BlackNurse DDoS attack resistant to some firewalls

Tuesday 15 November 2016 11:53 CET | News

The security operations centre of TDC Group, Denmark’s main telecom provider, has cautioned that some firewalls can be overwhelmed by a new variant of an Internet Control Message Protocol (ICMP) attack.

CISOs often worry about high-volume distributed denial of service (DDoS) attacks that use webcams and other consumer Internet-connected devices to stall business operations. According to a paper issued by TDC’s security group, the technique, dubbed ‘BlackNurse’, uses ICMP type 3 (destination unreachable) code 3 (port unreachable) packets to launch an attack of 40 to 50K packets per second with a traffic speed of 15-18 Mbit per second. Though it is different from, and slower than, a traditional ICMP ping flood attack, it is still effective in overwhelming the CPUs of some firewalls as they try to process the ICMP errors.

This vulnerability or misconfiguration of some firewalls is easy to misuse, and the impact can be high for organizations that allow ICMP to the firewall’s outside interface, which makes them easy targets for the BlackNurse attack. Having high bandwidth is no guarantee that this DoS/DDoS attack will not work. Firewall implementations handle ICMP in different ways, and products from different vendors can be subject to the attack.

The report says some models of Cisco Systems’ ASA firewalls are vulnerable. TDC security researchers have included in their report a Snort rule for intrusion detection/prevention devices to detect the attack, although the default timing may have to be adjusted to what is normal for each organization’s firewall.
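
One way to flag this traffic pattern by rate, as an added Python example (it is not TDC's Snort rule or code from the report). The packet record layout, the 250 packets-per-second threshold and the documentation-range addresses are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict, deque

DEST_UNREACH, PORT_UNREACH = 3, 3   # ICMP type 3, code 3
FIREWALL = "203.0.113.1"            # assumed outside interface (documentation range)

def detect_blacknurse(packets, threshold_pps=250, window=1.0):
    """Flag destinations receiving ICMP type 3 code 3 above threshold_pps.

    packets: (timestamp, src, dst, icmp_type, icmp_code) tuples sorted by
    timestamp. threshold_pps is an assumed default; tune it to the
    firewall's normal rate of ICMP errors.
    """
    limit = threshold_pps * window
    recent = defaultdict(deque)     # dst -> timestamps inside the window
    alerts = {}
    for ts, src, dst, icmp_type, icmp_code in packets:
        if (icmp_type, icmp_code) != (DEST_UNREACH, PORT_UNREACH):
            continue                # echo floods etc. need their own rule
        q = recent[dst]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps older than the window
            q.popleft()
        if len(q) > limit:
            a = alerts.setdefault(dst, {"dst": dst, "first_seen": q[0],
                                        "peak_pps": 0.0, "sources": set()})
            a["peak_pps"] = max(a["peak_pps"], len(q) / window)
            a["sources"].add(src)   # sources seen while over threshold
    return list(alerts.values())

def build_sample():
    """Constructed traffic: quiet baseline, an echo burst, then the flood."""
    pkts = [(i * 0.05, "198.51.100.7", FIREWALL, 3, 3) for i in range(100)]
    pkts += [(5.0 + i / 5000, "198.51.100.9", FIREWALL, 8, 0)
             for i in range(5000)]  # echo requests: different type, ignored
    pkts += [(6.0 + i / 40000, f"192.0.2.{1 + i % 2}", FIREWALL, 3, 3)
             for i in range(40000)]  # 40K pps of type 3 code 3
    return pkts

if __name__ == "__main__":
    for alert in detect_blacknurse(build_sample()):
        print(alert["dst"], alert["first_seen"], alert["peak_pps"],
              sorted(alert["sources"]))
```

The 20 packets-per-second baseline and the echo-request burst stay below the alert path; only the type 3 code 3 flood toward the firewall address is reported.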


Keywords: TDC Group, Denmark, online security, online fraud, fraud prevention, card fraud prevention, payment fraud, digital identity, DDoS
Categories: Fraud & Financial Crime
Countries: World