A new DDoS attack method called BlackNurse has been discovered by security researchers, which allows hackers to launch large-scale attacks with less effort than is required for traditional DDoS attacks. BlackNurse also provides attackers with the ability to take down severs and firewalls with just a single laptop.
According to researchers at TDC SOC (Security Operations Centre of the Danish telecom operator TDC), BlackNurse leverages low-volume ICMP (Internet Control Message Protocol)-based attacks to launch attacks capable of overloading firewalls and shutting them down. BlackNurse targets vulnerable firewalls made by Cisco, PaloAlto and others, in a "ping flood attack" reminiscent of those popular in the 1990s.
TDC researchers said: "The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers' operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.
"Based on our test, we know that a reasonable sized laptop can produce approx a 180 Mbit/s DoS attack with these commands."
Researchers at security firm Netresec, clarified how and why the new technique was dubbed BlackNurse, which according to the firm has caused "some confusion/amusement/discussion". Netresec also cautioned about googling the term, which they claimed "might not be 100% safe-for-work, since you risk getting search results with inappropriate videos that have nothing to do with this attack".
Netresec said: "The term 'BlackNurse', which has been used within the TDC SOC for some time to denote the 'ICMP 3,3' attack, is actually referring to the two guys at the SOC who noticed how surprisingly effective this attack was. One of these guys is a former blacksmith and the other a nurse, which was why a colleague of theirs jokingly came up with the name 'BlackNurse'. However, although it was first intended as a joke, the team decided to call the attack 'BlackNurse' even when going public about it."
How does BlackNurse work?
DDoS attacks ideally require a large volume of traffic to successfully cripple targets. Traditionally, large-scale attacks involve hoards of devices and numerous IP addresses working collectively to bombard a targeted server with massive volumes of traffic, in efforts to stop it from functioning. However, BlackNurse does not need an army of compromised devices; neither does it require high volumes of traffic. Instead, BlackNurse issues out low volume ICMP error messages to servers and firewalls, which can fairly easily overload the main processors, rendering them useless.
ESET security researcher Mark James told IBTimes UK: "BlackNurse uses ICMP flooding to achieve its goal. ICMP is also known as Ping and is predominantly used to test the connectivity between two computers. An ICMP (ping) echo request is sent from one machine and awaits an ICMP echo reply from the receiving machine.
"The time of the round trip is measured which would normally indicate how good the connection route is based on errors and or packet loss. If you take that same technology and send lots of requests without waiting for any replies, it's possible to overload the destination server. It works two-fold, as often the receiving server will attempt to reply to the incoming requests and try to send replies thus increasing its activity and helping the initial attack. Also BlackNurse uses a different technique that is slower than traditional ICMP flood attacks utilising some firewall vulnerabilities or misconfiguration."
Mitigation for such an attack is possible. "Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack quite easily," the TDC researchers said. "This is the best mitigation we know of so far."