Short Bytes: Researchers from TDC Security Operations Center have found an attack named BlackNurse. It allows an attacker with modest resources to target large firewalls and servers. The BlackNurse attack is based on low-volume ICMP traffic.

Back in the 1990s, people were able to crush another person’s dial-up internet connection by simply using a few ping commands. A similar type of denial-of-service attack is back to cripple modern-day firewalls and take down large servers. Named BlackNurse, this attack mechanism is a low-volume, Internet Control Message Protocol (ICMP)-based attack on vulnerable firewalls, targeting the ones made by Cisco, Zyxel, SonicWall and others. For those who don’t know, ICMP is the protocol used by routers and network devices to send and receive error messages.
Researchers from Denmark’s TDC Security Operations Center recently discovered this simple attack, which needs only limited resources. They found that even attacks with low traffic speed and low packets per second, commonly called a ‘ping flood attack’, were able to halt the operations of their customers.
The BlackNurse attack uses Type 3 ICMP packets with a code of 3. Once the traffic reaches a threshold of 15-18 Mbps, the target firewalls drop a large number of packets and the server behind the device becomes unable to talk to the internet.
In their tests, the researchers found that a single modest laptop was enough to deliver 180 Mbps of BlackNurse traffic. “It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads,” the researchers state.
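A defender-side sketch of how the traffic pattern described above could be spotted in captured packets (an added example, not code from the article or from TDC): it parses IPv4 headers, keeps only ICMP Type 3 Code 3, and flags any destination whose inbound rate in a one-second window reaches the 15 Mbps lower bound cited above. The one-second window, the per-destination grouping, the function names and the sample packets are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

ICMP_PROTO = 1
DEST_UNREACH, PORT_UNREACH = 3, 3   # ICMP type 3, code 3, as named in the article
THRESHOLD_BPS = 15_000_000          # lower bound of the article's 15-18 Mbps range

def icmp_type_code(packet):
    """Return (dst_ip, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or packet[9] != ICMP_PROTO or len(packet) < ihl + 2:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                         # non-first fragment: no ICMP header here
    dst = ".".join(str(b) for b in packet[16:20])
    return dst, packet[ihl], packet[ihl + 1]

def flag_windows(records, threshold_bps=THRESHOLD_BPS):
    """records: (timestamp_seconds, ip_packet_bytes) pairs.
    Returns sorted (window_start, dst_ip, bits_per_second) at or over the threshold."""
    bits = defaultdict(int)
    for ts, pkt in records:
        parsed = icmp_type_code(pkt)
        if parsed and parsed[1:] == (DEST_UNREACH, PORT_UNREACH):
            bits[(int(ts), parsed[0])] += len(pkt) * 8
    return sorted((w, dst, b) for (w, dst), b in bits.items() if b >= threshold_bps)

def sample_packet(icmp_type, icmp_code, dst=(192, 0, 2, 10)):
    """Constructed 56-byte IPv4+ICMP packet for the demo (documentation addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 0, 0, 64, ICMP_PROTO, 0,
                     bytes((198, 51, 100, 7)), bytes(dst))
    return ip + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + bytes(28)

def sample_capture():
    """Constructed capture: one busy second of type 3/code 3, a quiet second,
    and a larger burst of ordinary echo requests that must not be flagged."""
    t33 = sample_packet(3, 3)
    echo = sample_packet(8, 0, dst=(192, 0, 2, 20))
    return ([(100.0 + i / 40000, t33) for i in range(40000)]
            + [(101.5, t33)] * 1000
            + [(100.2, echo)] * 50000)

if __name__ == "__main__":
    for window, dst, bps in flag_windows(sample_capture()):
        print(f"t={window}s dst={dst} type3/code3 rate={bps / 1e6:.2f} Mbps")
```

Counting bits rather than packets matches the way the article expresses the threshold; the echo-request burst in the sample is larger in volume but is ignored because only the type/code pair is counted.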
More details on specific models of affected devices can be found here.
Palo Alto Networks has issued an advisory saying its devices are vulnerable only in very specific scenarios that contravene best practices. Cisco, on the other hand, has refused to consider it a security threat.