As recent attacks have shown, a typical DDoS attack floods the target with a massive volume of packets, sent from a botnet or from hijacked consumer IoT devices. With these, the rule of thumb has been the bigger the better, as a few targets have unfortunately learned from the recent attack that peaked at roughly 1.2 Tbit/s. In those attacks the IoT devices used were webcams and other devices in consumers' homes; these simple devices produced the largest attacks recorded to date. A newer DDoS technique, termed BlackNurse, takes a different approach: it uses the Internet Control Message Protocol (ICMP), and it has proven effective against firewalls.
Nearly every business has a firewall in place to protect its enterprise, and a successful DDoS attack against it can cost hours of remediation work at the very least. BlackNurse does not affect every firewall. It does, however, work well against some of the smaller Cisco ASA models, and Palo Alto Networks firewalls are a possible target, though the limiting factor there is that the attack does not apply when the ICMP Flood protection is enabled. A misconfigured SonicWall firewall could also be a target. This list is not all-inclusive.
ICMP (ping) flood attacks are common but generally use Type 8, Code 0 (echo request) packets. This attack uses an alternative method. Instead of the typical DDoS attack, where massive numbers of packets are sent and a bot army or hijacked consumer IoT devices are required, this attack can be carried out from a single laptop. The attacker has innovated by using Type 3, Code 3 (Destination Unreachable, Port Unreachable) packets, at roughly 40k-50k packets per second and a traffic rate of only 15-18 Mbit/s. The nuance that makes this attack unusual is that it is much slower than the usual ping flood yet still effective: the target firewall exhausts its CPU processing each of these messages rather than being saturated by bandwidth.
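The distinguishing signal described above is not bandwidth but the ICMP type/code mix and its rate. The following is an added example, not code from the original post or from the BlackNurse researchers: it parses raw ICMPv4 messages (verifying the RFC 1071 checksum so malformed packets are discarded), counts them per (type, code) over a capture window, and labels a sustained Type 3 / Code 3 rate as a BlackNurse-style flood while a Type 8 / Code 0 rate would be labelled a classic ping flood. The sample capture, the zero-filled stand-in for the quoted original datagram, and the 20k pps threshold are all constructed assumptions for the example; the threshold is scaled from the 40k-50k pps figure quoted above.

```python
# Added example, not code from the original post or from the BlackNurse
# researchers: parse raw ICMPv4 messages and flag a BlackNurse-style flood,
# i.e. a sustained high rate of Type 3 / Code 3 (Destination Unreachable /
# Port Unreachable) messages, as distinct from a classic Type 8 / Code 0 ping
# flood. The sample capture and the per-window threshold are constructed here
# for illustration; the threshold is an assumption scaled from the 40k-50k
# packets/second figure quoted in the text.
import struct
from collections import Counter

ICMP_ECHO_REQUEST = (8, 0)       # classic ping flood
ICMP_PORT_UNREACHABLE = (3, 3)   # BlackNurse

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload.
    Returns 0 when run over a message whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """ICMP header: type(1) code(1) checksum(2) rest-of-header(4), then payload."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload

def parse_icmp(pkt: bytes):
    """Return (type, code), or None if the message is truncated or fails its checksum."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        return None
    icmp_type, code = struct.unpack("!BB", pkt[:2])
    return icmp_type, code

def classify_flood(packets, window_s: float, pps_threshold: int) -> dict:
    """Count valid ICMP messages per (type, code) over a capture window and return
    {(type, code): (label, packets_per_second)} for rates at or above the threshold."""
    counts = Counter()
    for pkt in packets:
        tc = parse_icmp(pkt)
        if tc is not None:
            counts[tc] += 1
    labels = {ICMP_ECHO_REQUEST: "ping flood (Type 8/Code 0)",
              ICMP_PORT_UNREACHABLE: "BlackNurse-style flood (Type 3/Code 3)"}
    findings = {}
    for tc, n in counts.items():
        rate = n / window_s
        if rate >= pps_threshold:
            findings[tc] = (labels.get(tc, "ICMP flood"), rate)
    return findings

# Constructed sample: a Type 3 message quotes the offending datagram's IP header
# plus its first 8 bytes; a zero-filled 28-byte stand-in is used here.
ORIG_DATAGRAM = bytes(28)

def sample_capture():
    """Constructed 0.1 s window: 5,000 Port Unreachable messages (50k pps),
    50 echo requests (500 pps), one corrupted and one truncated message."""
    pkts = [build_icmp(3, 3, ORIG_DATAGRAM) for _ in range(5000)]
    pkts += [build_icmp(8, 0, b"ping payload") for _ in range(50)]
    corrupted = bytearray(build_icmp(3, 3, ORIG_DATAGRAM))
    corrupted[5] ^= 0xFF               # flip a byte so the checksum no longer verifies
    pkts.append(bytes(corrupted))
    pkts.append(b"\x03\x03\x00\x00")   # too short to be an ICMP message
    return pkts

def demo():
    # Assumed threshold: 20k pps sustained over the window, below the 40k-50k pps
    # the attack is reported to need, so a slower flood still trips it.
    return classify_flood(sample_capture(), window_s=0.1, pps_threshold=20_000)

if __name__ == "__main__":
    for (t, c), (label, rate) in demo().items():
        print(f"ICMP type {t} code {c}: {label} at {rate:.0f} pps")
```

In practice the packet list would come from a live capture or a pcap rather than from `sample_capture()`; the checksum check matters there because a firewall under this attack is spending CPU on exactly these messages, so counting only well-formed ones gives a rate the device actually has to process. Because Type 3 / Code 3 messages are also produced legitimately, the verdict rests on the sustained rate per window, not on the presence of the type/code alone.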
Attackers are always looking for new methods to achieve their goals, whatever those may be. This attack took the common staple of the DDoS, the ICMP flood, and altered the point of attack. Although it does not work against every potential target and system, it has the distinct possibility of being traumatic for a target that is successfully attacked.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.