CISOs often worry about high volume distributed denial of service attacks (DDoS) using Webcams and other consumer Internet-connected devices to stall business operations. According to a paper issued by TDC’s security group, the technique, dubbed ‘BlackNurse’, uses type 3 (destination unreachable) code 3 (port unreachable) packets to launch an attack of 40 to 50K packets per second with a traffic speed of 15-18 Mbit per second. Though it is different and slower than a traditional ICMP ping flood attack, it is still effective in overwhelming CPUs on some firewalls trying to process ICMP errors.
This vulnerability or misconfiguration of some firewalls is easy to misuse and impact can be high for those that allow ICMP to the firewall’s outside interface. Therefore, they could be easy targets for the BlackNurse attack. Having high bandwidth is no guarantee that this DoS/DDoS attack will not work. Many firewall implementations handle ICMP in different ways, and different vendors can be subject to attacks.
The report says some models of Cisco Systems’ ASA firewalls are vulnerable. TDC security researchers have created a SNORT rule for intrusion detection/prevention devices in their report to detect the attack, although the default timing may have to be adjusted to what is normal for each organization’s firewall.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now