Researchers Prove One Laptop Can Kill an Entire Internet Server

by Stephanie Faris on Monday, December 05 6:00

When a popular site crumples under the strength of an attack, people usually envision a team of mastermind hackers taking it offline. However, a new research study found that just one laptop could take down an entire website using an attack technique called BlackNurse. The threat affects some of the most popular server types in the industry today, including Cisco and SonicWall.

A team at the TDC Security Operations Center discovered that a hacker could send a series of specialized packets that overwhelm a server and take it down. This technique can work even on a high-capacity server, making it a serious danger to any business that relies on a website to interact with customers. By understanding more about BlackNurse, businesses can begin to take steps to protect their online presence.

How It Works

The Danish operations center noticed that a certain type of ICMP attack was able to flood a network even if the hacker was using a low level of bandwidth. The team conducted a variety of tests to determine how the attack worked, the details of which are posted here. Once a server reaches a certain bandwidth, it begins dropping packets, eventually going offline altogether.

The team noticed that because of the way the attack is designed, a single laptop with a minimal bandwidth of 15 Mbps could deliver a BlackNurse attack of as much as 180 Mbps. In tests, the attack effectively sailed past firewalls from Cisco, Palo Alto Networks, SonicWall, and Zytel. Cisco is aware of BlackNurse but doesn t classify it as a security issue despite the fact that its ASA 5515 and 5525 firewalls have been identified as vulnerable. It s important that businesses running affected equipment be aware of BlackNurse so they can take measures to protect their network infrastructure.

The Solution

For Cisco server owners, the best solution appears to be setting a rate limit on ICMP traffic at the router level. Server administrators can also upgrade the Cisco ASA to a version that has multi-core CPUs. For other device owners, tweaking ICMP traffic rules is a first line of defense. Palo Alto Networks released a statement that the attack only affects a small percentage of its device owners. The company recommends implementing ICMP Flood Protection within the provided Zone Protection software.

If your website is affected by a BlackNurse attack, the good news is that it isn t permanent. Experts say the firewall fully recovers once the attack is complete. All too often, experts have found that the attacks affect servers with incorrect configurations. Administrators can protect themselves by examining those configurations, setting up their firewalls to block ICMP Type 3 messages, and putting professional anti-DDoS services in place to protect the network against this type of attack.

Networks face ongoing risks as hackers continue to find new ways to wreak havoc. Security administrators can stay ahead of these threats, though, by remaining alert for any new warnings. They can also invest in high-quality anti-malware tools and upgrade firewalls on a regular basis. While this won t guarantee against an attack, it can dramatically reduce the risks.