BlackNurse DDoS attack can ‘overload firewalls from a laptop’

When it comes to launching successful DDoS attacks, bigger should always be better.

It’s a simple equation: more traffic and more devices generating that traffic equals more chance of knocking a server offline.

Now researchers at Danish firm TDC have documented a type of DDoS attack that uses modest traffic volumes to do the same job, possibly controlled from a single laptop.

Dubbed “BlackNurse”, the technique works by targeting specific models of firewall with rogue ICMP Code 3 port unreachable error messages, overloading their CPUs and causing them to start dropping packets.

The volume of traffic mentioned is between 15 and 18 megabits per second (around 40,000 to 50,000 packets per second), which is modest by DDoS standards and puny next to the 1.2 terabits per second that were reportedly aimed at DNS infrastructure firm Dyn during the recent Mirai botnet attack.

In other words, instead of choking the network with lots of packets, BlackNurse overloads one part of a single device, achieving the same result with far less effort.

The fact that one person might be able to pull off the attacks is alarming, but why firewalls? Aren’t DDoS attacks normally directed at servers?

Firewalls are security systems that typically sit between the internet and your servers to decide whether an individual connection request to a service should be allowed or not.

If it is, such as an HTTP request on to port 80 on your web server, the connection is made. If the packet isn’t permitted, such as an email request to a file server, it is blocked.

In other words, bogging down your firewall has the same effect as bogging down all the web servers behind it, because the packets can’t reach the web servers without going through the firewall first.

As TDS put it:

When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet.

BlackNurse reminds us that any infrastructure can be targeted if the attackers have found the right vulnerability.

TDC scanned Danish internet addresses, finding 1.7 million network devices that responded to ICMP pings, which implies a sizeable target count in that country alone.

BlackNurse reminds us that DDoS attackers are constantly probing for new weaknesses, as well as for old ones defenders have simply forgotten about. Sometimes they find joy in unexpected places.