The recent wave of high-profile DDoS attacks against hosting providers, telecoms, and other targets have been among the most powerful ever seen, but researchers say there’s a relatively new DDoS technique being used by some attackers that uses much lower volumes of attack traffic and can keep even well-protected targets offline.
The attack is a variety of ICMP denial-of-service, but it does not rely on the high volume of traffic that older techniques that use the ICMP protocol utilize. Instead, the attack can be performed with as little as 15 Mbps of traffic, which is a fraction of what a typical large-scale DDoS attack would employ. Known as the BlackNurse attack, the technique involves sending a specific type of ICMP packets to target firewall devices that have ICMP enabled on the outside. Researchers at TDC Group in Denmark said in a report on the attack that they have see several of their customers with large Internet connections and sophisticated security hit with this kind of attack.
“The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack,” the report says.
ICMP flood attacks have been going on for many years and the technique is one of the common DDoS tools in attackers’ arsenals. In general, DDoS attacks use high volumes of generated traffic from compromised devices to knock a target machine offline. Attackers often target web servers or DNS servers, but will sometimes go after other targets, as well. The TDC Group researchers said the BlackNurse attacks they’ve seen are quite low in volume but are highly effective.
“We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces,the BlackNurse attack becomes highly effective even at low bandwidth. Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads.When an attack is ongoing, users from the LAN side will no longer be able to send/receivetraffic to/fromthe Internet. All firewalls we have seen recover when the attack stops,” the report says.
“Having high bandwidth is no guarantee that this DoS/DDoS attack will not work. Many firewall implementations handle ICMP in different ways, and different vendors can be subject to attacks. Distributed attacks from larger botnets can be a majorproblem, because botnets which are located on low bandwidth uplinks can come into play.”
The researchers said that disabling the ICMP Type 3 Code 3 on a firewall’s WAN interface can mitigate the BlackNurse attack.
Image: Paul Asman and Jill Lenoble, CC By 2.0 license.