Security researchers from the Denmark-based TDC Security Operations Center have dubbed a new attack technique BlackNurse. The BlackNurse attack uses very limited resources to knock large servers offline when they are protected by certain firewalls made by Cisco Systems and other manufacturers. It makes it easier for cyber criminals to mount a simple denial-of-service attack against a website, using as little as 15 megabits, or about 40,000 packets per second, to sever the Internet connection of vulnerable servers.

Imagine what the BlackNurse attack could have done if it had been used in the recent Dyn attack. To put things in perspective, the unknown hackers who brought down the Internet for the entire Mid-West and the Eastern United States on 21st October apparently used IoT botnets and sent useless data packets at 1 Terabyte per second to wreak havoc and knock services like Reddit, Twitter, Spotify, etc. offline. In a blog post published Wednesday, the researchers wrote:

How does BlackNurse use a single laptop to mount a massive DDoS attack

The researchers found that the BlackNurse attack abuses the Internet Control Message Protocol (ICMP), which routers and other networking devices use to send and receive error messages. Since there is no protection or limit on sending or receiving such messages, the BlackNurse attack leverages this by sending a special type of ICMP packet, specifically Type 3 ICMP packets with a code of 3, which the hackers can use to place unwanted load on CPUs and on servers protected by firewalls made by Cisco and other companies.

During their research, they found that after reaching a threshold of 15 Mbps to 18 Mbps, the targeted firewalls drop so many packets that the server is driven offline. Using the same dud ICMP packets, the researchers conducted a BlackNurse attack from a SINGLE LAPTOP, sending just 180 Mbps, and brought down a server.

BlackNurse attack fears

The worrying thing is that the researchers found that the BlackNurse attack was already being used in the wild. They have discovered about 95 such DDoS attacks in the past two years. The report didn’t say whether the ICMP attacks were based on the newly discovered BlackNurse attack or on a previously known ICMP attack that delivers Type 8 packets with a code of 0.
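
The following is an added example, not code from the article or from the researchers it describes. It shows how a defender reviewing captured traffic could tell the two floods mentioned above apart by parsing each IPv4 packet and counting Type 3 Code 3 and Type 8 Code 0 ICMP packets per destination per second. The function names, the sample packets and addresses, and the threshold of 100 packets per second are assumptions chosen for illustration.

```python
import struct
from collections import Counter

UNREACHABLE_PORT = (3, 3)   # ICMP Type 3 Code 3, the BlackNurse packet per the article
ECHO_REQUEST = (8, 0)       # ICMP Type 8 Code 0, the previously known ping flood

def icmp_type_code(ip_packet: bytes):
    """Return (dst_ip, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4          # header length varies with IP options
    if ihl < 20 or ip_packet[9] != 1 or len(ip_packet) < ihl + 2:
        return None                           # protocol number 1 = ICMP
    if struct.unpack("!H", ip_packet[6:8])[0] & 0x1FFF:
        return None                           # later fragments carry no ICMP header
    dst = ".".join(str(b) for b in ip_packet[16:20])
    return dst, ip_packet[ihl], ip_packet[ihl + 1]

def flag_floods(capture, pps_threshold):
    """capture: iterable of (timestamp_seconds, raw_ipv4_bytes).
    Returns {(dst, second, label)} where one ICMP kind exceeded pps_threshold."""
    labels = {UNREACHABLE_PORT: "type3-code3", ECHO_REQUEST: "echo-request"}
    counts = Counter()
    for ts, pkt in capture:
        parsed = icmp_type_code(pkt)
        if parsed is None:
            continue                          # not ICMP, or too short to classify
        dst, icmp_type, icmp_code = parsed
        label = labels.get((icmp_type, icmp_code))
        if label:
            counts[(dst, int(ts), label)] += 1
    return {key for key, n in counts.items() if n > pps_threshold}

def _sample_packet(dst, icmp_type, icmp_code, options=b""):
    """Constructed test input: IPv4 + ICMP header bytes (checksums left zero)."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 28 + len(options), 0, 0,
                     64, 1, 0, bytes([198, 51, 100, 7]),
                     bytes(int(x) for x in dst.split(".")))
    return ip + options + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)

# Constructed capture: a Type 3 Code 3 burst at one address, a few pings at another.
SAMPLE = [(10.0 + i / 1000, _sample_packet("192.0.2.10", 3, 3)) for i in range(500)]
SAMPLE += [(10.5, _sample_packet("192.0.2.20", 8, 0, options=b"\x01\x01\x01\x00"))] * 5
SAMPLE += [(10.2, b"\x45\x00")]              # truncated packet, must be ignored

if __name__ == "__main__":
    print(flag_floods(SAMPLE, pps_threshold=100))
```

In practice the threshold would be set well below the roughly 40,000 packets per second the article cites, so that a build-up is visible before the firewall starts dropping traffic.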

Mitigation against BlackNurse attack

According to researchers from Netresec, a security firm that collaborated with TDC Security on the research, the attack works only against servers using firewalls from Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel. The researchers have listed the specific models that are vulnerable to the BlackNurse attack in this blog post. One of the affected firewall makers, Palo Alto Networks, has issued its own advisory, which reports that company devices are only vulnerable in “very specific, non-default scenarios that contravene best practices.” Cisco, surprisingly, doesn’t consider the BlackNurse attack a security issue, though it has not explained why. The SANS Institute has its own brief write-up of the attack here.