For a couple of days now the BlackNurse DDoS has been getting a lot of attention on many security-related blogs and other pages (see https://nakedsecurity.sophos.com/2016/11/15/blacknurse-ddos-attack-can-overload-firewalls-from-a-laptop/).
I have tested this internally by setting up a Linux machine in my internal network and then sending the command to the internal firewall interface IP. Almost immediately all internet traffic is broken. Sometimes a little bit of traffic is able to pass, but most of it gets lost.
The same happens when I send the same command to another UTM over the internet, that is, my local internet connection gets broken from another (Windows) machine. I'm not sure whether the Linux machine executing the command is simply overflowing my switch or whether the local UTM is impacted, but it seems to be the UTM, since when I send the same command to my network-attached printer, my internet connection stays up perfectly fine.
I don't know whether or not the other side is impacted by me giving the command, since I dare not test this when there's anyone working on site, and since I simply lose my own internet connection entirely, I cannot test this from my own connection LOL.
The traffic does get logged (and a lot (understatement) is getting logged, so that may be the reason my own firewall is failing); these are all log lines like this one:
2016:11:15-23:00:18 utm ulogd[14416]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="64:31:50:9d:0e:2f" dstmac="ac:22:0b:4f:3d:41" srcip="192.168.11.119" dstip="192.168.11.1" proto="1" length="56" tos="0x00" prec="0x00" ttl="64" type="3" code="3"
That is exactly the ICMP type 3 code 3 that is getting sent by the tool.
Usually my firewall log at home is about 200 - 500 KB each day, but today's is already over 1 GB after only short periods of running this tool :O
Now my questions:
Can we prevent (or only log the first 100 packets or so) the UTM logging this type of traffic so the local firewall doesn't simply overload (I assume that must be the case)?
Can we prevent this kind of traffic from travelling through the firewall at all, both outgoing and incoming?
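As an added example (not part of the original post and not Sophos code), the following script parses ulogd packetfilter lines in the key="value" layout quoted above and flags source IPs whose rate of dropped ICMP type 3 code 3 packets exceeds a threshold per time window; the log lines, addresses and threshold are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the same ulogd layout as the post's log line (made-up addresses).
SAMPLE_LOG = """\
2016:11:15-23:00:18 utm ulogd[14416]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.11.119" dstip="192.168.11.1" proto="1" length="56" ttl="64" type="3" code="3"
2016:11:15-23:00:18 utm ulogd[14416]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.11.119" dstip="192.168.11.1" proto="1" length="56" ttl="64" type="3" code="3"
2016:11:15-23:00:18 utm ulogd[14416]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.11.119" dstip="192.168.11.1" proto="1" length="56" ttl="64" type="3" code="3"
2016:11:15-23:00:19 utm ulogd[14416]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.11.50" dstip="192.168.11.1" proto="1" length="56" ttl="64" type="8" code="0"
2016:11:15-23:00:20 utm ulogd[14416]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.11.119" dstip="192.168.11.1" proto="1" length="56" ttl="64" type="3" code="3"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')                      # key="value" pairs
TS_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})')  # leading UTM timestamp

def parse_line(line):
    """Return (timestamp, fields) for a ulogd packetfilter line, or None if it does not match."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return ts, dict(KV_RE.findall(line))

def is_icmp_port_unreachable(fields):
    """ICMP (proto 1) type 3 code 3 = destination port unreachable, the packet type seen in the post."""
    return fields.get("proto") == "1" and fields.get("type") == "3" and fields.get("code") == "3"

def count_unreachable_per_source(log_text, window_seconds=1):
    """Count dropped ICMP 3/3 packets per source IP, bucketed into fixed time windows."""
    buckets = defaultdict(Counter)  # window index -> Counter(srcip -> packets)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        if not is_icmp_port_unreachable(fields):
            continue
        buckets[int(ts.timestamp()) // window_seconds][fields["srcip"]] += 1
    return buckets

def flood_sources(log_text, threshold, window_seconds=1):
    """Return {srcip: peak packets per window} for sources exceeding the threshold in any window."""
    peaks = Counter()
    for counts in count_unreachable_per_source(log_text, window_seconds).values():
        for src, n in counts.items():
            peaks[src] = max(peaks[src], n)
    return {src: n for src, n in peaks.items() if n > threshold}

if __name__ == "__main__":
    print(flood_sources(SAMPLE_LOG, threshold=1))  # constructed sample: one source peaks at 3/s
```

A real threshold would be far higher than the sample's; the point is that the ICMP type/code fields in the existing drop log are enough to spot the flood source without capturing traffic.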