CISOs often worry about high-volume distributed denial of service (DDoS) attacks that use webcams and other consumer Internet-connected devices to stall business operations. However, the security operations centre of TDC Group, Denmark’s main telecom provider, has cautioned that some firewalls can be overwhelmed by a new variant of an Internet Control Message Protocol (ICMP) attack.
In a paper issued last week, TDC Group’s security team said the technique, which they dubbed ‘BlackNurse’, uses ICMP type 3 (destination unreachable) code 3 (port unreachable) packets to launch an attack of 40 to 50K packets per second at a traffic rate of 15-18 Mbit per second. This is different from, and slower than, a traditional ICMP ping flood attack. But, the report says, it is still effective at overwhelming the CPUs of some firewalls as they try to process the ICMP errors.
“Based on our research, this vulnerability or misconfiguration of some firewalls is easy to misuse,” says the report. “Impact can be high for those that allow ICMP to the firewall’s outside interface, and they could be easy targets for the BlackNurse attack as we have seen in TDC’s network. Having high bandwidth is no guarantee that this DoS/DDoS attack will not work. Many firewall implementations handle ICMP in different ways, and different vendors can be subject to attacks. Distributed attacks from larger botnets can be a major problem, because botnets which are located on low bandwidth uplinks can come into play.”
The TDC report says some models of Cisco Systems’ ASA firewalls are vulnerable. Sweden’s Netresec AB, a network forensics company which helped in the TDC research, said in a blog post that firewalls from Palo Alto Networks could also be affected unless ICMP Flood DoS protection is enabled, as well as firewalls from SonicWall (if misconfigured) and from Zyxel.
UPDATE: After this story was published, SonicWall issued a statement saying the Netresec report is incorrect. The company says it worked with TDC in September on this issue and that tests show that, with normal ICMP flood protection on, the SonicWall firewall is not vulnerable.
TDC security researchers have included a Snort rule in their report for intrusion detection/prevention devices to detect the attack, although the default timing may have to be adjusted to what is normal for each organization’s firewall.
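The detection idea behind such a rule is a rate threshold: count ICMP type 3 code 3 packets per source inside a short time window and alert when a source exceeds what is normal for your firewall. The following is an added illustration of that logic, written for this article; it is not TDC’s Snort rule and does not reproduce it. The log line layout, the field names and the default threshold of 500 packets per second are assumptions constructed for the example; the threshold in particular has to be tuned to each firewall’s baseline, exactly as the report says about the rule’s timing.

```python
"""Rate-based detector for ICMP type 3 / code 3 (port unreachable) floods.

Constructed example: parses a simplified, synthetic firewall log and flags
any source that sends more than `threshold` port-unreachable packets within
any `window`-second sliding window. The log format below is an assumption
made for this example, not a vendor's real format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Hypothetical log line layout (assumption for this example):
# "2016-11-10T10:00:00.000800 icmp src=198.51.100.7 dst=203.0.113.1 type=3 code=3"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) icmp src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"type=(?P<type>\d+) code=(?P<code>\d+)$"
)


def parse_line(line):
    """Return (epoch_seconds, src, icmp_type, icmp_code), or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).timestamp()
    return ts, m["src"], int(m["type"]), int(m["code"])


class UnreachableFloodDetector:
    """Sliding-window counter of ICMP type 3 code 3 packets per source IP.

    threshold: packets allowed per `window` seconds before a source is flagged.
    The default of 500 is a constructed starting point, not a recommendation;
    it must be tuned to the normal ICMP error rate seen at each firewall.
    """

    def __init__(self, threshold=500, window=1.0):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)  # src -> timestamps inside the window
        self._flagged = set()            # sources already alerted on
        self.alerts = []                 # (src, alert_time, packets_in_window)

    def feed(self, line):
        """Consume one log line; return an alert tuple if this line crosses the threshold."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, src, icmp_type, icmp_code = parsed
        if (icmp_type, icmp_code) != (3, 3):  # only port-unreachable errors count
            return None
        q = self._seen[src]
        q.append(ts)
        while q and q[0] < ts - self.window:  # evict timestamps older than the window
            q.popleft()
        if len(q) > self.threshold and src not in self._flagged:
            self._flagged.add(src)
            self.alerts.append((src, ts, len(q)))
            return self.alerts[-1]
        return None


def run_detector(lines, threshold=500, window=1.0):
    """Run every line through a fresh detector and return the alert list."""
    det = UnreachableFloodDetector(threshold, window)
    for line in lines:
        det.feed(line)
    return det.alerts


def build_sample_log():
    """Constructed log: 600 port-unreachables from one source inside half a
    second (a flood), five from a second source spread over seconds (normal
    error traffic), and 700 echo requests that this detector must ignore."""
    base = datetime(2016, 11, 10, 10, 0, 0)
    lines = []
    for i in range(600):
        t = base + timedelta(milliseconds=0.8 * i)
        lines.append(f"{t.isoformat()} icmp src=198.51.100.7 dst=203.0.113.1 type=3 code=3")
    for i in range(5):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} icmp src=192.0.2.20 dst=203.0.113.1 type=3 code=3")
    for i in range(700):
        t = base + timedelta(milliseconds=0.5 * i)
        lines.append(f"{t.isoformat()} icmp src=192.0.2.9 dst=203.0.113.1 type=8 code=0")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for src, when, count in run_detector(build_sample_log()):
        print(f"ALERT: {src} sent {count} ICMP 3/3 packets within 1 s (at epoch {when:.3f})")
```

Two properties of this design matter in practice: it keys on the source address only, so a distributed attack from many low-bandwidth bots, which the TDC quote above warns about, needs an additional aggregate counter across all sources; and it ignores every ICMP type other than 3/3, so an ordinary ping flood will not trip it and should be covered by the firewall’s existing flood protection instead.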
Note that while TDC researchers have seen an increase in this type of attack, Johannes Ullrich, head of research at the SANS Institute, said in a post that “this is not a big deal.” Cisco doesn’t consider it a security issue, he pointed out, and no CVE (Common Vulnerabilities and Exposures) number has been issued. Users of smaller Cisco ASA firewalls are vulnerable, but networks with newer and/or multi-core CPU versions “appear to be fine.” iptables-based firewalls are not affected.
Still, infosec and network teams should monitor incoming ICMP unreachables, Ullrich says.