SB 16.05 :: BlackNurse attack knocks firewalls out of action

  • Update 1 / 14.11. Palo Alto advisory

BlackNurse Denial of Service Attack: "The 90's called and wanted their ICMP flood attack back" is how the researchers titled the attack that became known on 10.11. under the name "Black Nurse". It consists of sending ICMP packets of Type 3 Code 3 (Destination Unreachable / Port Unreachable) to the target.

The attack works at low bandwidth: in our own tests we were able to take down vulnerable systems connected at 100 Mbit/s and more with 1 Mbit/s of attack volume, routed through Tor.

The TDC SOC, the security operations centre of a Danish telecommunications provider, which discovered and analysed the attack, reports an attack volume of 15 Mbit/s with which firewalls connected at 1 Gbit/s were successfully attacked.
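Because the attack is defined by packet rate rather than bandwidth, a useful detection is to count ICMP Type 3 Code 3 packets per destination per second rather than bytes. The following is an added example, not code from the bulletin or from TDC; the frames, addresses and the 500 pps threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

ICMP_PROTO = 1  # IPv4 protocol number for ICMP

def parse_ipv4_icmp(frame: bytes):
    """Return (src_ip, dst_ip, icmp_type, icmp_code) for an IPv4/ICMP frame, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4          # header length in bytes (options included)
    if frame[9] != ICMP_PROTO or len(frame) < ihl + 4:
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    return src, dst, frame[ihl], frame[ihl + 1]

def detect_blacknurse(packets, window_s=1.0, pps_threshold=500):
    """packets: iterable of (timestamp_seconds, frame_bytes). Counts ICMP Type 3 Code 3
    per destination per time window (sources rotate when routed via Tor, so count per target).
    Returns {dst_ip: peak_packets_per_window} for destinations at or over the threshold."""
    counts = defaultdict(lambda: defaultdict(int))   # dst -> window index -> count
    for ts, frame in packets:
        parsed = parse_ipv4_icmp(frame)
        if parsed and parsed[2] == 3 and parsed[3] == 3:   # Destination/Port Unreachable
            counts[parsed[1]][int(ts // window_s)] += 1
    peaks = {dst: max(w.values()) for dst, w in counts.items()}
    return {dst: p for dst, p in peaks.items() if p >= pps_threshold}

def build_icmp_frame(src_ip, dst_ip, icmp_type, icmp_code):
    """Constructed sample frame: 20-byte IPv4 header + 8-byte ICMP header (checksums left 0)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ICMP_PROTO, 0, src, dst)
    return ip_hdr + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)

def sample_capture():
    """Constructed traffic: 800 Type3/Code3 frames to one host within one second (a flood),
    a few genuine port-unreachables to another host, and some echo replies."""
    pkts = []
    for i in range(800):   # flood inside the first second, rotating source addresses
        pkts.append((i / 800, build_icmp_frame(f"203.0.113.{i % 5}", "198.51.100.1", 3, 3)))
    for i in range(5):     # legitimate unreachables, well under the threshold
        pkts.append((0.3 + i * 0.1, build_icmp_frame("192.0.2.10", "198.51.100.2", 3, 3)))
    for i in range(10):    # echo replies (type 0) are ignored by the detector
        pkts.append((0.5 + i * 0.01, build_icmp_frame("192.0.2.11", "198.51.100.1", 0, 0)))
    return pkts

if __name__ == "__main__":
    print(detect_blacknurse(sample_capture()))   # {'198.51.100.1': 800}
```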

Affected devices:

  • Cisco ASA 5506, 5515, 5525 (default settings)
  • Cisco ASA 5550 (Legacy) and 5515-X (latest generation) - (see detailed test results)
  • SonicWall - Misconfiguration can be changed and mitigated
  • Palo Alto
  • Cisco Router 897
  • Zyxel NWA3560-N (Wireless attack from LAN Side)
  • Zyxel Zywall USG50

Notes on the Cisco firewalls:

Both legacy and X-series - all legacy models <= 5550 and at least on all <= 5525-X in NG - but impact varies. Confirmed on firmware 9.1 (legacy) and 9.4 (X-series). Most likely an issue on all firmware versions. icmp deny on interface does not properly mitigate, only reduce impact. External throttling seems to be only proper mitigation AFAIK. A pitiful 1Mbps flood of type 3 code 4 results in 6% CPU on 5550 and 31% CPU on 5515-X. NG seems to be more vulnerable to this. All contexts are affected if in multi-mode.

Remarks from Palo Alto

Impact:

  • Palo Alto Networks Next-Generation Firewalls drop ICMP requests by default, so unless you have explicitly allowed ICMP in a security policy, your organization is not affected and no action is required.
  • If you have explicitly allowed ICMP in a security policy and have implemented our best practices for flood protection, your organization is not affected and no action is required.
  • If you have explicitly allowed ICMP in a security policy and have not implemented our best practices for flood protection, your organization's firewalls may experience higher CPU and memory usage, which may slow down the firewall's response.

NOT affected

  • Iptables (Netfilter! - thx Martin ;-)) (even with 480 Mbit/s) don't care - LOVE LINUX!
  • OpenBSD 6.0 and current
  • Windows Firewalls
  • pfSense

References