
BlackNurse DDoS attack can ‘overload firewalls from a laptop’

Low-volume attack can replicate success of much larger incidents

When it comes to launching successful DDoS attacks, bigger should always be better.

It’s a simple equation: more traffic and more devices generating that traffic equals more chance of knocking a server offline.

Now researchers at Danish firm TDC have documented a type of DDoS attack that uses modest traffic volumes to do the same job, possibly controlled from a single laptop.

Dubbed “BlackNurse”, the technique works by targeting specific models of firewall with rogue ICMP Type 3 Code 3 (destination unreachable: port unreachable) error messages, overloading their CPUs and causing them to start dropping packets.

The volume of traffic mentioned is between 15 and 18 megabits per second (around 40,000 to 50,000 packets per second), which is modest by DDoS standards and puny next to the 1.2 terabits per second that were reportedly aimed at DNS infrastructure firm Dyn during the recent Mirai botnet attack.

In other words, instead of choking the network with lots of packets, BlackNurse overloads one part of a single device, achieving the same result with far less effort.
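As an added illustration (not from the article or from TDC's report), the script below replays constructed packet summaries and flags any second in which ICMP Type 3 Code 3 arrivals reach the 40,000 packets-per-second rate the article cites; the record format, the threshold and the addresses are assumptions for the example.

```python
# Added example: a minimal rate detector for a BlackNurse-style burst of
# ICMP Type 3 Code 3 (destination unreachable / port unreachable) messages.
# The "ts,src,proto,type,code" record format is a constructed summary format,
# not a real log format; addresses come from the documentation ranges.
from collections import defaultdict

ICMP_UNREACH, PORT_UNREACH = 3, 3   # ICMP type 3, code 3
PPS_THRESHOLD = 40_000               # lower end of the rate the article cites


def parse_record(line):
    """Parse one constructed record into (ts, src, proto, type, code)."""
    ts, src, proto, typ, code = line.strip().split(",")
    return float(ts), src, proto, int(typ), int(code)


def icmp_unreachable_rate(lines):
    """Return {whole second: count} of ICMP 3/3 packets; other traffic is ignored."""
    per_second = defaultdict(int)
    for line in lines:
        ts, _src, proto, typ, code = parse_record(line)
        if proto == "icmp" and typ == ICMP_UNREACH and code == PORT_UNREACH:
            per_second[int(ts)] += 1
    return dict(per_second)


def detect_blacknurse(lines, threshold=PPS_THRESHOLD):
    """Seconds in which the ICMP 3/3 rate reached the threshold."""
    return sorted(s for s, n in icmp_unreachable_rate(lines).items() if n >= threshold)


def build_sample():
    """Constructed traffic: one quiet second, then one second of a 45,000 pps flood."""
    quiet = [f"{100 + i / 20:.3f},203.0.113.{i % 10},icmp,3,3" for i in range(20)]
    flood = [f"{101 + i / 45000:.6f},198.51.100.7,icmp,3,3" for i in range(45000)]
    echo = [f"{101 + i / 50:.3f},203.0.113.5,icmp,8,0" for i in range(50)]  # not 3/3
    return quiet + flood + echo


if __name__ == "__main__":
    print("flood seconds:", detect_blacknurse(build_sample()))   # [101]
```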

The fact that one person might be able to pull off the attacks is alarming, but why firewalls? Aren’t DDoS attacks normally directed at servers?

Firewalls are security systems that typically sit between the internet and your servers to decide whether an individual connection request to a service should be allowed or not.

If it is allowed, such as an HTTP request to port 80 on your web server, the connection is made. If the packet isn’t permitted, such as an email request to a file server, it is blocked.

In other words, bogging down your firewall has the same effect as bogging down all the web servers behind it, because the packets can’t reach the web servers without going through the firewall first.

As TDC put it:

When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet.

BlackNurse reminds us that any infrastructure can be targeted if the attackers have found the right vulnerability.

TDC scanned Danish internet addresses, finding 1.7 million network devices that responded to ICMP pings, which implies a sizeable target count in that country alone.

BlackNurse reminds us that DDoS attackers are constantly probing for new weaknesses, as well as for old ones defenders have simply forgotten about. Sometimes they find joy in unexpected places.

6 Comments

This seems to be another group trying to cash in on the vulnerability naming memes going around. 40-50k pps is not a minor amount of traffic. In fact, it takes a wired 100mbps ethernet connection to be able to transmit 40-50k pps, while technologies like DOCSIS are only capable of a few hundreds of pps per cable modem. I suspect that WiFi is likely to also fall short of the stated 40-50k pps rate (a nexus phone was mentioned in the pdf).

It’s not news that stateful firewalls are a point of failure and operations that require state are slow. Thus overloading or overwhelming the state table is generally easy. Base model Cisco ASA firewalls are listed with a maximum of 85k pps and only 4k connections per second. SANS seems to agree this is a non-issue and that even affected devices are performing as advertised – https://isc.sans.edu/diary/ICMP%2BUnreachable%2BDoS%2BAttacks%2B(aka%2B%22Black%2BNurse%22)/21699

Bottom line, stick to best common practice and don’t put internet-facing servers behind stateful firewall appliances. Instead, use the OS firewall and/or non-stateful access controls at the server’s internet gateway to enforce network policy.


So you publish this article but don’t bother to mention if any Sophos products are vulnerable.
Which it seems they are.
https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/83475/blacknurse-protection
Someone is asking the questions on your forum, again unanswered….


That question was answered on the forum (when I looked, at least)…as far as I can see the poster’s experience doesn’t seem to be directly down to BlackNurse.

Both our UTM and XG firewall products are Linux-based and use iptables for packet handling… and the guys who announced BlackNurse concede that iptables is not affected.

There’s more here:

https://nakedsecurity.sophos.com/2016/11/17/blacknurse-revisited-what-you-need-to-know/

HtH.


Nice to hear that people are doing research not only in the direction of web applications. Firewalls, that’s our everything))


You mentioned specific models of firewalls, do you have a list of which models?


Sorry, no. And whether a specific product can be bogged down this way almost certainly depends on which model within the range, and where and how it is deployed and set up.

As another commenter pointed out, at least for entry and low-end firewalls, 50,000 packets a second is pushing the envelope a bit anyway, so even if your product has ICMP processing that has been proactively coded to drop time-wasting ICMP traffic as soon as possible (IIRC, the Sophos XG Firewall does exactly that), a single firewall on a single network connection is probably close to clogged up anyway.

It’s like having a small compact car with a tiny engine that was built for economy and pushing it hard on the freeway (where legal, of course :-)…

You might find yourself struggling to hit 130, maybe falling back to 100 on hills if the thing hasn’t been recently maintained. But even in perfect tune, right after a service, with a following wind, a convenient and continuous downhill gradient, and overpressure tyres…you’re still going to max out at, say, 145, and you’ll be acutely conscious that handling and safety are not all they could be at that pace, all things considered. (That’s km/hr. I am allergic to miles.) Nature of the beast, so to speak.

