
The BlackNurse attack is a form of denial-of-service (DoS) attack based on ICMP flooding. It is notable because a modest bandwidth of roughly 15 to 20 Mbit/s is enough to disrupt a victim's network. The attack consists of sending ICMP Destination Unreachable packets to a target. It works because the firewall that receives these packets spends a disproportionate amount of CPU time processing each one, so the processing cost grows far faster than the bandwidth the traffic consumes.


Discovery

The attack was first discovered by researchers Lenny Hansson and Kenneth Bjerregard Jørgensen at the Security Operations Center (SOC) of the Danish telecom operator TDC. The SOC's role is to protect customers on that telecom network from distributed denial-of-service (DDoS) attacks and other cyber threats. The team noted in their release about the attack:
The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers' operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.


DoS attacks

Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload it and prevent some or all legitimate requests from being fulfilled. Commonly, such an attack is carried out in a distributed manner, with many clients sending requests to a single server. The sum of all the clients' traffic is often enough to overwhelm the destination and cause the service to go offline or become unavailable.


Attack

In the case of the BlackNurse attack, instead of saturating the remote system's internet link with superfluous traffic, the attack takes advantage of an imbalance between the resources required to send traffic and the resources required to process it. Specifically, BlackNurse uses ICMP Type 3 (Destination Unreachable), Code 3 (Port Unreachable) packets. This is the message a host or router sends back when a datagram arrives for a port with no listener. Unlike previous attacks using the ICMP protocol (the Smurf attack, ping flood, and ping of death), BlackNurse does not rely on flooding the destination with volume. Instead, the researchers observed that processing "Destination Port Unreachable" packets drives up CPU usage in the firewall that inspects them. Using a relatively small bandwidth of 15 to 18 Mbit/s, an attacker can push the CPU of a vulnerable firewall to saturation, at which point the firewall can no longer process further traffic and the hosts behind it lose connectivity.


Determining vulnerability

To test whether your firewall is vulnerable, send the ICMP packets at it using hping, an open-source packet generator and analyzer for TCP/IP created by Salvatore Sanfilippo (antirez) that is widely used for auditing firewalls and networks. It is recommended to run these commands from the WAN side of the firewall, against its external address (hping3 requires the target host as its final argument; <target> below is a placeholder for that address):

    hping3 -1 -C 3 -K 3 -i u20 <target>
    hping3 -1 -C 3 -K 3 --flood <target>

Here -1 selects ICMP mode, -C 3 sets the ICMP type to 3 (Destination Unreachable), -K 3 sets the ICMP code to 3 (Port Unreachable), -i u20 sends one packet every 20 microseconds, and --flood sends packets as fast as the host can emit them. While the test is running, attempt to use the network normally and watch the CPU usage of the firewall: a vulnerable device shows a sharp rise in CPU load and stops passing traffic, even though the test consumes only a small fraction of the uplink.


Reasons for efficacy

Because of the history of ICMP attacks (the Smurf attack, ping flood, and ping of death), many ICMP message types are commonly blocked on firewalls. However, some ICMP messages are necessary for the network to work properly, and Destination Port Unreachable is one of them: UDP clients and tools such as traceroute depend on receiving it. Typically, a flooding attack is only effective if the incoming traffic exceeds the bandwidth available to the victim. BlackNurse, by contrast, takes advantage of the processing logic that many firewalls apply when handling this message type. The attack is significant because it leverages a message that networks need to accept and because it does not require a botnet (a group of Internet-connected devices, each running one or more bots, that attackers use to launch DDoS attacks, steal data, and send spam) to execute: a single host on a modest link suffices.
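The practical consequence is that Destination Unreachable cannot simply be dropped; it has to be rate-limited so that a trickle of legitimate errors still passes while a flood is throttled. As an added example, not code from the TDC researchers or from any firewall vendor, the following Python detects a flood by counting Type 3 Code 3 packets per source in a sliding window and applies a per-source token bucket of the kind a firewall rule can express. The traffic records, thresholds and helper names are constructed assumptions.

```python
"""Rate-based detection of a BlackNurse flood, plus a per-source token bucket
that lets legitimate Destination Unreachable messages through.  Added example,
not the researchers' or any vendor's code.  The traffic records, threshold and
bucket parameters below are constructed assumptions for illustration."""
from collections import defaultdict, deque

# Each record is (timestamp_seconds, source_ip, icmp_type, icmp_code).


def detect_flood(records, pps_threshold=1000, window=1.0):
    """Return the set of source IPs that sent more than pps_threshold * window
    Type 3 / Code 3 packets inside any sliding window of `window` seconds.
    Other ICMP types are ignored, since the attack uses only this message."""
    per_src = defaultdict(deque)
    offenders = set()
    for ts, src, itype, icode in records:
        if (itype, icode) != (3, 3):
            continue
        q = per_src[src]
        q.append(ts)
        while q and ts - q[0] > window:     # expire packets older than the window
            q.popleft()
        if len(q) > pps_threshold * window:
            offenders.add(src)
    return offenders


class TokenBucket:
    """Per-source token bucket: `rate` packets/s sustained, `burst` at most."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, ts):
        if self.last is None:
            self.last = ts
        self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def rate_limit(records, rate=50, burst=100):
    """Apply a per-source token bucket to Type 3 / Code 3 only; every other
    ICMP message passes untouched.  Returns (passed, dropped) counts per source."""
    buckets = {}
    passed, dropped = defaultdict(int), defaultdict(int)
    for ts, src, itype, icode in records:
        if (itype, icode) != (3, 3):
            passed[src] += 1
            continue
        bucket = buckets.setdefault(src, TokenBucket(rate, burst))
        if bucket.allow(ts):
            passed[src] += 1
        else:
            dropped[src] += 1
    return dict(passed), dict(dropped)


def sample_records():
    """Constructed traffic: one attacker at about 50,000 pps for 2 seconds
    (the order of magnitude the discoverers reported), one legitimate router
    sending five port-unreachable errors, and one echo reply."""
    recs = [(i / 50_000.0, "203.0.113.7", 3, 3) for i in range(100_000)]  # attacker
    recs += [(0.3 * i, "198.51.100.1", 3, 3) for i in range(5)]           # legitimate errors
    recs.append((1.0, "198.51.100.1", 0, 0))                               # echo reply
    recs.sort(key=lambda r: r[0])
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print("flooding sources:", detect_flood(recs))
    passed, dropped = rate_limit(recs)
    print("passed:", passed)
    print("dropped:", dropped)
```

With the sample traffic the attacker is flagged within the first few hundred packets, and the bucket passes only its initial burst plus the sustained rate (roughly 200 packets over the two seconds) while dropping the rest, whereas all of the legitimate router's messages are delivered. The right rate and burst depend on the firewall's measured per-packet cost; the point of the example is that the limit is applied per source and per message type rather than as a blanket ICMP block.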


Impact

Because the attack is cheap, requiring only the kind of low-bandwidth connection that is widely available, it can be used very effectively. The original researchers at TDC's SOC noted that, at the time of their report, the attack was being used against customers on their own network.


Origins of the name

The attack was named BlackNurse as a joke because two of its principal researchers were a former blacksmith and a former nurse. The media picked up on this name before it could be changed.

