
Blacknurse protection

For a couple of days now the BlackNurse DDoS has been getting a lot of attention on many security-related blogs and other pages (see https://nakedsecurity.sophos.com/2016/11/15/blacknurse-ddos-attack-can-overload-firewalls-from-a-laptop/).

I have tested this internally by setting up a Linux machine in my internal network and then sending the command to the internal firewall interface IP. Almost immediately all internet traffic is broken. Sometimes a little bit of traffic is able to pass, but most of it gets lost.

The same happens when I send the same command to another UTM over the internet; that is, my local internet connection breaks when I run it from another machine (a Windows machine). I'm not sure whether the Linux machine executing the command is simply overflowing my switch or whether the local UTM is impacted, but it seems to be the UTM, since when I send the same command to my network-attached printer, my internet connection stays up perfectly fine.

I don't know whether or not the other side is impacted by me giving the command, since I dare not test this when there's anyone working on site, and since I simply lose all my own internet connection, I cannot test this from my own connection LOL.

The traffic does get logged (and a lot is getting logged, which is an understatement, so that may be the reason my own firewall is failing); these are all log lines like this one:

2016:11:15-23:00:18 utm ulogd[14416]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="64:31:50:9d:0e:2f" dstmac="ac:22:0b:4f:3d:41" srcip="192.168.11.119" dstip="192.168.11.1" proto="1" length="56" tos="0x00" prec="0x00" ttl="64" type="3" code="3" 
That is exactly the ICMP type 3 code 3 that is getting sent by the tool. 

Usually my firewall log at home is about 200 - 500 KB each day, but today's is already over 1 GB after only short periods of running this tool :O

Now my questions:

Can we prevent the UTM from logging this type of traffic (or only log the first 100 packets or so) so the local firewall doesn't simply overload (I assume that must be the case)?
Can we prevent this kind of traffic from traversing the firewall at all, both outgoing and incoming?
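The two questions above (spot the flood in the ulogd output, and keep only the first N drop lines per source) can be worked through offline against the packet-filter log. The following is an added example, not code from the thread or from Sophos: it parses the `key="value"` layout of the quoted `Packet dropped` line, counts ICMP type 3 code 3 drops per source and per second, and applies a "log only the first 100" suppression. The sample log lines are constructed here to mimic the quoted one (the source IPs, MACs and timestamps are made up); the threshold of 100 per second is an assumed tuning value.

```python
import re
from collections import Counter
from datetime import datetime

# The line quoted in the post, used as the reference for the field layout.
ORIGINAL_LINE = (
    '2016:11:15-23:00:18 utm ulogd[14416]: id="2001" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcmac="64:31:50:9d:0e:2f" dstmac="ac:22:0b:4f:3d:41" srcip="192.168.11.119" '
    'dstip="192.168.11.1" proto="1" length="56" tos="0x00" prec="0x00" ttl="64" '
    'type="3" code="3"'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')            # key="value" pairs
TS_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})")
TS_FMT = "%Y:%m:%d-%H:%M:%S"


def make_ulogd_line(ts, srcip, proto, icmp_type=None, icmp_code=None):
    """Build a constructed 'Packet dropped' line in the same layout as ORIGINAL_LINE."""
    fields = (
        'id="2001" severity="info" sys="SecureNet" sub="packetfilter" '
        'name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
        'srcmac="64:31:50:9d:0e:2f" dstmac="ac:22:0b:4f:3d:41" '
        f'srcip="{srcip}" dstip="192.168.11.1" proto="{proto}" length="56" '
        'tos="0x00" prec="0x00" ttl="64"'
    )
    if icmp_type is not None:
        fields += f' type="{icmp_type}" code="{icmp_code}"'
    return f"{ts} utm ulogd[14416]: {fields}"


# Constructed sample: a burst of ICMP 3/3 from one host (150 + 60 lines over two
# seconds), a few ICMP echo requests from another host and five TCP drops.
SAMPLE_LINES = (
    [make_ulogd_line("2016:11:15-23:00:18", "192.168.11.119", 1, 3, 3) for _ in range(150)]
    + [make_ulogd_line("2016:11:15-23:00:19", "192.168.11.119", 1, 3, 3) for _ in range(60)]
    + [make_ulogd_line("2016:11:15-23:00:18", "192.168.11.77", 1, 8, 0) for _ in range(3)]
    + [make_ulogd_line("2016:11:15-23:00:19", "192.168.11.50", 6) for _ in range(5)]
)


def parse_ulogd_line(line):
    """Return a dict of the key="value" fields plus a parsed 'ts', or None for non-drop lines."""
    m = TS_RE.match(line)
    if not m or 'name="Packet dropped"' not in line:
        return None
    rec = dict(KV_RE.findall(line))
    rec["ts"] = datetime.strptime(m.group(1), TS_FMT)
    return rec


def is_port_unreachable(rec):
    """ICMP (proto 1) type 3 code 3, the packet BlackNurse sends."""
    return rec.get("proto") == "1" and rec.get("type") == "3" and rec.get("code") == "3"


def icmp_flood_sources(lines, threshold=100):
    """Return {srcip: peak drops per second} for sources whose ICMP 3/3 drop
    rate exceeds `threshold` in any single second (assumed tuning value)."""
    per_second = Counter()
    for line in lines:
        rec = parse_ulogd_line(line)
        if rec and is_port_unreachable(rec):
            per_second[(rec["srcip"], rec["ts"])] += 1
    peaks = {}
    for (srcip, _), n in per_second.items():
        if n > threshold:
            peaks[srcip] = max(n, peaks.get(srcip, 0))
    return peaks


def suppress_repeats(lines, keep=100):
    """Keep only the first `keep` drop lines per (srcip, proto, type, code) and
    count the rest, mimicking 'only log the first 100 packets or so'."""
    seen, suppressed, kept = Counter(), Counter(), []
    for line in lines:
        rec = parse_ulogd_line(line)
        if rec is None:               # not a packet-filter drop line: pass through
            kept.append(line)
            continue
        key = (rec["srcip"], rec["proto"], rec.get("type", "-"), rec.get("code", "-"))
        seen[key] += 1
        if seen[key] <= keep:
            kept.append(line)
        else:
            suppressed[key] += 1
    return kept, suppressed


if __name__ == "__main__":
    print("flood sources:", icmp_flood_sources(SAMPLE_LINES))
    kept, suppressed = suppress_repeats(SAMPLE_LINES)
    print(f"kept {len(kept)} of {len(SAMPLE_LINES)} lines")
    for key, n in suppressed.items():
        print(f"suppressed {n} further drops for srcip/proto/type/code {key}")
```

On the constructed sample this reports 192.168.11.119 as the only flood source (150 drops in one second) and keeps 108 of 218 lines, suppressing 110 repeats. Against a real `packetfilter.log` the same functions can be fed with the file's lines; the per-second bucketing is what distinguishes a flood from the occasional legitimate port-unreachable message.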



  • Everything I have read has indicated that Linux/iptables is not susceptible to this attack. The attack typically causes high CPU usage on the firewall, and that is the cause of the packet loss, as the firewall is too busy to process more traffic. I am not saying you did not find something, but based on my understanding and research, you are not seeing BlackNurse as described. I have done a lot of my own testing and did not see the behavior you are describing (I just used hping to generate crafted packets; what did you use?).

  • I also used hping (hping3):  hping3 -1 -C 3 -K 3 -i u20 <ipaddress>


    What I did see was that, using this command against my own firewall interface, there is so much blocked traffic that the UTM seems to be too busy writing it all to the log file. The log file grows to 1 GB in just a few seconds. (My UTM doesn't have an SSD, btw.)


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • So it is not susceptible to BlackNurse, but in your instance any flood of blocked traffic will cause your UTM to quit responding (ICMP is covered under Advanced Threat Protection Anti-DoS/flooding). Do you have that enabled? Is it set for limited logging?

  • ICMP flooding was indeed not enabled, while the others were enabled with limited logging. I have now enabled it. Will check again what happens now (hopefully tomorrow).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.