A well-known aspect of criminals in any space is that they are unpredictable. They look for holes and vulnerabilities in systems and try to use them to their advantage. Security systems, therefore, have to be architected in a way that assumes attack unpredictability.
A new threat emerging on the horizon is called BlackNurse DDoS attack. Fortinet protects organizations against this content based protection, with the IPS signature "BlackNurse.ICMP.Type.3.Code.3.Flood.DoS", as well as with behavior-based protection through our FortiDDoS technology. With FortiDDoS deployed, an unpredictable attack like this can be easily thwarted without any prior knowledge and planning by a security administrator – the device and its suggested implementation approach automatically protects you from such attacks even without having a signature.
The ICMP protocol is a commonly used protocol on the Internet. This protocol is used primarily to report diagnostic information and error messages. Besides that, it is used for ensuring connectivity in SSL, VPN, and High Availability (HA) deployments between nodes. The protocol is very similar to TCP and UDP in its implementation, in that it uses types and codes (similar to ports used by the sockets for the exchange of information between two end points on the Internet). There are 256 types and 256 possible codes, which are assigned by IANA for different purposes. A few examples of ICMP protocol variations that most network engineers know include:
Figure 1. Black Nurse DDoS logo
A Danish company recently discovered several low-volume DDoS attacks leveraging ICMP traffic against some of its clients. This attack is called BlackNurse, and it is a DDoS attack that leverages ICMP packets Type 3, Code 3. The attack causes some network equipment to overload the CPU with operations.
FortiDDoS appliances inspect packets using hardware logic from many perspectives. These include many layer 3, 4, and 7 parameters. For example, at layer 3 each and every protocol is classified and measured for rates. At layer 4, FortiDDoS inspects each and every TCP port, UDP port, and ICMP type and code in each direction, as well as each Service Protection Profile (SPP). At layer 7, it inspects HTTP packets for URLs, Hosts, User Agents, Referers, etc. And for DNS packets it continuously monitors metering queries, responses, query types, response types etc. This gives it the ability to baseline normal rates for each of these parameters. An attack may be cleverly crafted, but it will show up as a peak in one of the parameters if there is a similarity in the attack packets. Which is why an attack like BlackNurse suddenly showing up on ICMP type 3, code 3 will automatically be seen by the FortiDDoS hardware logic and immediately stopped.
A key advantage of the FortiDDoS architecture is that even if an attacker changes the script to another combination of these types and codes, it will still be stopped.
If your FortiDDoS-protected network doesn’t use ICMP type 3 and code 3 to communicate externally, hardware ACLs for ICMP type 3 and code 3 can be used to totally block this attack instantaneously without any performance penalty on the traffic. You can use similar ACLs for any unused protocolos and services.
FortiDDoS allows you to baseline traffic and recommends thresholds based on your actual traffic. It is expected that the traffic on these rarely used protocols and services is normally very low. The appliance’s System Recommendation setup will therefore keep low thresholds for these rarely used protocols. When an attack such as BlackNurse is launched,then, a spike will be seen outside the normal range and automatically stop the attack.
The Fortinet team will continue to monitor this new DDoS variant, and provide additional information about identifying and stopping it as soon as that data becomes available.