HOME

TheInfoList



Click Here for Items Related To - BlackNurse (Computer Security)
OR:
BlackNurse (Computer Security) on:   [Wikipedia]   [Google]   [Amazon]

The BlackNurse attack is a form of
denial of service In computing, a denial-of-service attack (DoS attack) is a cyberattack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host co ...
attack based on ICMP flooding. The attack is special because a modest bandwidth of 20 Mbit/s can be effective for disrupting a victim's network. The attack consists of sending ICMP Destination Unreachable packets to a destination. This works because these packets caused the destination to consume resources at a relatively high rate relative to the traffic.


Discovery

The attack was first discovered by researchers Lenny Hansson and Kenneth Bjerregard Jørgensen at the Security Operations Center of the Danish Telecom operator TDC. The researchers' goal is to protect customers on that telecom network from
DDoS In computing, a denial-of-service attack (DoS attack) is a cyberattack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host co ...
attacks and other cyber threats. The team noted in their release about the attack:
The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers' operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.


DOS attacks

Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. Commonly, such an attack is done in a distributed manner, where many clients will send requests to a given server. The sum of all the client's traffic is often enough to overwhelm the destination and cause the service to go offline or become unavailable.


Attack

In the case of the BlackNurse attack, instead of flooding a remote system's internet traffic with superfluous traffic, the attack takes advantage of an imbalance between the resources required to send traffic and the resources required to process it. Namely, the BlackNurse attacks uses ICMP with Type 3 Code 3 packets. This is a packet that is meant to be sent when a destination's port is unreachable. Unlike previous attacks using the ICMP protocol-- Smurf attack, ping flood,
ping of death A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. In this attack, a host sends hundreds of ping requests with a packet size that is large or illegal to another ho ...
--BlackNurse does not flood the destination with traffic. Instead, the researchers realized that the "Destination Port Unreachable" packet causes high CPU usage in the
firewall Firewall may refer to: * Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts * Firewall (construction), a barrier inside a building, designed to limit the spre ...
that processes it. Using a relatively small bandwidth of 15-18 Mbit/s, an attacker can cause CPU usage to spike in a target firewall, causing that firewall to become unable to process more requests.


Determining vulnerability

To test if your device is vulnerable, you can send the ICMP packet to your network using
hping hping is an open-source packet generator and analyzer for the TCP/IP protocol created by Salvatore Sanfilippo (also known as Antirez). It is one of the common tools used for security auditing and testing of firewalls and networks, and was used ...
. It is recommended to run these commands from the WAN side of your firewall. * hping3 -1 -C 3 -K 3 -i u20 * hping3 -1 -C 3 -K 3 --flood While running the test, attempt to use the network normally while watching the CPU usage of the firewall.


Reasons for efficacy

Because of the history of ICMP attacks, many ICMP packets are commonly blocked on firewalls. However some ICMP packets are necessary to allow the network to work properly. Destination port unreachable is one of those packets that is required. Typically however, an attack will only be effective if the incoming traffic is greater than the bandwidth of the victim machine. In the case of BlackNurse however, the attack takes advantage of the processing logic in many firewalls for handling this traffic. This attack is important because it leverages a necessary component of internet traffic and because it doesn't require the use of a
botnet A botnet is a group of Internet-connected devices, each of which runs one or more Internet bot, bots. Botnets can be used to perform distributed denial-of-service attack, distributed denial-of-service (DDoS) attacks, steal data, send Spamming, sp ...
to execute attacks.


Impact

Due to the low cost for the attack, because low bandwidth connections are common, this attack can be used very effectively. The original researchers at SOC TDC have noted that the attack is currently being used against clients on their own network.


Origins of the name

The attack was named BlackNurse as a joke because two of its principal researchers were a former blacksmith and a former nurse. The media picked up on this name before it could be changed.


References


External links


Official website

List of vulnerable devices
{{Hacking in the 2010s 2016 in computing Denial-of-service attacks Internet security