Detecting the BlackNurse DDoS Attack with Network Monitor

The security operations center (SOC) at Danish telecoms operator TDC recently published a report with regards to an ICMP based DoS/DDoS style of attack.

This attack effectively makes use of ICMP type 3 and code 3 crafted packets to drain CPU resources of certain firewalls, causing them to overload and shut down. This zero-day attack has been dubbed “BlackNurse” by TDC.

TDC and NETRESEC did a great job at documenting the test scenarios. So, in the spirit of proactive defence, I thought it was a good idea to see how this type of attack would look within LogRhythm Network Monitor Freemium.

Proactive Defence of BlackNurse

After reproducing the BlackNurse attack in a controlled environment, the first thing I sought to find out was how I could see indicators of a breach within the Network Monitor interface. Fortunately, there are many pre-configured dashboards, searches and visualizations included in Network Monitor to help me get started.

To start off, I opened the “Top Applications By Duration (histogram)” visualization. Here I could see that there was a ICMP session that had been running for 1 minute and 49 seconds. If I didn’t know what I was looking for, the ICMP session time wouldn’t be necessarily suspicious nor surprising.

Click on images to view larger

Figure 1: Top Applications By Duration Visualization

Figure 1: Top Applications By Duration Visualization

Red flags began to pop up after looking at the “Top Application by Bandwidth (pie)” visualization. A quick drill down into a different two-minute ICMP session revealed approximately 24 MB worth of packets were sent within the time period. For most networks, this volume of data far exceeds what I normally would expect from ICMP traffic, from both operational and security perspectives.

Legitimate ICMP traffic (e.g., simple ICMP ping requests used for network troubleshooting) typically only transmits small packets. In fact, if a continuous ping was running in Windows using default settings, for the same duration of time, the total bytes would not even reach 1 MB!

This type of excessive traffic in quick succession could be indicative of an ICMP-based attack, such as ICMP flooding, Smurf attack, ping of death, or ICMP protocol misuse to hide data and general DoS attacks.

Figure 2: Top Application by Bandwidth Visualization

Figure 2: Top Application by Bandwidth Visualization

Another visualization called “Top Applications by Packet Count” got my attention, because it showed a large amount of ICMP traffic, taking up 93% of all total packets received during a 15-minute period. This was definitely worthwhile investigating, because when compared to different time intervals, this percentage of ICMP traffic was outside of the norm.

Figure 3: Top Applications by Packet Count Visualization

Figure 3: Top Applications by Packet Count Visualization

From the previous visualization’s metadata, I did a little digging, and I was able to determine the attacker’s IP. From there, I took the IP and used the simple Lucene search query syntax to narrow the sources of the excessive ICMP traffic down to our test host used to initiate the BlackNurse attack.

Figure 4: Search Query Syntax Results

Figure 4: Search Query Syntax Results (Click on images to view larger.)

With just a click I was able to easily view the session information in the time around the simulated attack. Here I was able to quickly retrieve the PCAP file from Network Monitor and view the ICMP packets in closer detail.

Figure 5: Downloaded PCAP File from the NetMon Session Information

Figure 5: Downloaded PCAP File from the NetMon Session Information (Click on images to view larger.)

Know this is a crucial step in the forensics and incident response process. Being able to dig deep into the lower layers and obtain the relevant PCAP (packet capture) file related to the session in question, will help to draw further conclusions about this suspect ICMP traffic.

There we have it: BlackNurse in action. Now that you know a bit more about the attack vector, you are better prepared to defend against similar DoS/DDoS attacks.

If this were a real incident, Network Monitor would have been invaluable in detecting indicators of the BlackNurse Attack. The tool would have allowed any analyst to see suspicious traffic, drill in to it and draw conclusions fast, all while using pre-built visualisations!

If you’re not already monitoring your network, you can use Network Monitor Freemium to get started.

Try NetMon Freemium.

More like this