BlackNurse is the name of a recently discovered network attack that can crash firewalls and routers via ICMP packets, known by most of us as "pings."

The attack came to light after TDC, a company that supplies IT and telecommunications solutions for companies in Denmark, discovered several low-volume DDoS attacks leveraging ICMP traffic against some of its clients.

BlackNurse used in live attacks against Danish companies

TDC engineers, who analyzed the DDoS traffic, said the volume was very small, ranging from 15 to 18 Mbps, which is laughable compared to the 1.1 Tbps DDoS attack recorded against French ISP OVH.

As TDC explained, this was not the problem. The main issue was a steady stream of 40 to 50k ICMP packets that reached the victim's network equipment and kept crashing the device.

In the 90s, when most people connected to the Internet over dial-up, a malicious actor could flood a target with pings and knock the target's home connection offline. This was a network flood that relied on ICMP Type 8 Code 0 packets, aka regular ping traffic.

The BlackNurse attack causes a Denial of Service (DoS) state on the vulnerable equipment itself by overloading the CPU with operations, and works regardless of the user's connection, which can very well be of broadband-level quality.

On the attacker's side, BlackNurse leverages ICMP Type 3 Code 3 packets, which are normally returned to ping sources as a reply when the target's destination port is unreachable.
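Because the bandwidth is small, volume-based alarms can miss this traffic, so a defender may want to watch the packet rate of ICMP Type 3 Code 3 per destination instead. The sketch below is an added example, not code from TDC's report or the published proof-of-concept; the class and function names, the threshold, and the documentation-range addresses are assumptions made for illustration.

```python
import socket
import struct
from collections import defaultdict, deque

def parse_icmp(packet):
    """Return (src, dst, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or packet[9] != 1 or frag_offset or len(packet) < ihl + 2:
        return None                                   # not ICMP, or no ICMP header here
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 1]

class Type3Code3RateMonitor:
    """Sliding-window count of ICMP Type 3 Code 3 packets per destination address."""
    def __init__(self, threshold_pps, window=1.0):
        self.threshold_pps, self.window = threshold_pps, window
        self.arrivals = defaultdict(deque)            # dst -> arrival timestamps

    def observe(self, ts, packet):
        """Record one packet; return True while dst is at or above the threshold."""
        parsed = parse_icmp(packet)
        if parsed is None or parsed[2:] != (3, 3):
            return False                              # e.g. Type 8 Code 0 pings are ignored
        q = self.arrivals[parsed[1]]
        q.append(ts)
        while q[0] <= ts - self.window:               # drop arrivals outside the window
            q.popleft()
        return len(q) >= self.threshold_pps * self.window

def sample_packet(src, dst, icmp_type, icmp_code):
    """Constructed test input: 20-byte IPv4 header + 8-byte ICMP header, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)

def demo(threshold_pps=100):
    """Feed constructed traffic; return the timestamp of the first alert (or None)."""
    mon = Type3Code3RateMonitor(threshold_pps)        # threshold is an assumed value
    ping = sample_packet("198.51.100.7", "192.0.2.10", 8, 0)
    unreach = sample_packet("198.51.100.7", "192.0.2.10", 3, 3)
    for i in range(500):                              # 500 regular pings: never alerts
        assert not mon.observe(i / 1000, ping)
    for i in range(500):                              # Type 3 Code 3 at 1000 packets/s
        if mon.observe(1 + i / 1000, unreach):
            return 1 + i / 1000
    return None
```

In practice the threshold should be set from the device's normal baseline of Type 3 Code 3 traffic, which is usually far below the rates described in this article.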

Some firewalls are vulnerable to BlackNurse floods

The TDC SOC (Security Operations Center) said that tests identified Cisco ASA firewalls (5515 and 5525 with default settings) as being among the vulnerable products. TDC contacted Cisco, which declined to classify the BlackNurse attack as a security issue.

NETRESEC AB, a Swedish independent software vendor (ISV) for networking equipment, claimed in a Reddit post that SonicWall firewalls are also vulnerable, along with some Palo Alto Networks devices.

Frank Denis, a data analysis and security engineer for OVH, has published proof-of-concept code on GitHub that can help network admins test their equipment against BlackNurse attacks.

A technical report and a special website are available for network administrators who are seeking more information on the BlackNurse attack, or who have found new vulnerable devices and want to share their findings with the world.

The good news is that following a BlackNurse attack, once the flood of ICMP packets ends, the device returns to its normal mode of operation, and customer traffic is resumed soon after.