You may have heard some of the buzz earlier this month about TDC engineers who recently discovered a new threat they’re calling “BlackNurse.”
What is BlackNurse?
The BlackNurse attack, also known as the “Ping of Death,” is a denial of service (DoS) attack that can be used to bring down large servers and firewalls with only a laptop and a bit of bandwidth.
Essentially, the attacker sends Internet Control Message Protocol (ICMP) packets, otherwise known as “pings,” that overwhelm servers protected by certain firewalls. The packet type typically associated with a “ping flood attack” is ICMP Type 3 with a code of 0; BlackNurse, however, uses ICMP Type 3 packets with a code of 3, which, according to this technical report, are “packet replies typically returned to ping sources when the destination port of a target is ‘unreachable.’”
How is this different from other DDoS and DoS attacks?
According to the TDC Security Operations Center, BlackNurse is highly effective even at low bandwidth. Rather than simply flooding the server with packets, as in the DDoS attack back in October, the attacker can cause a Denial of Service (DoS) state by “overloading the CPUs of certain types of server firewalls.” It doesn’t really matter how much capacity the network has.
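Because the attack is identified by ICMP type and code rather than by volume alone, a defender can spot it by counting Type 3 / Code 3 packets per source over a short window. The following is an added example (not code from the original post or from TDC): it parses raw IPv4+ICMP frames and flags any source whose port-unreachable rate exceeds a threshold; the sample capture, the addresses and the threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

ICMP_PROTO = 1
ICMP_DEST_UNREACH = 3   # ICMP Type 3 (Destination Unreachable)
ICMP_PORT_UNREACH = 3   # Code 3 (Port Unreachable): the packets BlackNurse relies on

def parse_icmp(frame: bytes):
    """Return (src_ip, icmp_type, icmp_code) for an IPv4/ICMP packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != ICMP_PROTO:
        return None
    ihl = (frame[0] & 0x0F) * 4           # IPv4 header length in bytes
    if len(frame) < ihl + 4:              # need at least type/code/checksum
        return None
    src = ".".join(str(b) for b in frame[12:16])
    return src, frame[ihl], frame[ihl + 1]

def make_packet(src: str, icmp_type: int, icmp_code: int) -> bytes:
    """Constructed sample IPv4+ICMP packet used only as parser input (checksums left zero)."""
    src_bytes = bytes(int(o) for o in src.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64,
                         ICMP_PROTO, 0, src_bytes, bytes([10, 0, 0, 1]))
    return ip_hdr + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)

def flag_port_unreachable_floods(captured, window_s: float, threshold_pps: float):
    """captured: iterable of (timestamp, frame). Returns sources whose Type 3/Code 3
    rate in any window exceeds threshold_pps; other ICMP types/codes are ignored."""
    buckets = defaultdict(int)            # (src, window index) -> packet count
    for ts, frame in captured:
        parsed = parse_icmp(frame)
        if parsed and parsed[1:] == (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
            buckets[(parsed[0], int(ts // window_s))] += 1
    limit = threshold_pps * window_s
    return sorted({src for (src, _), n in buckets.items() if n > limit})

# Constructed capture: one host sends 300 port-unreachable packets in one second,
# a second host sends normal echo replies, a third sends a few net-unreachable (code 0).
SAMPLE_CAPTURE = (
    [(i / 300, make_packet("198.51.100.7", 3, 3)) for i in range(300)]
    + [(i * 0.2, make_packet("192.0.2.10", 0, 0)) for i in range(5)]
    + [(i * 0.3, make_packet("203.0.113.5", 3, 0)) for i in range(3)]
)

if __name__ == "__main__":
    # prints ['198.51.100.7'] for the constructed capture above
    print(flag_port_unreachable_floods(SAMPLE_CAPTURE, window_s=1.0, threshold_pps=100))
```

The threshold is deliberately a parameter: the right value depends on how much legitimate port-unreachable traffic the firewall normally sees, so tune it from a baseline capture rather than from the sample here.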
Which products does BlackNurse affect?
- Cisco ASA 5506, 5515, 5525 (default settings)
- Cisco ASA 5550 (legacy) and 5515-X (latest generation)
- Cisco Router 897 (can be mitigated)
- SonicWall (misconfiguration can be changed and mitigated)
- Some Palo Alto devices (unverified)
- Zyxel NWA3560-N (wireless attack from LAN side)
- Zyxel Zywall USG50
What can be done about it?
While it can temporarily slow down or disable the servers, this type of attack can be mitigated, and several companies have issued individual statements on how to deal with the problem:
- Cisco
- NETRESEC
- SANS Institute
- Palo Alto