Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

BlackNurse attack, how to knock big servers offline with a laptop

BlackNurse attack allows to power massive DDoS attacks that are able to knock large servers offline with limited resources. Researchers discovered a simple method, called BlackNurse attack, to power massive DDoS attacks that could allow lone attackers to knock large servers offline with limited resources. “This attack is not based on pure flooding of the internet connection, […]

BlackNurse attack, how to knock big servers offline with a laptop

BlackNurse attack allows to power massive DDoS attacks that are able to knock large servers offline with limited resources.

Researchers discovered a simple method, called BlackNurse attack, to power massive DDoS attacks that could allow lone attackers to knock large servers offline with limited resources.

“This attack is not based on pure flooding of the internet connection, and we have named it ‘BlackNurse’. BlackNurse is not the same as an old ICMP flood attack which is known to send ICMP requests to the target very quickly. BlackNurse is based on ICMP with Type 3 Code 3 packets. ” reads the analysis published by the researchers.

BlackNurse attack DDoS

The BlackNurse attack was devised by researchers from Danish TDC Security Operations Center, it could be effective against servers protected by certain firewalls made by Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel.

“The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.” continues the report.

The BlackNurse attack leverages on the ICMP with Type 3 Code 3 packets that are used by routers and networking equipment to send and receive error messages.

By sending this specific type of ICMP packets attackers can overload the CPUs of certain types of server firewalls.

The researchers noticed that after reaching a threshold of 15 Mbps to 18 Mbps, the network devices drop so many packets that the server will go offline.

The researchers from the TDC SOC explained that the BlackNurse attack could allow a lone attacker with a single laptop to power DDoS attacks peaking of 180 Mbps.

“It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the [local area network] site will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.” reads the analysis of the TDC SOC.

The experts confirmed that in the last two years other 95 DDoS attacks leveraging on the ICMP protocol targeted customers inside the TDC network, but it is not specified how many of them are BlackNurse attacks.

Experts from Netresec who supported the TDC network in the analysis confirmed that attack works against several models of firewalls from major vendors, including Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel.

Devices verified by TDC to be vulnerable to the BlackNurse attack:

  • Cisco ASA 5506, 5515, 5525 (default settings)
  • Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
  • Cisco Router 897 (unless rate-limited)
  • Palo Alto (unverified)
  • SonicWall (if misconfigured)
  • Zyxel NWA3560-N (wireless attack from LAN Side)
  • Zyxel Zywall USG50

The researchers at Netresec.com published a detailed analysis of the BlackNurse attack.

Palo Alto Networks has issued a specific advisory to address this specific DDoS attack.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – BlackNurse attack, DDoS)