BlackNurse

The BlackNurse attack is a form of denial of service attack based on ICMP flooding. The attack is special because a modest bandwidth of 20 Mbit/s can be effective for disrupting a victim's network.

The attack consists of sending ICMP Destination Unreachable packets to a destination. This works because these packets caused the destination to consume resources at a relatively high rate relative to the traffic.

Discovery
The attack was first discovered by researchers Lenny Hansson and Kenneth Bjerregard Jørgensen at the Security Operations Center of the Danish Telecom operator TDC. The researchers' goal is to protect customers on that telecom network from DDoS attacks and other cyber threats.

The team noted in their release about the attack:

"The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers' operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack."

DOS attacks
Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

Commonly, such an attack is done in a distributed manner, where many clients will send requests to a given server. The sum of all the client's traffic is often enough to overwhelm the destination and cause the service to go offline or become unavailable.

Attack
In the case of the BlackNurse attack, instead of flooding a remote system's internet traffic with superfluous traffic, the attack takes advantage of an imbalance between the resources required to send traffic and the resources required to process it.

Namely, the BlackNurse attacks uses ICMP with Type 3 Code 3 packets. This is a packet that is meant to be sent when a destination's port is unreachable.

Unlike previous attacks using the ICMP protocol--Smurf attack, ping flood, ping of death--BlackNurse does not flood the destination with traffic. Instead, the researchers realized that the "Destination Port Unreachable" packet causes high CPU usage in the firewall that processes it. Using a relatively small bandwidth of 15-18 Mbit/s, an attacker can cause CPU usage to spike in a target firewall, causing that firewall to become unable to process more requests.

Determining vulnerability
To test if your device is vulnerable, you can send the ICMP packet to your network using hping. It is recommended to run these commands from the WAN side of your firewall.


 * hping3 -1 -C 3 -K 3 -i u20
 * hping3 -1 -C 3 -K 3 --flood

While running the test, attempt to use the network normally while watching the CPU usage of the firewall.

Reasons for efficacy
Because of the history of ICMP attacks, many ICMP packets are commonly blocked on firewalls. However some ICMP packets are necessary to allow the network to work properly. Destination port unreachable is one of those packets that is required.

Typically however, an attack will only be effective if the incoming traffic is greater than the bandwidth of the victim machine. In the case of BlackNurse however, the attack takes advantage of the processing logic in many firewalls for handling this traffic.

This attack is important because it leverages a necessary component of internet traffic and because it doesn't require the use of a botnet to execute attacks.

Impact
Due to the low cost for the attack, because low bandwidth connections are common, this attack can be used very effectively. The original researchers at SOC TDC have noted that the attack is currently being used against clients on their own network.

Origins of the name
The attack was named BlackNurse as a joke because two of its principal researchers were a former blacksmith and a former nurse. The media picked up on this name before it could be changed.