BlackNurse Denial of Service Attack

1
539

BlackNurse Denial of Service Attack

Remember the days back in the 90s when you could cripple someones Internet connection simply by issuing a few PING command like “ping -t [target]”? This type of attack was only successful if the victim was on a dial-up modem connection. However, it turns out that a similar form of ICMP flooding can still be used to perform a denial of service attack; even when the victim is on a gigabit network.”

The Danish internet service provider TDC’S SOC team reported that flooding network devices is getting more popular than flooding the uplinks. During one of their attack analysis, they realized that flooding some of their customer’s devices with ICMP  packets  can disturb operations of the customers. They called this attack as BlackNurse Denial of Service Attack.  But, it is not similar with the conventional ICMP flood attack,though it is based on ICMP Type 3, Code 3 packets by using very low bandwidth.

When I heard about BlackNurse first time, it sounded so unreasonable 🙂 After doing some researches on test environment, the devices became unstable so transit traffic affected from the attack.

Another strange point is that it is not a vendor specific attack vector. As seen from affected product list below, there are several vendors suffering from Black Nurse.

How to Attack

TDC’S SOC team suggest to use hping3  with following command;

It generates approximately 16kpps and 24 Mbps ICMP traffic with dual core workstation.

I use MZ (Mausezahn) which is free raw packet generator “written in C which allows you to send nearly every possible and impossible packet” with following parameters.

If your attack is successful, your management connection to the device will be down. That’s why, do not forget to add –count parameter with a definite count value.

Observations

By using MZ command that shared above, we observed 40kpps packet rate with an amount of 48 Mbps bandwidth.

We did two tests; one of them aimed to directly assigned IP address of the device, the other one was to aim NAT IPs on the device.

In spite of low volume, the results are very surprising as follows. The device started to struggle for 3-5 seconds, then it dropped transit traffic that is passing through it.

Picture1-Observation of BlackNurse Attack
Picture 1-Observation of BlackNurse Attack

Attack Surface

  • Check Point Devices

    Check Point reported that Check Point Security Gateways are not vulnerable to the “BlackNurse” attack.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114500

  • Fortigate Devices

    On http://blacknurse.dk/ website, it is said that 60c and 100D units and  FortiOS v5.4.1 are affectted even with drop ICMP configuration. On the contrary, vendor side reported that FortiDDoS architecture can beat the attack even if an attacker changes the script to another combination of these types and codes.  If someone had already tried it, please share the results with me.

https://blog.fortinet.com/2016/11/14/black-nurse-ddos-attack-power-of-granular-packet-inspection-of-fortiddos-with-unpredictable-ddos-attacks

Mitigation

  • Palo Alto

    There are two ways to protect the device from being hit. One of them is enabling a Zone Protection Profile and appyling it to the ingress zone. Second one is to configure DDoS Protection Policy as Palo Alto advised in their reseach center.

I just had a chance to test DDoS protection policy. It can be easily applied to zones without any service interruption as follows.

Gallery 1 – How to Create and Apply DDoS Protection on Palo Alto

After enabling DDoS protection policy, we regenerate the attack scenario and observed from Palo Alto threat monitoring tab from web interface as follows.

Picture 3 - Monitoring Device Behaviour from Threat
Picture 2 – Monitoring Device Behaviour from Threat

The important point is that, the attacks which are coming to the directly connected interfaces of the device handled by Police engine as Untrust-to-Untrust traffic. That’s why do not forget to assign a Ddos protection policy from Untrust Zone to Untrust Zone.

Picture 2 - Monitoring Blocked
Picture 3 – Monitoring Blocked Packets by Policy Engine
  • By Using Snort Rules

I haven’t test other vendors like Juniper, Fortigate and Cisco yet. As soon as I test, I will share from here.

 

UPDATE

Mitigating Black Nurse on Fortigate and Cisco is following.

http://namitguy.blogspot.com.tr/2016/11/mitigating-blacknurse-exploit-on-cisco.html

If you have any suggestion or comment, kindly do not hesitate to ask me  from [email protected] or by leaving comment.

 

*http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack 

*http://soc.tdc.dk/blacknurse/blacknurse.pdf

1 COMMENT

LEAVE A REPLY