All it takes is a single laptop
All it takes is a single laptop

The BlackNurse Denial of Service attack can disrupt the largest of enterprises, behind high-end firewalls, using just a single laptop to carry it out. According to the researchers who uncovered the technique, it has reduced the infrastructure requirement to succeed with DoS attacks.

As the Firemon sponsored study by the Aberdeen Group ‘Quantifying the value of intelligent security management' warns: “The increasingly complex problem of firewall sprawl introduces operational showdowns and security risk to many enterprises today.”

If proof that lack of proper firewall management is a security catastrophe waiting to happen were needed, along comes BlackNurse. According to multiple reports the BlackNurse DoS attack can disrupt high-end network hardware and take your business offline from just a single attacking laptop.

TDC Security Operations Center, which first discovered the attack mode, says the BlackNurse attack can keep enterprise operations down despite the traffic speed and packets per second rate being very low. Even customers with large enterprise firewalls in place were being impacted. “We had expected that professional firewall equipment would be able to handle the attack,” a TDC SOC spokesperson says.

So how does the BlackNurse attack work? SCMagazineUK.com spoke to Paul Ducklin, senior technologist at Sophos, who started the conversation by telling us that BlackNurse isn't really an attack at all. “It's more of a reminder of why DDoSes work,” Ducklin explained. “If you bombard a single network port on a single router with lots of packets, you force the router to do extra work.” It's that extra work that steals some of the router's performance away from legitimate users, and thus legitimate traffic gets held up in the snarl.

“Unfortunately, if you pick your time-wasting packets carefully,” Ducklin continues, “you may be able to find some router models that do even more extra work than others to dispose of your malicious traffic.”

It's at this point that you can cause additional harm to those specific routers by picking the content that makes them work hardest. In the case of BlackNurse, the extra harm traffic is comprised of Internet Control Message Protocol (ICMP) packets.

“The attack is triggered by a limited volume of 15-18Mbps, about 40 to 50 [thousand] packets per second, of ICMP Type 3 Code 3 (port unreachable) packets,” says Radware EMEA security evangelist Pascal Geenens. “The impact on vulnerable firewalls is typically high CPU loads causing the devices to stop forwarding packets or creating new sessions.”

Most ICMP ‘ping flood attacks' are based on ICMP Echo (Type 8 Code 0) which deny service through excessive bandwidth. BlackNurse is different in that it only needs a very limited bandwidth to work.

ICMP ping floods don't usually work as firewalls are configured to block ping and traceroute (ICMP Type 0,8 and 11) but Type 3 (destination unreachable) is required for keeping hosts working on the network. RFC 1812 requires those destination unreachable messages in fact.

Opinion appears split in the industry whether dropping all ICMP packets is a bad idea or not. Ben Herzberg, security group research manager for the Incapsula product line at Imperva, says that when it comes to dropping ICMP Type 3 Code 3, “as a rule of thumb, setting a rate limit for this sort of packets is much better than just blocking them all.”

However, Stephen Gates, chief research intelligence analyst at NSFOCUS, says, “If enterprises possess a vulnerable firewall, they're likely to go offline if they come under this type of attack, unless they block all incoming ICMP.”

Dr Malcolm Murphy, the technology director for Western Europe at Infoblox, advises, “If you have vulnerable devices, the steps to take vary depending on what firewall you've got: Palo Alto recommend turning on a feature called DOS flood protection; other firewalls may have similar features.  Alternatively, you could rate limit incoming ICMP traffic, or restrict the ICMP type 3 code 3 messages that BlackNurse exploits.”

Meanwhile, Sean Newman, director at Corero Network Security, perhaps unsurprisingly suggests that “it's trivial for DDoS protection to block the attack” and BlackNurse is “just another example of why DDoS protection needs to be treated separately from other networking functions”.

To conclude, Diogo Mónica, IEEE member and security lead at Docker, insists that enterprises should “buy routers that have been tested under load before they put it in production.”

A stance that we find it very hard to argue with, truth be told…