BlackNurse is a low-bandwidth ICMP attack that is capable of causing denial of service on well-known firewalls.
Most ICMP attacks that we see are based on ICMP Type 8 Code 0, also called a ping flood attack.
BlackNurse is based on ICMP Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth.
Low bandwidth in this case means around 15-18 Mbit/s. That is what is needed to reach the required packet volume of around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection.
The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.
Please provide us with information on firewalls and routers that are affected by BlackNurse - you can send information to firstname.lastname@example.org, and we will maintain a list of products on BlackNurse.dk.
The best way to test whether your systems are vulnerable is to allow ICMP on the WAN side of your firewall and do some testing with hping3. While attacking the outside WAN interface, try to do some Internet surfing from the inside out. In our test we used an Ubuntu installation with hping3 installed. When testing, you have to be able to reach an outbound Internet speed of at least 15-18 Mbit/s.
Use Hping3 with one of the following commands:
hping3 -1 -C 3 -K 3 -i u20 <target ip>
hping3 -1 -C 3 -K 3 --flood <target ip>
Based on our tests, we know that a reasonably sized laptop can produce approx. a 180 Mbit/s DoS attack with these commands. We have also made tests using a Nexus 6 mobile phone with NetHunter/Kali, which can only produce 9.5 Mbit/s and therefore cannot single-handedly perform the BlackNurse attack.
Please read the full report for help with mitigating the attack, including detection rules, details of the testing done so far and more useful knowledge.
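Detection is easier than it sounds, because the attack traffic is one very specific ICMP type/code arriving at a rate no normal sender produces. The following is an added example (not code from BlackNurse.dk or its report): it parses raw IPv4/ICMP frames, counts Type 3 Code 3 packets per source in fixed time windows and flags sources above a threshold. The packets are constructed inline; the 1000 packets-per-window threshold and the 1-second window are assumptions chosen for the demo, not figures from the page.

```python
"""Flag BlackNurse-style bursts of ICMP Type 3 Code 3 (Destination
Unreachable / Port Unreachable) from raw IPv4 frames.  Added example;
sample traffic is constructed, threshold and window are assumptions."""
import struct
from collections import defaultdict

ICMP_PROTO = 1
ICMP_DEST_UNREACH = 3   # ICMP type 3
ICMP_PORT_UNREACH = 3   # ICMP code 3 (the BlackNurse packet)

def parse_icmp(pkt: bytes):
    """Return (src_ip, icmp_type, icmp_code) for an IPv4 ICMP frame, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
    if pkt[9] != ICMP_PROTO or len(pkt) < ihl + 4:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return src, pkt[ihl], pkt[ihl + 1]    # ICMP type and code follow the IP header

def blacknurse_alerts(packets, window=1.0, threshold=1000):
    """packets: iterable of (timestamp_seconds, raw_frame).  Returns the set of
    sources whose Type 3 Code 3 count in any single window reaches threshold."""
    buckets = defaultdict(int)            # (src, window index) -> packet count
    for ts, raw in packets:
        parsed = parse_icmp(raw)
        if parsed is None:
            continue
        src, icmp_type, icmp_code = parsed
        if icmp_type == ICMP_DEST_UNREACH and icmp_code == ICMP_PORT_UNREACH:
            buckets[(src, int(ts // window))] += 1
    return {src for (src, _), n in buckets.items() if n >= threshold}

def build_icmp(src: str, icmp_type: int, icmp_code: int) -> bytes:
    """Construct a minimal 20-byte IPv4 header + 8-byte ICMP header (checksums zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ICMP_PROTO, 0,
                         bytes(int(o) for o in src.split(".")), bytes([198, 51, 100, 1]))
    return ip_hdr + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)

def demo():
    # Constructed traffic: one host sends 1500 Type 3 Code 3 packets within one
    # second (a real attack is ~40-50K pps); another sends five ordinary pings.
    traffic = [(i / 1500, build_icmp("203.0.113.7", 3, 3)) for i in range(1500)]
    traffic += [(i * 0.2, build_icmp("192.0.2.9", 8, 0)) for i in range(5)]
    return blacknurse_alerts(traffic)

if __name__ == "__main__":
    print("sources exceeding threshold:", demo())
```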
"The attack works at low bandwidth; we carried out our own tests and, with 1 Mbit/s of attack volume routed through TOR, were able to knock out vulnerable systems that were connected at 100 Mbit and more"
10. November 2016
Discovered by Kenneth B. Jørgensen and Lenny Hansson.
Test, verification and communication led by Lenny Hansson.
Naming, guiding and reviewing by Dennis Rand.
Supporting testing by Bjarne Bachmann.
Analysis of RFC issues by Per Høeg.
Special thanks to Erik Hjelmvik from NETRESEC.
BlackNurse - See more
YOUTUBE-SECURITY_NOW-go to 02:13:00
BlackNurse - Read more
FORUMS.JUNIPER.NET - (Nice tests!)
NAKEDSECURITY.SOPHOS.COM - GOOOOD READ!
ANSWER FROM PALO ALTO - RESEARCHCENTER.PALOALTONETWORKS.COM
ICMP ATTACK HISTORY
Jan 1997 - Ping of death
Type 8 Code 3.
Malformed ping packets larger than 1500 bytes - Normal was 65.536 bytes
Result: Crash, Reboot, Hangs and mixed results
April 1997 - Ping flooding
Type 8 Code 0
Normal ping packets sent very fast to systems.
You need more bandwidth than the victim.
Result: Consume enough of its CPU cycles for a user to notice a significant slowdown.
We invented firewalls to prevent stuff like this!
November 2016 – The Blacknurse Attack
Type 3 Code 3
Send NORMAL Destination Unreachable, Port Unreachable packets fast.
You do NOT need more bandwidth than the victim.
Result: High CPU. Users from LAN-side can’t surf the Internet.
LIST OF REPORTED AFFECTED PRODUCTS :
SIEMENS RUGGEDCOM RS900 - see information here including answer from vendor
Cisco ASA 5505, 5506, 5510, 5515, 5516, 5525, 5540, 5545, 5585 (default settings) - TEST RESULTS FROM JAN
Cisco 6500 routers with SUP2T and Netflow v9 on the inbound interface - 100% CPU load
Cisco ASA 5550 (Legacy) and 5515-X (latest generation) - (see detailed test results) (Support forum)
ASA Still surprises - see this result from Gupta Deva!!!!
- and a tool for testing cpu consumption on Cisco from Gupta Deva
Cisco Router 897 - Can be mitigated - The current code from https://www.cymru.com/Documents/secure-ios-template.html will make evil worse.
SonicWall without ICMP flood protection - Misconfiguration can be changed and mitigated (Enable “ICMP Flood Protection”)
Some unverified Palo Alto - SEE ANSWER FROM PALO ALTO - SEE UPDATED ANSWER FROM PALO ALTO
Palo Alto 5050 Firewalls with firmware 7.1.4-h2
Zyxel NWA3560-N (Wireless attack from LAN Side)
Zyxel Zywall USG50 - RESPONSE FROM ZYXEL
Fortinet v5.4.1 - One CPU consumed
Fortigate units 60C and 100D (even with drop ICMP on) ADVISORY - FORTINET BLOG
Mikrotik Routerboard 2011UiAS with the firmware 3.24 & RouterOs 6.37.1(latest).
Stormshield firewalls - fix is under development
Peplink Balance 20/30 routers firmware 6.3.3. (latest)
Secomea Trustgate - homepage
Iptables (Netfilter! - thx Martin ;-)) (even with 480 Mbit/s)
Mikrotik CCR1036-12G-4S firmware 3.27 (250 Mbit/s) and no problem && RouterOS 5.4 on Mikrotik RB750
OpenBSD 6.0 and current
GigaVUE HC Series (Gigamon)
AVM Fritz!Box 7360 (common ADSL router in Germany)
Ubiquiti Networks - EdgeRouter Lite CPU 60-70% load but still going
Cisco ISR4321 Router IOS XE - Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
Check Point Security Gateways - Checkpoint response!
Fortigate 110C firmware v5.2.9 build 736
Zyxel USG 60
Sophos UTM, Sophos XG (uses iptables)
F-Secure Client Security (Firewall part)
SEND YOUR TESTING RESULTS TO email@example.com
Copyright @ All Rights Reserved