Software Integrity Blog


DDoS attack, BlackNurse, uses ICMP

Criminal hackers with limited resources can defeat firewalls with a new attack.

Dubbed BlackNurse by the Denmark-based TDC Security Operations researchers who first found it, the attack allows volumes of as little as 15 megabits, or about 40,000 packets per second, to bombard sites with volumes approaching or exceeding 1 terabit per second. It uses Internet Control Message Protocol (ICMP) Type 3, which routers and other networking devices use to send and receive error messages. Once the attack reaches a threshold of 15 Mbps to 18 Mbps, the targeted firewalls drop so many packets that the device effectively drops off the Internet.

The researchers wrote in their blog: “The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.”
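Because the damaging rate is so low, volume-based DDoS alarms will not fire; the useful signal is the per-second rate of inbound ICMP Type 3 toward a firewall. The sketch below is an added example, not code from TDC or this blog: the record format, the 50% warning fraction and the documentation-range addresses are assumptions, and the 15 Mbps level is the figure quoted above.

```python
from collections import defaultdict

# Threshold taken from the article: firewalls degrade at roughly 15 Mbps
# (about 40,000 packets per second) of ICMP Type 3 traffic.
DEGRADE_MBPS = 15.0
ICMP_DEST_UNREACHABLE = 3   # ICMP Type 3 = Destination Unreachable
WARN_FRACTION = 0.5         # assumption: warn at half the degrade level

def icmp_type3_alerts(lines, warn_fraction=WARN_FRACTION):
    """Return [(second, dst, pps, mbps, level)] for per-second buckets whose
    inbound ICMP Type 3 rate crosses the warning or degrade level.
    Each line is a constructed record: 'epoch dst icmp_type packets bytes'."""
    buckets = defaultdict(lambda: [0, 0])  # (second, dst) -> [packets, bytes]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, dst, icmp_type, packets, nbytes = line.split()
        if int(icmp_type) != ICMP_DEST_UNREACHABLE:
            continue  # e.g. echo floods are a different, higher-volume problem
        buckets[(int(ts), dst)][0] += int(packets)
        buckets[(int(ts), dst)][1] += int(nbytes)
    alerts = []
    for (ts, dst), (packets, nbytes) in sorted(buckets.items()):
        mbps = nbytes * 8 / 1_000_000
        if mbps >= DEGRADE_MBPS:
            level = "critical"
        elif mbps >= DEGRADE_MBPS * warn_fraction:
            level = "warning"
        else:
            continue
        alerts.append((ts, dst, packets, round(mbps, 2), level))
    return alerts

# Constructed sample: aggregated flow records, not real captures.
SAMPLE = """\
# epoch dst icmp_type packets bytes
1000 203.0.113.10 3 120 5640
1000 203.0.113.10 8 5000 420000
1001 203.0.113.10 3 12000 564000
1001 203.0.113.10 3 10000 470000
1002 203.0.113.10 3 41000 1927000
1002 198.51.100.7 3 300 14100
"""

if __name__ == "__main__":
    for alert in icmp_type3_alerts(SAMPLE.splitlines()):
        print(alert)
```

Note that the second-1000 echo-request record carries far more bytes than the Type 3 traffic yet is ignored: the detector keys on message type and rate, not on total volume.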

