particular ICMP packets require so much processing from the CPU, wrote Johannes Ullrich, dean of research at SANS Technology Institute, in a blog post. "In my opinion, this is likely due to the firewall attempting to perform stateful analysis of these packets. ICMP unreachable packets include as payload the first few bytes of the packet that caused the error. A firewall can use this payload to determine if the error is caused by a legit packet that left the network in the past. This analysis can take significant resources."

"This issue is not vendor-specific, and the attack does not exploit a security vulnerability," Cisco wrote in a statement to SearchSecurity, downplaying the threat. "In the event of an attack, the mentioned ASA devices continue to enforce the configured security policy, and there is not a compromise. For the select ASA firewalls noted in this study, protection against DoS threats is multilayered, and we work with our customers to ensure the DoS security is accounted for further upstream in the network as a best practice."

Palo Alto Networks issued a note to its customers about the BlackNurse attack, stating "We have conducted an investigation into this issue and to date have found that Palo Alto Networks Next-Generation Firewall customers can only be affected in very specific, non-default scenarios that contravene best practices."

Palo Alto suggested best practices for its customers to protect against BlackNurse, including configuring a DoS protection profile to protect against flooding of ICMP and ICMPv6 packets, but the company also warned that flooding attacks can use any protocol type.

"You don't need a lot of bandwidth to carry out the attack," Hansson and Jørgensen told SearchSecurity, noting that combining BlackNurse with a botnet, like the Mirai DDoS botnet, which devastated the Dyn DNS service last month, could spell trouble because it is practical to execute the attack from IoT devices. "We have seen as little as 4 [Mbps] to DoS a Cisco device. IoT devices from small uplinks can come into play from botnets. This means that a botnet like Mirai would be able to attack more targets at once. This can be more devastating than a single attack of 1 TBps on one target."

As for the source of the attacks, the researchers said: "Right now we have seen this used from what we believe can be some sort of DDOS-service. This is based on the mix of attack types we see hit our customers."

Next Steps

Find out more about how ICMP is used, and how to keep it from being misused.

Learn about how ping uses ICMP to help test network connections.

Read about how the internet of things enabled massive DDoS bandwidth  to take down DNS firm Dyn's servers.

Dig Deeper on DDoS attack detection and prevention