Your network is doing so much more than just connecting your schools’ or libraries’ devices. It’s delivering high-stakes online assessments to students. It’s operating your payroll. It’s enabling your VoIP phone system to contact 911 in an emergency. It’s coordinating transportation. It’s providing personalized learning opportunities and preparing future generations.
Protecting your network is more than network security; it’s ensuring learners and leaders have the security, operational, administrative, and instructional tools they need when they need them.
Flying under the radar and wreaking havoc on your network
When you think about distributed denial of service (DDoS) attacks, you typically envision a flood of network traffic purposefully designed to crash your system. Those brute-force floods are quickly becoming yesterday’s news, with today’s attackers finding faster ways to disrupt an organization’s network. A new type of DDoS threat has emerged that requires only a small amount of traffic, potentially from a single device, to wreak havoc on your system.
Attacking weaknesses in your security system where you’d least expect it
This new attack has a unique set of super powers. It works to quietly target specific firewalls with a stream of ICMP Type 3, Code 3 (Destination Unreachable, Port Unreachable) error messages, overloading the firewall’s CPU and causing it to drop packets (NS.com) while using only a modest amount of bandwidth (less than 20 Mbit/s) (TDC-SOC-CERT). These destination unreachable ICMP messages consume significantly more resources on some firewalls than the more common ICMP Echo messages associated with the Ping command. This ICMP flooding method has been given the name “BlackNurse,” after the two analysts who identified the attack: one a former nurse, the other a former blacksmith (Netresec and TDC-SOC-CERT).
Disguised as harmless traffic
BlackNurse is sneaky and loves to play the “little ole innocent me” card. Network operators beware: the impact can be significant for any firewall that accepts ICMP on its outside interface. Most firewalls are prepared for larger, more targeted attacks, but have seemingly ignored attacks like BlackNurse in the past because of their infrequency and perceived minimal threat. Well, this tiny but mighty attack is becoming increasingly common and could soon be a force to be reckoned with, taking networks offline and leaving network admins perplexed.
Making the Sunday paper
At ENA, we’ve already seen BlackNurse attempt to launch seven attacks against a single customer in just one week. Luckily, all those attacks were mitigated by ENA before any harm could be felt by the customer. “These attacks are pretty scary because such a small amount of traffic can cause such a large utilization spike on a firewall, even if it’s only performing NAT translation for the attacked device. One attacking device with 20 Mbps of traffic can max out a firewall that is designed to pass 2 Gbps of stateful traffic,” says Education Networks of America’s Security Architect, Allen Hutton.
New threats emerge daily in network security. Cyber attackers are constantly looking for loopholes and new system weaknesses. Fortunately, there are some steps you can take to protect your network from BlackNurse’s detrimental impacts:
- Check to see if your device is vulnerable to the BlackNurse attack. Many leading firewall devices have been listed as potentially vulnerable without corrective configuration.
- If your firewall is vulnerable, or if you merely wish to prevent vulnerability, configure zone protection profiles or DDoS rules with ICMP-flood protection enabled on the firewall, or apply rate limiting to ICMP on routers upstream.
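As an added illustration (not ENA’s code or tooling), the following Python script aggregates ICMP Type 3, Code 3 packet rates per source from constructed flow records and flags sources that sustain a high rate toward one destination, the kind of check a network team could run over exported flow data to spot a BlackNurse-style flood before the firewall’s CPU does. The record format, the 40,000 packets-per-second threshold and the IP addresses are assumptions.

```python
"""Detect a BlackNurse-style ICMP Type 3 / Code 3 flood in flow records."""
from collections import defaultdict
import re

# Constructed sample (not real data): space-separated flow summaries, one per line.
# Fields: epoch_second src dst proto icmp_type icmp_code packets
SAMPLE_FLOWS = """\
1700000000 198.51.100.7 203.0.113.1 icmp 3 3 48000
1700000000 198.51.100.9 203.0.113.1 icmp 8 0 20
1700000001 198.51.100.7 203.0.113.1 icmp 3 3 51000
1700000001 192.0.2.25 203.0.113.1 icmp 3 3 40
1700000002 198.51.100.7 203.0.113.1 icmp 3 3 47000
1700000002 198.51.100.9 203.0.113.1 icmp 0 0 20
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) "
    r"(?P<itype>\d+) (?P<icode>\d+) (?P<pkts>\d+)$")

def parse_flows(text):
    """Yield (second, src, dst, icmp_type, icmp_code, packets) for each ICMP record."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m or m["proto"] != "icmp":
            continue  # skip malformed lines and non-ICMP flows
        yield (int(m["ts"]), m["src"], m["dst"], int(m["itype"]), int(m["icode"]), int(m["pkts"]))

def port_unreachable_pps(text):
    """Packets per second of ICMP Type 3 Code 3 only, keyed by (src, dst, second)."""
    pps = defaultdict(int)
    for sec, src, dst, itype, icode, pkts in parse_flows(text):
        if itype == 3 and icode == 3:
            pps[(src, dst, sec)] += pkts
    return pps

def find_blacknurse_sources(text, threshold_pps=40000, min_seconds=2):
    """Sources sending more than threshold_pps ICMP 3/3 toward one destination
    for at least min_seconds distinct seconds (threshold is an assumed tuning value)."""
    hot_seconds = defaultdict(set)
    for (src, dst, sec), count in port_unreachable_pps(text).items():
        if count > threshold_pps:
            hot_seconds[(src, dst)].add(sec)
    return sorted(pair for pair, secs in hot_seconds.items() if len(secs) >= min_seconds)

if __name__ == "__main__":
    for src, dst in find_blacknurse_sources(SAMPLE_FLOWS):
        print(f"BlackNurse-like ICMP 3/3 flood from {src} toward {dst}")
```

Echo traffic and the low-rate port-unreachable replies from 192.0.2.25 are ignored; only the source sustaining tens of thousands of Type 3 Code 3 packets per second is reported.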
ENA is working to ensure our broadband customers are protected by implementing rate limiting upstream of our customers’ firewalls to shield them from these attacks. ENA’s engineering teams are continually testing and developing new methods of discovering and mitigating threats in today’s ever-changing network security landscape. Through sophisticated traffic pattern analysis and strategically placed active policies designed to deny known attack vectors, ENA can limit attack traffic at the edge of our network.
More about ENA:
ENA is the leading provider of Infrastructure as a Service (IaaS) solutions to schools, higher education institutions, and libraries. ENA offers a full suite of connectivity, communication, and collaboration services including broadband, Wi-Fi/LAN, VoIP, video collaboration and web conferencing, cloud, and security solutions.
Our Internet access, firewall, WAN, network security, and content filtering services are designed to power learning, streamline operations, and protect your organization from detrimental security threats and attacks.