A DDoS technique dubbed BlackNurse has been uncovered that lets attackers take down firewalls and servers from a single laptop.
BlackNurse targets vulnerable firewalls made by Cisco, Palo Alto and others in what’s known as a “ping flood attack.” The bandwidth and packets-per-second rate involved are very low, but the attack is still capable of taking down networks. In fact, an average laptop can produce about a 180Mbps DDoS attack.
“BlackNurse is an attack based on continuously sending a specific ICMP packet to a vulnerable network device,” explained Ben Herzberg, security group research manager for the Incapsula product line at Imperva, in an email. “The special thing about BlackNurse, unlike other denial of service attacks, is that it doesn’t have to be distributed. That’s because low bandwidth, which can be sent from almost any personal computer, is sufficient to result in high CPU usage on the victim side, causing a denial of service for legitimate traffic.”
In most vulnerable devices, this is not about router misconfiguration, but a router vulnerability, based on the high CPU resources that a router has to allocate to handle these ICMP Type 3 Code 3 packets, he added.
“Some of the devices, though, can be configured to handle the attack (either by setting rate limits, enabling built-in ICMP flood DDoS protection or changing other settings, depending on the device),” said Herzberg.
As for mitigation, he argued that dropping all ICMP packets is generally a bad idea.
“In my opinion, the disagreement originates from different legitimate traffic behavior in different enterprises,” he said. “As a rule of thumb, setting a rate limit for this sort of packet is much better than just blocking them all. The best way to avoid false dropping of legitimate ICMP Type 3 Code 3 would be to analyze the enterprise’s legitimate traffic and set a rate limit accordingly.”
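As an added example (not code from the article or from Imperva), the following script applies the approach Herzberg describes: derive a per-source rate limit for ICMP Type 3 Code 3 packets from a capture of known-good traffic, then flag sources that exceed it. The records, addresses and threshold parameters are constructed for illustration.

```python
"""Baseline-derived rate check for ICMP Type 3 Code 3 (port unreachable) floods.

Added example, not the article's or Imperva's code. Records are tuples of
(timestamp_seconds, src_ip, icmp_type, icmp_code), as a defender might export
from a flow collector or packet capture.
"""
from collections import defaultdict

PORT_UNREACHABLE = (3, 3)  # ICMP Type 3 (destination unreachable), Code 3 (port unreachable)


def per_second_rates(records):
    """Count Type 3 Code 3 packets per source per one-second bucket."""
    buckets = defaultdict(int)  # (src, second) -> packet count
    for ts, src, itype, icode in records:
        if (itype, icode) == PORT_UNREACHABLE:
            buckets[(src, int(ts))] += 1
    return buckets


def baseline_limit(legit_records, headroom=3, floor=10):
    """Rate limit (packets/s per source) derived from known-good traffic.

    The limit is the busiest legitimate second times `headroom`, never below
    `floor`, so ordinary bursts of port-unreachable replies are not dropped.
    """
    peak = max(per_second_rates(legit_records).values(), default=0)
    return max(floor, headroom * peak)


def flagged_sources(records, limit):
    """Return {src: worst packets/s} for sources exceeding `limit` in any second."""
    worst = {}
    for (src, _sec), count in per_second_rates(records).items():
        if count > limit and count > worst.get(src, 0):
            worst[src] = count
    return worst


# Constructed sample (hypothetical addresses): a quiet baseline, one unrelated
# echo request, and a single source sending a steady 50 pkt/s for four seconds.
LEGIT = [(t, "10.0.0.5", 3, 3) for t in (0.1, 0.4, 1.2, 2.7)] + [(1.5, "10.0.0.6", 8, 0)]
SUSPECT = [(3 + i / 50.0, "198.51.100.7", 3, 3) for i in range(200)]
OBSERVED = LEGIT + SUSPECT

if __name__ == "__main__":
    limit = baseline_limit(LEGIT)
    print(f"rate limit from baseline: {limit} pkt/s per source")
    print("sources over limit:", flagged_sources(OBSERVED, limit))
```

The derived limit is what would be configured on the device's ICMP rate limiter; the `headroom` and `floor` values should be tuned per enterprise, as the article notes.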