
From Wikipedia, the free encyclopedia

The BlackNurse attack is a form of denial-of-service attack based on ICMP flooding. It is notable because a modest bandwidth of 20 Mbit/s can be enough to disrupt a victim's network.[1]

The attack consists of sending ICMP Destination Unreachable packets to a destination. It works because these packets cause the destination to consume resources at a high rate relative to the amount of traffic.[2]

Discovery

The attack was first discovered by researchers Lenny Hansson and Kenneth Bjerregard Jørgensen at the Security Operations Center of the Danish Telecom operator TDC. The researchers' goal is to protect customers on that telecom network from DDoS attacks and other cyber threats.[3]

The team noted in their release about the attack:

The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers' operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.[3]

DoS attacks

Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

Commonly, such an attack is done in a distributed manner, where many clients send requests to a given server. The sum of all the clients' traffic is often enough to overwhelm the destination and cause the service to go offline or become unavailable.

Attack

In the case of the BlackNurse attack, instead of flooding a remote system with superfluous traffic, the attack takes advantage of an imbalance between the resources required to send traffic and the resources required to process it.[citation needed]

Namely, the BlackNurse attack uses ICMP Type 3 Code 3 packets.[4]

This is a packet that is meant to be sent when a destination's port is unreachable.[5]

Unlike previous attacks using the ICMP protocol (Smurf attack, ping flood, ping of death), BlackNurse does not flood the destination with traffic. Instead, the researchers realized that the "Destination Port Unreachable" packet causes high CPU usage in the firewall that processes it.[3] Using a relatively small bandwidth of 15-18 Mbit/s, an attacker can cause CPU usage to spike in a target firewall, leaving that firewall unable to process more requests.
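
An added detection sketch for the traffic pattern described above (not part of the original article): it parses raw IPv4 packets, picks out ICMP Type 3 Code 3, and reports the seconds in which their inbound count exceeds a threshold. The threshold, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import Counter

ICMP_PROTO = 1
DEST_UNREACH, PORT_UNREACH = 3, 3  # ICMP Type 3 Code 3 (RFC 792)

def classify(packet: bytes):
    """Return (src_ip, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes (options allowed)
    if ihl < 20 or packet[9] != ICMP_PROTO or len(packet) < ihl + 8:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None  # non-first fragment carries no ICMP header
    src = ".".join(str(b) for b in packet[12:16])
    return src, packet[ihl], packet[ihl + 1]

def port_unreachable_rate(records, threshold_pps):
    """records: iterable of (timestamp_seconds, raw_ipv4_packet).
    Returns {second: count} for each second whose Type 3 Code 3 count
    exceeds threshold_pps (a site-specific tuning value, assumed here)."""
    per_second = Counter()
    for ts, pkt in records:
        info = classify(pkt)
        if info and info[1:] == (DEST_UNREACH, PORT_UNREACH):
            per_second[int(ts)] += 1
    return {sec: n for sec, n in per_second.items() if n > threshold_pps}

def _sample(src, icmp_type, icmp_code):
    """Constructed record: 20-byte IPv4 header + 8-byte ICMP header, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ICMP_PROTO, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 1]))
    return ip + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)

# Constructed capture: a burst of port-unreachable messages in one second,
# followed by a stray port-unreachable and an echo request in the next.
SAMPLE = ([(100.0 + i / 1000, _sample("198.51.100.7", 3, 3)) for i in range(500)]
          + [(101.2, _sample("203.0.113.9", 3, 3)),
             (101.5, _sample("203.0.113.9", 8, 0))])

if __name__ == "__main__":
    print(port_unreachable_rate(SAMPLE, threshold_pps=100))
```

Because the attack is defined by packet type rather than volume, counting Type 3 Code 3 separately from total ICMP is what makes a low-bandwidth burst visible.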

Determining vulnerability

To test if your device is vulnerable, you can send the ICMP packet to your network using hping. It is recommended to run these commands from the WAN side of your firewall.

  • hping3 -1 -C 3 -K 3 -i u20 <target ip>
  • hping3 -1 -C 3 -K 3 --flood <target ip>

While running the test, attempt to use the network normally while watching the CPU usage of the firewall.

Reasons for efficacy

Because of the history of ICMP attacks, many ICMP packets are commonly blocked on firewalls. However, some ICMP packets are necessary to allow the network to work properly. Destination port unreachable is one of the packets that is required.[6][7]

Typically, an attack will only be effective if the incoming traffic is greater than the bandwidth of the victim machine. In the case of BlackNurse, however, the attack takes advantage of the processing logic in many firewalls for handling this traffic.

This attack is important because it leverages a necessary component of internet traffic and because it doesn't require the use of a botnet to execute attacks.

Impact

Because low-bandwidth connections are common, the attack is cheap to carry out and can be used very effectively. The original researchers at SOC TDC have noted that the attack is currently being used against clients on their own network.

Origins of the name

The attack was named BlackNurse as a joke because two of its principal researchers were a former blacksmith and a former nurse. The media picked up on this name before it could be changed.[2]

References

  1. "Firewalls snuffed by 'BlackNurse' Ping of Death attack • The Register". The Register. Retrieved 3 July 2017.
  2. Erik Hjelmvik (2016-11-10). "BlackNurse Denial of Service Attack - NETRESEC Blog". Netresec.com. Retrieved 2017-07-06.
  3. "The BlackNurse Attack" (PDF). Soc.tdc.dk. Retrieved 2017-07-06.
  4. "Low-Bandwidth "BlackNurse" DDoS Attacks Can Disrupt Firewalls". Security Week. Retrieved 3 July 2017.
  5. Postel, J. (September 1981). "RFC 792 - Internet Control Message Protocol". Tools.ietf.org. doi:10.17487/RFC0792. Retrieved 2017-07-06.
  6. Baker, Fred (June 1995). "RFC 1812 - Requirements for IP Version 4 Routers". Tools.ietf.org. Retrieved 2017-07-06.
  7. Braden, Robert T. (October 1989). Braden, R (ed.). "RFC 1122 - Requirements for Internet Hosts - Communication Layers". Tools.ietf.org. doi:10.17487/RFC1122. Retrieved 2017-07-06.

This page was last edited on 27 July 2023, at 03:14
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.