A type of denial-of-service (DoS) attack that targets firewalls from a number of vendors including Cisco, Palo Alto and SonicWall was found to have resurfaced earlier this month. Unlike other DoS attacks that rely on pounding a machine or network resource with large amounts of traffic, BlackNurse doesn't require much bandwidth at all. Researchers have shown that BlackNurse will work with less than 20Mbps of traffic and is effective even against large enterprise firewalls. For IT administrators who want to test for and mitigate against this kind of attack on their organisation, here are the instructions.
BlackNurse is what is traditionally known as a "ping flood attack", which was effective in the '90s. It is effective against firewalls because the impact depends less on the volume of traffic going through the pipe than on the type of packets that are sent.
Danish telecom operator TDC researchers looked into BlackNurse earlier this month and found that it used Internet Control Message Protocol (ICMP) Type 3 Code 3 messages (Destination Unreachable, Port Unreachable), which a host normally sends back to a sender to indicate that the destination port is unreachable, to overload the target firewall's host CPU.
The reason why BlackNurse was particularly concerning for TDC was because this type of attack was found to be effective even against its customers with large internet uplinks and enterprise firewalls in place: "We had expected that professional firewall equipment would be able to handle the attack."
How To Test To See If You're Vulnerable To BlackNurse
For IT administrators, you can test to see whether your system is vulnerable by allowing ICMP on the WAN side of your firewall. You can simulate a BlackNurse attack with hping3, a command-line tool used for network testing. For the tests, you need to be able to reach outbound internet speeds of at least 15-18Mbps. Then you can use one of the following hping3 commands:
hping3 -1 -C 3 -K 3 -i u20
hping3 -1 -C 3 -K 3 --flood
The TDC researchers were able to launch a 180Mbps DoS attack with the commands on a "reasonable sized laptop".
During the test, you should try to browse the internet from the LAN side of the firewall and keep an eye on the CPU load of your firewall. TDC researchers said:
"Firewall logging during the attack can increase the impact from the attack, which means that the firewall gets even more exhausted. We also believe that many firewalls with a single CPU are more likely to get exhausted faster than firewalls with two or more CPUs."
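Besides watching CPU load, a defender can monitor the WAN side for the traffic pattern itself: a high rate of ICMP Type 3 Code 3 packets from a single source, regardless of bandwidth. The following is an added example, not code from the article or from TDC; it parses raw IPv4/ICMP frames and flags sources whose per-second rate exceeds an assumed threshold, using constructed sample packets.

```python
"""Spot a BlackNurse-style flood: many ICMP Type 3 Code 3 (destination port
unreachable) packets per second from one source, independent of bandwidth."""
import socket
import struct
from collections import defaultdict

ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3   # ICMP Type 3, Code 3


def parse_ipv4_icmp(frame: bytes):
    """Return (src_ip, icmp_type, icmp_code) for a raw IPv4/ICMP frame, else None."""
    if len(frame) < 20:
        return None
    ihl = (frame[0] & 0x0F) * 4                # IPv4 header length, options included
    if frame[9] != socket.IPPROTO_ICMP or len(frame) < ihl + 4:
        return None
    src_ip = socket.inet_ntoa(frame[12:16])
    return src_ip, frame[ihl], frame[ihl + 1]  # ICMP type and code follow the IP header


def port_unreachable_counts(timed_frames, window=1.0):
    """Count Type 3/Code 3 packets per (source, time bucket of `window` seconds).
    `timed_frames` is an iterable of (timestamp_seconds, raw_frame)."""
    counts = defaultdict(int)
    for ts, frame in timed_frames:
        parsed = parse_ipv4_icmp(frame)
        if parsed and parsed[1] == ICMP_DEST_UNREACH and parsed[2] == ICMP_PORT_UNREACH:
            counts[(parsed[0], int(ts // window))] += 1
    return counts


def flood_sources(timed_frames, pps_threshold):
    """Return {src_ip: peak packets per window} for sources above the threshold.
    The threshold is an assumption; tune it to the firewall's observed baseline."""
    hot = {}
    for (src, _bucket), n in port_unreachable_counts(timed_frames).items():
        if n > pps_threshold:
            hot[src] = max(n, hot.get(src, 0))
    return hot


def make_frame(src_ip: str, icmp_type: int, icmp_code: int) -> bytes:
    """Construct a sample IPv4 header plus 4-byte ICMP header (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("192.0.2.1"))
    return ip + struct.pack("!BBH", icmp_type, icmp_code, 0)


if __name__ == "__main__":
    # Constructed sample: 200 port-unreachables within one second from one host,
    # plus three harmless echo replies (type 0) from another.
    sample = [(0.001 * i, make_frame("198.51.100.7", 3, 3)) for i in range(200)]
    sample += [(0.5, make_frame("203.0.113.9", 0, 0))] * 3
    print(flood_sources(sample, pps_threshold=100))   # {'198.51.100.7': 200}
```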
How To Mitigate BlackNurse Attacks
Here's what TDC recommends as a method to reduce the impact of a BlackNurse attack:
"On firewalls and other kinds of equipment a list of trusted sources for which ICMP is allowed could be configured. Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack quite easily. This is the best mitigation we know of so far."
Bear in mind that Cisco's default recommendation for its firewall configuration is to grant permission for ICMP Type 3, but TDC suggests that this may leave firewalls vulnerable to BlackNurse.