
How One Laptop Could Jam Enterprise Firewalls

Danish Telecom Company Says BlackNurse DDoS Attack Can Easily Be Repelled

Enterprise firewalls from major vendors could be jammed by a type of distributed denial-of-service attack that could be launched from a single laptop, says TDC Group, one of Denmark's largest telecommunications companies. Luckily, the attack doesn't rely on a software vulnerability and can be blunted by configuration changes.


The attack, which TDC has dubbed BlackNurse, is powerful because it does not rely on sending enormous volumes of junk data traffic but rather a select stream of data packets that are computationally intensive for firewalls to process.

Even though the number of data packets per second is low, "this attack could keep our customers' operations down," TDC Group writes in a technical paper. "This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack."

Over the last two years, TDC Group saw 95 such attacks targeted against its customers.

ICMP Packets

Several recent massive DDoS attacks have relied on masses of internet-connected devices, such as digital video recorders with poor security controls. Those devices, which often have default passwords, are easy to infect with malware that can be remotely commanded to attack other services.

These botnets have generated record levels of attack traffic that have been difficult to counter. In October, web users found it difficult to reach services, including Spotify and Twitter, after a DDoS attack against Dyn, a networking company that provides Domain Name System management services (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).

In contrast, TDC Group says the BlackNurse attack doesn't rely on crushing volumes of traffic. Instead, the attack sends Internet Control Message Protocol data packets. ICMP is used for "ping," a diagnostic test to detect whether another host is available. This attack is different from an ICMP flood, where an attacker tries to take down a server by sending many pings.

BlackNurse is executed with ICMP Type 3 Code 3 packets, TDC Group says. If a firewall responds to that type of traffic, it doesn't require much bandwidth from the attacking machine. Fewer than 50,000 packets per second is enough to hamper a vulnerable firewall.

"The impact we see on different firewalls is typically high CPU loads," TDC Group writes. "When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops."

It's unclear why firewalls in certain configurations have trouble with these packets. Johannes Ullrich, the dean of research at the SANS Technology Institute, says that the firewalls could be trying to perform stateful analysis of the packets.

"ICMP unreachable packets include as payload the first few bytes of the packet that caused the error," Ullrich writes in a blog post. "A firewall can use this payload to determine if the error is caused by a legit packet that left the network in the past. This analysis can take significant resources."

In its testing, TDC Group finds that a reasonably sized laptop could generate 180 megabits per second attacks. It also tried an attack using a Google Nexus 6 mobile phone, which could only generate 9 Mbps and "therefore cannot single-handedly perform the BlackNurse attack."


Firewalls that have only one CPU would appear to be more vulnerable than those with two or more. Keeping logging on means a greater chance that a firewall under attack will run out of steam, TDC Group writes. Having plenty of available bandwidth doesn't reduce the attack's effectiveness, either.

"Many firewall implementations handle ICMP in different ways and different vendors can be subject to attacks," the company writes. "Distributed attacks from larger botnets can be a major problem because botnets which are located on low bandwidth uplinks can come into play."

The best mitigation is to only allow other trusted machines to send ICMP packets. TDC Group recommends disabling ICMP Type 3 Code 3 traffic on WAN interfaces.
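Before restricting ICMP on a WAN interface, it helps to know how much inbound Type 3 Code 3 traffic is unsolicited. The following is an added example, not code from TDC Group, SANS or this article: it applies the check Ullrich describes, reading the original packet quoted inside each ICMP unreachable message and counting, per source, those that match no flow the network actually sent. The flow-table format, function names and addresses are assumptions, and the sample packets are constructed.

```python
import socket
import struct
from collections import Counter

def parse_unreachable(pkt):
    """Return (outer_src, embedded_flow) for ICMP Type 3 Code 3, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:          # not ICMP, or truncated
        return None
    if (pkt[ihl], pkt[ihl + 1]) != (3, 3):         # ICMP type, code
        return None
    outer_src = socket.inet_ntoa(pkt[12:16])
    inner = pkt[ihl + 8:]                          # quoted IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if inner_ihl < 20 or len(inner) < inner_ihl + 4:
        return outer_src, None                     # nothing usable was quoted
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return outer_src, (socket.inet_ntoa(inner[12:16]), sport,
                       socket.inet_ntoa(inner[16:20]), dport, inner[9])

def unsolicited_by_source(packets, outbound_flows):
    """Count Type 3 Code 3 packets whose quoted flow never left the network."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_unreachable(pkt)
        if parsed and parsed[1] not in outbound_flows:
            counts[parsed[0]] += 1
    return counts

def fixture_ip(src, dst, proto, payload):
    # Constructed fixture: minimal IPv4 header, checksum left at zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def fixture_unreachable(reporter, receiver, flow):
    src, sport, dst, dport, proto = flow
    quoted = fixture_ip(src, dst, proto, struct.pack("!HHI", sport, dport, 0))
    return fixture_ip(reporter, receiver, 1, struct.pack("!BBHI", 3, 3, 0, 0) + quoted)

def demo():
    # Constructed sample: one tracked outbound UDP flow, one genuine error for
    # it, and three errors quoting a flow the network never sent.
    tracked = ("192.0.2.10", 40000, "198.51.100.5", 53, 17)
    bogus = ("192.0.2.10", 1234, "203.0.113.99", 9, 17)
    packets = [fixture_unreachable("198.51.100.5", "192.0.2.1", tracked)]
    packets += [fixture_unreachable("203.0.113.7", "192.0.2.1", bogus)] * 3
    return unsolicited_by_source(packets, {tracked})
```

Calling `demo()` returns a count of three unsolicited packets for 203.0.113.7 and none for the genuine reporter. A sustained high count from one source is the pattern to alert on.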

About the Author

Jeremy Kirk

Managing Editor, Security and Technology

Jeremy Kirk is a 20-year veteran journalist who has reported from more than a dozen countries. An expat American now based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked for 10 years from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
