BlackNurse Exploit and a Laptop can Disrupt Firewalls, Whole Network

By Lynn Palec | November 17, 2016

The exploit was first discovered by researchers working at the Security Operations Center of telecommunications firm TDC from Denmark. (YouTube)

Security researchers have warned that a new type of exploit can disrupt a whole computer network from just one laptop. Dubbed "BlackNurse," the attack targets vulnerabilities in certain firewalls from Cisco, Palo Alto, Zyxel, and SonicWall.

The exploit was first discovered by researchers working at the Security Operations Center of telecommunications firm TDC from Denmark. The researchers described BlackNurse as a low-bandwidth Internet Control Message Protocol attack.

In a statement acquired by Network World, the researchers reported, "The BlackNurse attack attracted our attention because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers' operations down."

What separates BlackNurse from the recent DDoS techniques that crippled KrebsOnSecurity and DynDNS is the type of traffic it uses. The BlackNurse attack uses ICMP Type 3 Code 3 "port unreachable" messages. These messages can overload a firewall's CPU, resulting in a denial-of-service (DoS) state.

Most DDoS attacks in the past utilized ICMP packets. With ICMP Type 3 Code 3, a single laptop could inflict massive damage and take down a whole network if affected devices are not patched in time.

Recent DDoS attacks can send up to 1Tbps of traffic to a certain server to cripple it. Security firm Netresec claims that a BlackNurse attack can disrupt a network by sending just 21Mbps of traffic to the target.
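Because the traffic volume is so low, bandwidth-based alarms may never fire, so a defender can instead watch the rate of ICMP Type 3 Code 3 packets per destination. The sketch below is an added example, not code from TDC or Netresec; the function names, the one-second bucketing, the threshold value and the sample capture are all assumptions made for illustration.

```python
import socket
import struct
from collections import Counter

ICMP_PROTO, DEST_UNREACH, PORT_UNREACH = 1, 3, 3

def parse_icmp(packet: bytes):
    """Return (dst_ip, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    # Only the first fragment carries the ICMP header.
    if ihl < 20 or packet[9] != ICMP_PROTO or frag_offset or len(packet) < ihl + 2:
        return None
    return socket.inet_ntoa(packet[16:20]), packet[ihl], packet[ihl + 1]

def port_unreachable_peaks(records, threshold_pps):
    """records: iterable of (timestamp_seconds, raw_ipv4_bytes).
    Returns {dst_ip: peak packets/second} for destinations whose rate of
    ICMP Type 3 Code 3 reaches threshold_pps in any one-second bucket."""
    buckets = Counter()
    for ts, raw in records:
        parsed = parse_icmp(raw)
        if parsed and parsed[1:] == (DEST_UNREACH, PORT_UNREACH):
            buckets[(parsed[0], int(ts))] += 1
    peaks = {}
    for (dst, _), n in buckets.items():
        if n >= threshold_pps:
            peaks[dst] = max(peaks.get(dst, 0), n)
    return peaks

def make_packet(src, dst, proto, payload):
    """Constructed test input: minimal IPv4 header (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def sample_capture():
    """Constructed capture using documentation address ranges."""
    unreach = make_packet("198.51.100.7", "192.0.2.1", 1, bytes([3, 3, 0, 0]) + bytes(4))
    echo = make_packet("198.51.100.9", "192.0.2.1", 1, bytes([8, 0, 0, 0]) + bytes(4))
    udp = make_packet("198.51.100.9", "192.0.2.2", 17, bytes(8))
    burst = [(10 + i / 1000, unreach) for i in range(500)]   # 500 in second 10
    trickle = [(20 + i, unreach) for i in range(5)]          # 1 per second
    noise = [(10.5, echo)] * 600 + [(10.5, udp), (10.5, b"\x45\x00")]
    return burst + trickle + noise

if __name__ == "__main__":
    print(port_unreachable_peaks(sample_capture(), threshold_pps=100))
```

The threshold has to be tuned against the normal rate of port-unreachable replies on the monitored link; the article gives a bandwidth figure for the attack but no packet rate.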

The researchers pointed out that only a handful of products are vulnerable to the BlackNurse exploit. These are Cisco ASA 5506, 5515, 5525 in default settings, Cisco ASA 5550 legacy device and 5515-X, Cisco Router 897, Zyxel NWA3560-N and Zyxel Zywall USG50, SonicWall, and some unverified Palo Alto products.

According to Forbes, TDC researchers found that 1.7 million devices respond to the ICMP request that a BlackNurse attack uses, and this was within Denmark alone. The researchers added that even if just a small fraction of those devices are vulnerable, a large-scale, coordinated attack could cause irreparable damage.

©2017 Telegiz All rights reserved. Do not reproduce without permission