BLACKNURSE

it CAN bring you down

Only do testing on firewalls and routers that you own

BlackNurse is a low-bandwidth ICMP attack that is capable of causing denial of service on well-known firewalls.

 

Most ICMP attacks we see are based on ICMP Type 8 Code 0 (Echo Request), also called a ping flood attack.

 

BlackNurse is based on ICMP Type 3 Code 3 packets (Destination Unreachable, Port Unreachable). We know that when ICMP Type 3 Code 3 is allowed in on the outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth.

 

Low bandwidth in this case means around 15-18 Mbit/s, which is enough to reach the volume of packets needed, around 40 to 50K packets per second. It does not matter if the target has a 1 Gbit/s Internet connection; the packet rate, not the link size, is what matters.

 

The impact we see on different firewalls is typically high CPU load. While an attack is ongoing, users on the LAN side can no longer send or receive traffic to or from the Internet. All firewalls we have seen recover when the attack stops.
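The pattern described above gives a defender a simple detection rule: ICMP Type 3 Code 3 arriving at tens of thousands of packets per second is not normal traffic. The following Python script is an added example and is not code from the BlackNurse page or its PoC tool. It parses raw IPv4/ICMP packets (checking the protocol field and skipping non-first fragments, which carry no ICMP header), counts Type 3 Code 3 messages per source address and per second, and reports any bucket above a threshold. The addresses, the 40K packets-per-second threshold and the traffic itself are all constructed for the example; a real sensor would feed it captured frames and tune the threshold to its own baseline.

```python
"""Rate-based detector for the BlackNurse traffic pattern (ICMP Type 3 Code 3 floods).

Added example, not code from the BlackNurse page or its PoC tool. It parses raw
IPv4/ICMP packets, buckets ICMP Destination Unreachable / Port Unreachable
messages per source address and per whole second, and reports any bucket whose
packet count exceeds a threshold. All traffic below is constructed in-process;
the addresses and the threshold are assumptions made for this example.
"""
import socket
import struct
from collections import Counter

IP_PROTO_ICMP = 1
ICMP_DEST_UNREACH = 3       # ICMP type 3: Destination Unreachable
ICMP_PORT_UNREACH = 3       # code 3: Port Unreachable
# The page reports that the attack needs roughly 40-50K packets per second.
# Using 40K as the alert threshold is an assumption for this example; a real
# deployment would tune it far lower, to the site's normal ICMP rate.
PPS_THRESHOLD = 40_000


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, icmp_code: int,
                    payload: bytes = b"\x00" * 8) -> bytes:
    """Build a minimal IPv4 packet carrying one ICMP message (constructed test data).

    A real Type 3 message carries the offending IP header plus 8 bytes of its
    payload; the detector only looks at type and code, so a stub payload is enough.
    """
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                   # version 4, IHL 5 (20-byte header)
        0, 20 + len(icmp),      # DSCP/ECN, total length
        0, 0,                   # identification, flags/fragment offset
        64, IP_PROTO_ICMP, 0,   # TTL, protocol, checksum placeholder
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    header = header[:10] + struct.pack("!H", ones_complement_checksum(header)) + header[12:]
    return header + icmp


def parse_icmp(frame: bytes):
    """Return (src_ip, icmp_type, icmp_code) for an IPv4/ICMP packet, else None.

    Non-first fragments are skipped: they carry no ICMP header, so a counter must
    not misclassify them (or read payload bytes as type/code).
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl + 4 or frame[9] != IP_PROTO_ICMP:
        return None
    fragment_offset = struct.unpack("!H", frame[6:8])[0] & 0x1FFF
    if fragment_offset != 0:
        return None
    src = socket.inet_ntoa(frame[12:16])
    return src, frame[ihl], frame[ihl + 1]


def detect_blacknurse(packets, threshold: int = PPS_THRESHOLD) -> dict:
    """Count Type 3 Code 3 packets per (source, whole second); return buckets above threshold.

    `packets` is an iterable of (timestamp_in_seconds, raw_ipv4_frame) pairs.
    """
    buckets = Counter()
    for ts, frame in packets:
        parsed = parse_icmp(frame)
        if parsed is None:
            continue
        src, icmp_type, icmp_code = parsed
        if icmp_type == ICMP_DEST_UNREACH and icmp_code == ICMP_PORT_UNREACH:
            buckets[(src, int(ts))] += 1
    return {key: n for key, n in buckets.items() if n > threshold}


def constructed_sample():
    """Constructed traffic (not a capture): one source sending 45,000 Type 3 Code 3
    packets inside one second, plus a little ordinary ping and some legitimate
    port-unreachable traffic from other addresses (RFC 5737 documentation ranges)."""
    flood = build_ipv4_icmp("198.51.100.7", "192.0.2.1", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)
    ping = build_ipv4_icmp("203.0.113.9", "192.0.2.1", 8, 0)
    legit = build_ipv4_icmp("203.0.113.20", "192.0.2.1", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)
    pkts = [(i / 45_000, flood) for i in range(45_000)]
    pkts += [(i / 100, ping) for i in range(100)]
    pkts += [(i / 20, legit) for i in range(20)]
    return pkts


if __name__ == "__main__":
    for (src, second), n in detect_blacknurse(constructed_sample()).items():
        print(f"ALERT: {n} ICMP 3/3 packets from {src} in second {second}")
```

Run it directly to see the alert for the constructed flood. Per-source bucketing is only a first cut: a flood spread across many source addresses would stay under a per-source threshold, so the aggregate Type 3 Code 3 rate per WAN interface is the more robust signal, and the CPU load on the firewall itself is the symptom the page describes.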

 

Please provide us with information on firewalls and routers that are affected by BlackNurse. You can send it to info@blacknurse.dk, and we will maintain a list of products on BlackNurse.dk.

 

The best way to test whether your systems are vulnerable is to allow ICMP on the WAN side of your firewall and do some testing with hping3. While the attack is running against the outside WAN interface, try to do some Internet surfing from the inside out. In our tests we used an Ubuntu installation with hping3 installed. To test, you have to be able to reach an outbound Internet speed of at least 15-18 Mbit/s.

Use hping3 with one of the following commands:

 

hping3 -1 -C 3 -K 3 -i u20 <target ip>

hping3 -1 -C 3 -K 3 --flood <target ip>

Based on our tests, we know that a reasonably sized laptop can produce approx. a 180 Mbit/s DoS attack with these commands. We have also made tests using a Nexus 6 mobile phone with NetHunter/Kali, which can only produce 9.5 Mbit/s and therefore cannot single-handedly perform the BlackNurse attack.

 

 

HAPPY TESTING!

 

 

Please read the full report for help mitigating the attack, including detection rules, details of the testing done so far and more useful knowledge.

 

"The attack works at low bandwidth. In our own tests we were able to take down vulnerable systems connected at 100 Mbit and more with an attack volume of 1 Mbit/s, routed through TOR."

 

all-about-security.de

RELEASED

10. November 2016

Discovered by Kenneth B. Jørgensen and Lenny Hansson.

Test, verification and communication led by Lenny Hansson.

Naming, guiding and reviewing by Dennis Rand.

Supporting testing by Bjarne Bachmann.

Analysis of RFC issues by Per Høeg.

 

Special thanks to Erik Hjelmvik from NETRESEC

 

BlackNurse - See more

 

YOUTUBE-TECH_INFORIES

YOUTUBE-DAILY_SECURITY_BITE

YOUTUBE-SECURITY_NOW-go to 02:13:00

 

 

BlackNurse - Read more

 

CERT.EUROPA.EU

IPv6 -TESTING - NICE READING

CERT.DK - IPv6 notice

REDWOLFSECURITY.COM

FORUMS.JUNIPER.NET - (Nice tests!)

SECURITY.RADWARE.COM

NAAVI.ORG

PACKETSTORMSECURITY.COM

MALWARETIPS.COM

TELEGIZ.COM

ZDNET.FR

STOP-HAKERS.ORG

REMOVEMALWAREVIRUS.COM

THETECHNEWS.COM

DOS-MITIGATION.COM

DZONE.COM

THEMERKEL.COM

TECHWEEK.UK.CO

BESTSECURITYSEARCH.COM

DERSTANDARD.AT

SOYLENTNEWS.ORG

THEPAYPERS.COM

CORERO.COM

TECHWORM.NET

ONTHEWIRE.IO

ITWORLDCANADA.COM

THEHILL.COM

NETWORKWORLD.COM

CERT-MU.GOVMU.ORG

BLOG.SONICWALL.COM

NAKEDSECURITY.SOPHOS.COM - GOOOOD READ!

SEARCHSECURITY.TECHTARGET.COM

NAKEDSECURITY.SOPHOS.COM

FORBES.COM

VERSION2.DK

THEHACKERNEWS.COM

THEREGISTER.CO.UK

NSANEFORUMS.COM

DSHILD.ORG

THESTACK.COM

NCSC.NL - WITH ADVISORY

PATRICK GRAY TWEET

YCOMBINATOR.COM

SECURITYWEEK.COM

ARSTECHNICA.COM

SECURITYAFFAIRS.CO

ENGADGET.COM

ALL-ABOUT-SECURITY.DE

REDDIT.COM - PART2

ANSWER FROM PALO ALTO - RESEARCHCENTER.PALOALTONETWORKS.COM

SECURITY.NL

CHINACYBERSAFETY

NETRESEC.COM

REDDIT.COM

GITHUB.COM - POC TOOL

NEWS.YCOMBINATOR.COM

CERT.SE

BLEEPINGCOMPUTER.COM

MAFIASECURITY.COM

HACKPLAYERS.COM

ISC.SANS.EDU

THREATPOST.COM

XAKEP.RU

SECURITY.NL

0800NETZWERK.DE

ICMP ATTACK HISTORY

 

 

Jan 1997 - Ping of death

Type 8 Code 3.

Malformed ping packets larger than 1500 bytes - normal was 65.536 bytes

Result: Crash, Reboot, Hangs and mixed results

 

April 1997 - Ping flooding

Type 8 Code 0

Normal ping packets sent very fast to systems.

You need more bandwidth than the victim.

Result: Consumes enough of the victim's CPU cycles for a user to notice a significant slowdown.

 

We invented firewalls to prevent stuff like this!

 

November 2016 - The BlackNurse Attack

Type 3 Code 3

Send NORMAL Destination Unreachable, Port Unreachable packets fast.

You do NOT need more bandwidth than the victim.

Result: High CPU. Users on the LAN side can't surf the Internet.

LIST OF REPORTED AFFECTED PRODUCTS:

 

SIEMENS RUGGEDCOM RS900 - see information here including answer from vendor

Cisco ASA 5505, 5506, 5510, 5515, 5516, 5525 , 5540, 5545, 5585 (default settings) - TESTRESULTS FROM JAN

Cisco 6500 routers with SUP2T and Netflow v9 on the inbound interface - 100% CPU load

Cisco ASA 5550 (Legacy) and 5515-X (latest generation) - (see detailed test results) (Support forum)

ASA Still surprises - see this result from Gupta Deva!!!!

- and a tool for testing cpu consumption on Cisco from Gupta Deva

Cisco Router 897 - Can be mitigated - The current code from https://www.cymru.com/Documents/secure-ios-template.html will make evil worse.

SonicWall without ICMP flood protection - Misconfiguration can be changed and mitigated (Enable “ICMP Flood Protection”)

SEE BLOG FROM SONICWALL

Some unverified Palo Alto - SEE ANSWER FROM PALO ALTO - SEE UPDATED ANSWER FROM PALO ALTO

Palo Alto 5050 Firewalls with firmware 7.1.4-h2

Zyxel NWA3560-N (Wireless attack from LAN Side)

Zyxel Zywall USG50 - RESPONSE FROM ZYXEL

Fortinet v5.4.1 - One CPU consumed

Fortigate units 60C and 100D (even with drop ICMP on) ADVISORY - FORTINET BLOG

Mikrotik Routerboard 2011UiAS with the firmware 3.24 & RouterOs 6.37.1(latest).

Stormshield firewalls - fix is under development

Peplink Balance 20/30 routers firmware 6.3.3. (latest)

 

NOT AFFECTED:

Secomea Trustgate - homepage

Iptables (Netfilter! - thx Martin ;-)) (even with 480 Mbit/s)

Mikrotik CCR1036-12G-4S firmware 3.27 (250 Mbit/s) and no problem, and RouterOS 5.4 on Mikrotik RB750

OpenBSD 6.0 and current

Windows Firewalls

pfSense

GigaVUE HC-Serie (Gigamon)

AVM Fritz!Box 7360 (common ADSL router in Germany)

Ubiquiti Networks - EdgeRouter Lite CPU 60-70% load but still going

Cisco ISR4321 Router IOS XE - Version 15.5(3)S2, RELEASE SOFTWARE (fc2)

Check Point Security Gateways - Checkpoint response!

Juniper SRX

Fortigate 110C firmware v5.2.9 build 736

Zyxel USG 60

Sophos UTM, Sophos XG (uses iptables)

F-Secure Client Security (Firewall part)

WatchGuard

 

SEND YOUR TESTING RESULTS TO info@blacknurse.dk


Copyright © All Rights Reserved