Researchers from the Danish telecom firm TDC have claimed that attackers have been using ICMP ping floods to carry out Denial of Service (DoS) attacks capable of removing enterprise firewalls.
As opposed to standard DDoS attacks, the attacker does not have to use a multitude of hacked devices to accomplish the attack. It can actually be done using just one laptop computer. Moreover, the standard security measures put in place to limit traditional DDoS attacks, e.g. provisioning extra bandwidth, are not effective against this form of attack.
The new technique, known as BlackNurse, is an Internet Control Message Protocol (ICMP) attack which, researchers state, uses type 3 (destination unreachable) code 3 (port unreachable) packets. Attacks of between 40K – 50K packets per second with a traffic speed of approximately 18 Mbit per second are all that is required in order to carry out a successful attack. Such basic requirements mean that it is feasible to realise an attack of this kind using a single laptop computer.
The said attacks use ICMP Type 8 Code 0 packets. These packets consume a large portion of CPU resources which allows the firewall to be overwhelmed. A spokesperson from TDC’s Security Operations Center has advised that during and attack, users from the LAN side will be unable to send or receive traffic to and from the Internet. TDC confirm further that all firewalls that they have seen to date have recovered after the attack has stopped.
According to TDC, Cisco Systems’ Adaptive Security Appliance firewalls are vulnerable to these forms of attack when in their default configuration (when they are configured so as to permit ICMP Type 3 messages). Other firewalls may also be open to attack should they not be correctly configured or if particular security protections have been turned off. TDC has stated that a number of SonicWall, Zyxel Communications, and Palo Alto Networks next generation firewalls could possibly be taken down by this genre of attack.
The TDC researchers claim that the impact may be high for those users who allow ICMP to the firewall’s outside interface, and that they could easily become targets for the BlackNurse attack, such as was seen in TDC’s network. They warn that having high bandwidth is no guarantee that an DoS/DDoS attack will be unsuccessful.
TDC further advises that disabling ICMP Type 3 Code 3 on the WAN interface could mitigate the attack relatively simply. Presently this is the best option available for mitigating this form of attack.
Users of smaller Cisco ASA firewalls are warned that they are particularly susceptible to this genre of attack, however TDC states that networks with multi-core CPU versions have thus far appeared to be fine and that IPtables-based firewalls are unaffected.