Low-Bandwidth “BlackNurse” DDoS Attacks Can Disrupt Firewalls

Researchers warn that certain types of low bandwidth distributed denial-of-service (DDoS) attacks can cause some widely used enterprise firewalls to enter a temporary DoS condition.

While analyzing DDoS attacks aimed at their customers, experts at the security operations center of Danish telecom operator TDC noticed that some attacks based on the Internet Control Message Protocol (ICMP) can cause serious disruptions even over low bandwidths.

ICMP attacks, also known as ping flood attacks, are highly common, but they typically rely on Type 8 Code 0 packets. The attacks that caught TDC’s attention are based on ICMP Type 3 Code 3 packets.

The attacks, dubbed by the company “BlackNurse,” can be highly effective even at bandwidths as low as 15-18 Mbps and they can cause disruptions to firewalls even if the victim has an Internet connection of 1 Gbps.

“The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send /receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops,” TDC explained in a report detailing BlackNurse attacks.

“We know that a small number (1 to many) of internet connections with uplink speed of around 15-18 Mbit/s can keep large companies or organisations under DoS / DDoS until they mitigate the attack,” it added.

Experts pointed out that this type of attack has been around for more than 20 years, but they believe organizations are not sufficiently aware of the risks. A scan of the Danish IP address space revealed that there were over 1.7 million devices responding to ICMP pings, which means these attacks can have a significant impact.

Researchers have so far confirmed that BlackNurse attacks work against Cisco ASA and SonicWall firewalls, but they likely also affect products from Palo Alto Networks and other vendors. The Iptables firewall utility for Linux, MikroTik products and OpenBSD are not affected.

While in some cases attacks might be possible due to a vulnerability in the firewall, some vendors blamed a configuration problem. Detection rules and proof-of-concept (PoC) code have been made available to allow users to identify attacks and test their equipment.

SecurityWeek has reached out to affected vendors, including Cisco, Palo Alto Networks and SonicWall, for comment.

Palo Alto Networks has published a blog post saying that its customers are only affected in “very specific, non-default scenarios that contravene best practices.” 

SonicWall is listed in the affected products section on the BlackNurse website, with the mention that attacks are possible when the firewall is misconfigured. SonicWall told SecurityWeek that it has been in touch with TDC. The vendor’s testing showed that its firewalls are not vulnerable with normal ICMP flood protection on.

Cisco was notified about these attacks in June, but TDC said the company decided not to classify the issue as a security flaw.

“Cisco is aware of a new Denial-of-Service (DOS) type of attack that may target firewalls, including select Cisco ASA devices. This issue is not vendor-specific, and the attack does not exploit a security vulnerability. In the event of an attack, the mentioned ASA devices continue to enforce the configured security policy, and there is not a compromise,” Cisco said in a statement sent to SecurityWeek. 

“Cisco’s approach to security begins when a product is conceived and continues all the way through its deployment. For the select ASA firewalls noted in this study, protection against DOS threats is multi-layered, and we work with our customers to ensure the DOS security is accounted for further upstream in the network as a best practice,” the company added.

In the case of Cisco ASA firewalls, TDC recommends denying ICMP Type 3 messages sent to the product’s WAN interface or upgrading to more high-end ASA firewalls that have multiple CPU cores as BlackNurse attacks are not as effective against these types of systems. Attacks can also be mitigated using professional anti-DDoS services.

*Updated with clarifications from SonicWall, Palo Alto Networks and a statement from Cisco