Tag Archives: cisco

New DDoS attack method called BlackNurse lets hackers take down firewalls and servers from a single laptop

Security researchers have discovered a new attack technique that requires less effort to launch large-scale attacks. A new DDoS attack method called BlackNurse has been discovered by security researchers, which allows hackers to launch large-scale attacks with less effort than is required for traditional DDoS attacks. BlackNurse also provides attackers with the ability to take down severs and firewalls with just a single laptop. According to researchers at TDC SOC (Security Operations Centre of the Danish telecom operator TDC), BlackNurse leverages low-volume ICMP (Internet Control Message Protocol)-based attacks to launch attacks capable of overloading firewalls and shutting them down. BlackNurse targets vulnerable firewalls made by Cisco, PaloAlto and others, in a “ping flood attack” reminiscent of those popular in the 1990s. TDC researchers said: “The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack. “Based on our test, we know that a reasonable sized laptop can produce approx a 180 Mbit/s DoS attack with these commands.” Researchers at security firm Netresec, clarified how and why the new technique was dubbed BlackNurse, which according to the firm has caused “some confusion/amusement/discussion”. Netresec also cautioned about googling the term, which they claimed “might not be 100% safe-for-work, since you risk getting search results with inappropriate videos that have nothing to do with this attack”. Netresec said: “The term ‘BlackNurse’, which has been used within the TDC SOC for some time to denote the ‘ICMP 3,3? attack, is actually referring to the two guys at the SOC who noticed how surprisingly effective this attack was. One of these guys is a former blacksmith and the other a nurse, which was why a colleague of theirs jokingly came up with the name ‘BlackNurse’. However, although it was first intended as a joke, the team decided to call the attack ‘BlackNurse’ even when going public about it.” How does BlackNurse work? DDoS attacks ideally require a large volume of traffic to successfully cripple targets. Traditionally, large-scale attacks involve hoards of devices and numerous IP addresses working collectively to bombard a targeted server with massive volumes of traffic, in efforts to stop it from functioning. However, BlackNurse does not need an army of compromised devices; neither does it require high volumes of traffic. Instead, BlackNurse issues out low volume ICMP error messages to servers and firewalls, which can fairly easily overload the main processors, rendering them useless. ESET security researcher Mark James told  IBTimes UK:  “BlackNurse uses ICMP flooding to achieve its goal. ICMP is also known as Ping and is predominantly used to test the connectivity between two computers. An ICMP (ping) echo request is sent from one machine and awaits an ICMP echo reply from the receiving machine. “The time of the round trip is measured which would normally indicate how good the connection route is based on errors and or packet loss. If you take that same technology and send lots of requests without waiting for any replies, it’s possible to overload the destination server. It works two-fold, as often the receiving server will attempt to reply to the incoming requests and try to send replies thus increasing its activity and helping the initial attack. Also BlackNurse uses a different technique that is slower than traditional ICMP flood attacks utilising some firewall vulnerabilities or misconfiguration.” Mitigation for such an attack is possible. “Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack quite easily,” the TDC researchers said. “This is the best mitigation we know of so far.” Source: http://www.ibtimes.co.uk/new-ddos-attack-method-called-blacknurse-lets-hackers-take-down-firewalls-servers-single-laptop-1592214

Read the article:
New DDoS attack method called BlackNurse lets hackers take down firewalls and servers from a single laptop

BlackNurse Attack Lets Lone Computers Take Down Whole Networks

DDoS attacks generally rely on big numbers to get results. Hundreds of thousands of devices, millions of IP addresses all unleashing coordinated blasts of data at another device to bring it to its knees. A BlackNurse denial-of-service attack doesn’t need a massive army of zombies to be effective. The BlackNurse attack is much more efficient than the DDoS attacks that crippled security researcher Brian Krebs’ website and the DNS servers at Dyn. Some recent DDoS attacks have seen traffic peak at more than 1 Tbps. A BlackNurse attack has the ability to disrupt by sending just a fraction of that volume. As little as 21 Mbps can be enough to take down a firewall, according to security firm Netresec. What’s different about BlackNurse that allows it to inflict so much damage with so little effort? It’s the type of traffic it utilizes. BlackNurse directs Internet Control Message Protocol (ICMP) packets, which have been used in other DDoS attacks in the past. BlackNurse uses a specific type — ICMP type 3 code 3. An attack from a single laptop could, theoretically, knock an entire business offline, though it’s not likely to be a very  large  business. In their blog post, Netresec calls out firewalls made by Cisco, Palo Alto Networks, Sonicwall, and Zyxel as being at risk. Most of the devices Netresec reports as being vulnerable to a BlackNurse attack (like the Cisco ASA 5506 and Zyxel Zywall USG50) were designed for small office or home office use. That said, TDC, a Denmark-based company that offers DDoS protection services to businesses, has seen enterprise-grade gear impacted. “We had expected that professional firewall equipment would be able to handle the attack,” they wrote, adding that they’ve seen around 100 of these attacks launched against their customers. TDC also notes that BlackNurse has the potential to create a lot of havoc. In Denmark’s IP space alone they discovered 1.7 million devices that respond to the ICMP requests that the BlackNurse attack leverages. If even a small percentage of those 1.7 million devices are vulnerable, the effects of a coordinated, large-scale attack could be disastrous. And that’s just Denmark. Source: http://www.forbes.com/sites/leemathews/2016/11/14/blacknurse-attack-lets-lone-computers-take-down-whole-networks/#6d27bd961999

More:
BlackNurse Attack Lets Lone Computers Take Down Whole Networks

DDoS attacks up 149 percent as brassy booter kids make bank

Akamai report finds surge in weighty packets. The number of distributed denial of service attacks rose 149 percent in dying months of 2015 according to Akamai’s networking wonks.…

Continue Reading:
DDoS attacks up 149 percent as brassy booter kids make bank

Google punts freebie DDoS shield to hacks, human rights worthies

Reverse proxying traffic might save headaches Google has launched a free service to protect news websites against DDoS attacks.…

See the original article here:
Google punts freebie DDoS shield to hacks, human rights worthies

Does the Internet of Things need an indie security assessor?

Some in the IEEE reckon it’d be a good idea, before your toaster burns more than bread The Internet toaster that’s browning your crumpets, talking to its home servers, and participating in a ransomware-distributing botnet should get the kind of cyber-safety testing that it gets for physical safety.…

See the article here:
Does the Internet of Things need an indie security assessor?

Mobile ad network exploited to launch JavaScript-based DDoS attack

A type of DDoS attack that has until now been mostly theoretical has become reality: CloudFlare engineers have spotted a browser-based Layer 7 flood hitting one of its customers with as many as 275,00…

More here:
Mobile ad network exploited to launch JavaScript-based DDoS attack