Firewall attack: How to stop BlackNurse

Christian Osterbrink, Alexander Sieber and Daniel Vollmer have analyzed the BlackNurse Attack. Conclusion: By tweaking a few settings the danger can be mitigated.


Ordinary DDoS attacks (Distributed Denial of Service) are quite common these days: attackers overload a system or service until legitimate requests can no longer be processed.

To accomplish this, a botnet is commonly used, i.e. a network of computers that have previously been infected with malware that allows them to be controlled remotely by an attacker.

BlackNurse however is a certain kind of ICMP flood attack that works a bit differently.

Everything can be a weakness

Vulnerabilities are a dime a dozen. With the rise of digitization the number of potential error sources is growing exponentially. These bugs and pitfalls can be used as gateways for compromise. Known vulnerabilities can be researched, e.g. through MITRE [1]. Browsing the CVEs (Common Vulnerabilities and Exposures) reveals plenty of known and published weaknesses. Not all, but certainly a lot of them, are used by perpetrators, for example to hijack large numbers of network devices for abuse as a botnet.

An illustrative example of the power of bots is the DDoS attack on Dyn DNS carried out by the Mirai botnet (see the Links below). For this attack, masses of IoT (Internet of Things) devices were infected to form a botnet and abused to launch one of the most massive DDoS attacks of all time.

Usually a successful DDoS attack is based on the principle of relentlessly overloading infrastructure. Another common method is to use software features or bugs to provoke system malfunctions. Achieving the common goal, a denial of service, becomes much easier that way.

The possible weaknesses may vary. Starting with internet access or the operating system all the way down to services offered by the host – everything is potentially vulnerable and susceptible to attacks.

BlackNurse explicitly attacks firewalls

A BlackNurse-attack works like this: the attack is based on the ICMP-protocol and instead of simply flooding the targeted network with ICMP-requests BlackNurse uses ICMP-Type3-Code3.

That makes sense: in most cases the attack goes undetected by common DDoS countermeasures. Up to now, users with strong, high-bandwidth connections deemed themselves safe. But this kind of attack can take down even infrastructures that would withstand most conventional DDoS attacks. These infrastructures are usually protected by professional firewalling platforms. However, these platforms are exactly what BlackNurse is targeting.

Attack sequence

Most ICMP attacks are based on ICMP-Type9-Code0-packets, also known as ping-flood-attacks. While also being based on ICMP, BlackNurse uses ICMP-Type3-Code3-packets. The requirement for a successful attack is that the target system allows ICMP-Type3-Code3 traffic. If so, even a common mediocre connection featuring 15-18 Mbit/s is sufficient to send the necessary 40000 – 50000 packets per second for effectively impairing the target system. The attack sequence is as follows:

  • a high CPU workload is observed on the attached firewall systems
  • users/systems in the LAN behind the perimeter firewall can neither receive packets from nor send packets to the WAN
  • subsequently the firewall stops processing any packets

After the attack has ceased, the firewall systems recover rapidly and resume normal operation. Unfortunately the attack requires very little technical skill to execute. The good news is that not all routers on the internet seem to process ICMP packets of Type3-Code3. Simply relying on that assumption is, however, not recommended.

In the end the interesting question remains: How can I find out if my systems are vulnerable and what can I do about it if they are?

Are my systems vulnerable?

The effort needed to audit systems for this particular vulnerability is very limited. The following requirements are sufficient:

  • productive firewall
  • test system connected to a LAN
  • test system connected to a WAN

First the required ICMP-Type3-Code3-packets are generated on the WAN test system using the tool hping3 and sent to the target system. If the tested system is susceptible to the attack, an immense increase of CPU workload can be observed right away. Side effects may include the LAN test system not being able to sustain or reestablish communication through the defensive perimeter.

The necessary commands are:

hping3 -1 -C 3 -K 3 -i u20 dest-ip
hping3 -1 -C 3 -K 3 --flood dest-ip

The hping3 documentation can be helpful regarding questions about the parameter options. Depending on the capability of the firewall involved, it might be necessary to set up a correspondingly powerful system for the test.

All major firewalls affected

In order to assess the risk resulting from BlackNurse for our customers we have set up a testing scenario using Palo Alto Networks firewalls. The testing results were alarming:

  • an attack using hping3 with parameters -1 -C 3 -K 3 -i u20 dst-ip can fully load the dataplane up to 100% capacity while requiring little knowledge and hardware
  • the attack still works even when a firewall-policy prohibits ICMP
  • the attack still works even when traffic is routed through the firewall
  • the attack still works even when the traffic is addressed to a firewall interface
  • if the traffic is addressed to a firewall interface, it is not considered a session and thus cannot be set to discard-state manually
  • the default zone values are set much too high and are platform independent
  • the attack works both on hardware and virtual Palo Alto firewalls. However, virtual firewalls are more robust, provided they are assigned enough CPU time
  • values for ICMP-Flooding have to be restricted rigorously. A cut from 40000 to 2000 p/s has merely decreased the workload by 50% on a PA-200. Several parallel hping processes significantly increased the workload of the Data Plane again even under these conditions.
  • deactivating Discard ICMP embedded with error message (via Zone-Protection-Profile > Packet based attack protection > ICMP Drop) reduces the workload significantly (from 50% to 16% on a PA-200). However this causes certain ICMP packets not to be forwarded any more.

Considering these test results we conclude: Presently every Palo Alto Networks firewall that forwards ICMP-Type3-Code3 packets or receives them via an interface is highly vulnerable to this attack! This vulnerability results from an overload of the data plane. Blocking ICMP traffic on the firewall does not remediate the problem. The problem also persists independently of interface-management-profiles.

The admin guide (for the current version 7.1, see the Links below) recommends adjusting the values to realistic levels. What can be considered realistic depends heavily on the existing environment and may vary considerably.

First aid: Firewall-configuration to protect against BlackNurse

Our best practice recommendation is:

  1. creating zone-protection-profiles or DDoS rules with ICMP-Flood settings enabled
  2. we recommend using DDoS rules, as they can be adjusted with more precision than zone-protection-profiles
  3. Blocking of ICMP floods with one or more DDoS rules
    • creating rules with SRC and dest-zones to be protected
  4. creating a classified (per SRC-IP address) DDoS-profile with enabled ICMP-flood (ensures that only the SRC-IP causing the flooding is blocked).
  5. DDoS-Rule Action = Protect
  6. Best practice recommendation for several platforms:
    • PA-200 and PA-500
      • for internal zones (Alarm Rate 300PPS, Activate 400PPS, Max Rate 500 PPS, Duration 300s)
      • for external zones (internet bound) (Alarm Rate 100PPS, Activate 150PPS, Max Rate 200 PPS, Duration 300s)
    • PA-30xx and PA-50xx
      • for internal zones (Alarm Rate 500PPS, Activate 1500PPS, Max Rate 2000 PPS, Duration 300s)
      • for external zones (internet bound) (Alarm Rate 250PPS, Activate 500PPS, Max Rate 750 PPS, Duration 300s)
  7. activate the option Discard ICMP embedded with error message, if it is not strictly required by the system

These best practice values are realistic and have been tested under lab conditions and on real-world systems. They serve to significantly complicate an attack and guarantee sufficient performance on the dataplane.

As already stated, these values still depend on the firewall environment (e.g. the normal DP workload) and the usage of the ICMP protocol, e.g. for monitoring. Systems involved here might have to be excluded from the protection measures by additional DDoS rules.
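To see how the recommended thresholds sit against your own ICMP baseline before enabling them, the following added example (not part of the original article and not Palo Alto tooling) classifies each source's peak one-second ICMP rate against the values listed above. The record format, the function names, the platform/zone keys and the sample data are assumptions made for illustration; it only counts packets per source and does not model how the firewall itself measures rates.

```python
from collections import Counter

# (Alarm Rate, Activate, Max Rate) in packets per second, from the list above.
THRESHOLDS = {
    ("PA-200/PA-500", "internal"): (300, 400, 500),
    ("PA-200/PA-500", "external"): (100, 150, 200),
    ("PA-30xx/PA-50xx", "internal"): (500, 1500, 2000),
    ("PA-30xx/PA-50xx", "external"): (250, 500, 750),
}
LEVELS = ("below-alarm", "alarm", "activate", "max-rate")


def review_baseline(records, platform, zone):
    """Classify each source by its peak one-second ICMP rate.

    records: iterable of (timestamp_seconds, src_ip, icmp_type, icmp_code),
    e.g. exported from a packet capture of normal traffic (assumed format).
    Returns {src_ip: {"peak_pps", "level", "type3_code3"}}.
    """
    limits = THRESHOLDS[(platform, zone)]
    per_second = Counter()   # (src, whole second) -> packets
    unreachable = Counter()  # src -> Type 3 Code 3 packets in total
    for ts, src, icmp_type, icmp_code in records:
        per_second[(src, int(ts))] += 1
        if (icmp_type, icmp_code) == (3, 3):
            unreachable[src] += 1
    peaks = {}
    for (src, _second), count in per_second.items():
        peaks[src] = max(peaks.get(src, 0), count)
    report = {}
    for src, peak in peaks.items():
        crossed = sum(peak >= limit for limit in limits)  # 0..3 thresholds
        report[src] = {"peak_pps": peak, "level": LEVELS[crossed],
                       "type3_code3": unreachable[src]}
    return report


def constructed_sample():
    """Constructed records: a monitoring poller, a quiet host, a noisy source."""
    records = [(10.0 + i / 120, "10.0.0.5", 8, 0) for i in range(120)]
    records += [(10.2, "10.0.0.9", 3, 3), (11.4, "10.0.0.9", 8, 0)]
    records += [(12.0 + i / 450, "198.51.100.7", 3, 3) for i in range(450)]
    return records


if __name__ == "__main__":
    rows = review_baseline(constructed_sample(), "PA-200/PA-500", "external")
    for src, row in sorted(rows.items()):
        print(src, row)
```

A legitimate source that lands at "alarm" or above, such as the monitoring poller in the constructed data, is a candidate for one of the additional exclusion rules mentioned above.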

After configuring the system according to these recommendations a firewall is affected much less by an attack based on BlackNurse, while the effort to launch the attack is significantly increased.

During an ongoing attack it might be worth considering having ICMP traffic of the specific packet type blocked effectively on the routers of the ISP. This would stop the packets before they even reach the perimeter defence.

We also recommend setting the DDoS profiles for internal zones, just in case.

If you need further assistance do not hesitate to use the contact form!


  1. The MITRE Corporation is an organisation running research institutes in service of the United States. It used to be a branch of the Massachusetts Institute of Technology (MIT). The nonprofit organisation serves as a central and neutral platform for vulnerabilities.

Links:
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
https://tools.ietf.org/html/rfc2780
https://tools.ietf.org/html/rfc792
http://soc.tdc.dk/blacknurse/blacknurse.pdf
https://de.wikipedia.org/wiki/Denial_of_Service
http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os

Image: ©iT-CUBE SYSTEMS AG 2016