
Detecting BlackNurse attacks using Snort IDS


BlackNurse attack

Recently, Danish researchers at the Security Operations Center of telecom operator TDC uncovered a weakness shared by firewalls from several well-known vendors. A single computer is enough to bring vulnerable Cisco, SonicWall, Palo Alto and Zyxel firewalls to their knees. More information can be found in the report they published on the BlackNurse attack (soc.tdc.dk/blacknurse/blacknurse.pdf).

The attack uses ICMP Type 3 "destination unreachable" messages, specifically ICMP Type 3 Code 3 "port unreachable". Processing a flood of these messages can overload the CPU of an affected firewall and put it into a DoS state. What makes BlackNurse notable is how little traffic is needed: TDC reported that roughly 40-50K packets per second (15-18 Mbit/s) was sufficient, far below what would normally be considered a volumetric DDoS, so bandwidth graphs alone will not show it.

Detecting BlackNurse attacks using Snort IDS

Snort is an open-source network intrusion detection system (NIDS) that is typically used to detect both new and legacy threats. It can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. In intrusion detection mode, Snort monitors network traffic and analyzes it against a rule set. The rules shown below can be used to detect BlackNurse attacks from internal and external sources: both match only ICMP Type 3 Code 3, and the detection_filter keeps them quiet until more than 250 such messages hit the same destination within one second, so ordinary port-unreachable replies do not generate alerts.

Snort IDS Rules to detect signs of the BlackNurse Attack.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TDC-SOC - Possible BlackNurse attack from external source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;)

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"TDC-SOC - Possible BlackNurse attack from internal source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)
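To make the detection_filter behaviour of the two rules concrete, here is an added example that models them in Python over a constructed packet list. It is not code from the original post, TDC or LANGuardian. The $HOME_NET ranges, the sample addresses and the timestamps are assumptions made for the example; the itype/icode match, the by_dst tracking and the 250-per-second threshold are taken from the rules above.

```python
# Added example: a Python model of the two TDC Snort rules, run over a
# constructed packet list. Not code from the original post, TDC or LANGuardian.
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple

# $HOME_NET as assumed for this example; every other address is $EXTERNAL_NET.
HOME_NET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# detection_filter parameters taken from the rules: track by_dst, count 250, seconds 1
COUNT, SECONDS = 250, 1.0
SID_EXTERNAL, SID_INTERNAL = 88000012, 88000013


class Packet(NamedTuple):
    ts: float          # capture time in seconds
    src: str
    dst: str
    proto: str         # "icmp", "udp", ...
    itype: int = -1    # ICMP type, -1 when not ICMP
    icode: int = -1    # ICMP code


def in_home_net(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in HOME_NET)


class DetectionFilter:
    """Model of Snort's detection_filter: the first match for a tracked key
    opens a window of `seconds`; the rule fires for every further match once
    the count has been exceeded inside that window; a match after the window
    has closed starts a fresh window and counter."""

    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.state: Dict[str, List[float]] = {}   # key -> [window_start, hits]

    def update(self, key: str, ts: float) -> bool:
        st = self.state.get(key)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[key] = [ts, 0]
        st[1] += 1
        return st[1] > self.count


def run_rules(packets) -> Dict[int, List[Tuple[float, str, str]]]:
    """Apply sids 88000012/88000013 and return the alerts per sid as (ts, src, dst)."""
    filters = {sid: DetectionFilter(COUNT, SECONDS) for sid in (SID_EXTERNAL, SID_INTERNAL)}
    alerts: Dict[int, List[Tuple[float, str, str]]] = {SID_EXTERNAL: [], SID_INTERNAL: []}
    for p in packets:
        # itype:3; icode:3 -> only ICMP destination unreachable / port unreachable
        if p.proto != "icmp" or p.itype != 3 or p.icode != 3:
            continue
        src_home, dst_home = in_home_net(p.src), in_home_net(p.dst)
        if dst_home and not src_home:
            sid = SID_EXTERNAL        # $EXTERNAL_NET -> $HOME_NET
        elif src_home and not dst_home:
            sid = SID_INTERNAL        # $HOME_NET -> $EXTERNAL_NET
        else:
            continue                  # neither rule covers home->home or ext->ext
        if filters[sid].update(p.dst, p.ts):     # track by_dst
            alerts[sid].append((p.ts, p.src, p.dst))
    return alerts


def build_sample_capture() -> List[Packet]:
    """Constructed traffic, not a real capture: one external flood, one
    internal flood, a legitimate trickle and an unrelated echo flood."""
    pk: List[Packet] = []
    # 300 port-unreachables from one outside host to the firewall in 0.3 s
    pk += [Packet(100.0 + i * 0.001, "203.0.113.5", "10.0.0.1", "icmp", 3, 3) for i in range(300)]
    # 260 from an internal host towards an outside address in about 0.5 s
    pk += [Packet(200.0 + i * 0.002, "10.0.0.77", "198.51.100.7", "icmp", 3, 3) for i in range(260)]
    # 20 genuine port-unreachables spread over 10 s (replies from a closed UDP port)
    pk += [Packet(300.0 + i * 0.5, "10.0.0.50", "198.51.100.9", "icmp", 3, 3) for i in range(20)]
    # 300 echo requests: high rate, but the wrong ICMP type, so never a match
    pk += [Packet(400.0 + i * 0.001, "203.0.113.9", "10.0.0.1", "icmp", 8, 0) for i in range(300)]
    return sorted(pk, key=lambda p: p.ts)


if __name__ == "__main__":
    for sid, hits in run_rules(build_sample_capture()).items():
        print(f"sid {sid}: {len(hits)} alerts, first: {hits[:1]}")
```

Running it shows the external rule firing 50 times for the 300-packet flood (everything past the 250th packet in the window) and the internal rule 10 times for the 260-packet burst, while the slow trickle of genuine port-unreachables and the echo flood produce nothing. Because the rule fires on every packet past the threshold, a real attack at the rates TDC observed would generate many alerts per second; in a production Snort deployment you would normally pair these rules with an event_filter to throttle logging.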

Detect BlackNurse Attacks On Your Network

Use the IDS and deep packet inspection engines of LANGuardian to detect the presence of BlackNurse attacks on your network. Real-time and historical reports are available.

Manually adding Snort Rules to LANGuardian

The LANGuardian security module includes the Snort IDS engine, which enables real-time detection of and alerting on malicious events occurring on your network. LANGuardian integrates data from the IDS with traffic analysis data to give a single view of activity on your network. The LANGuardian IDS rule set is updated automatically, but you can also add the BlackNurse signatures manually as follows.

  1. Click on the gear symbol at the top right of LANGuardian and select Settings.
  2. Within Settings, click on Local IDS Signatures.
  3. Click on Add new signature and paste in one of the Snort rules shown above in this post.
  4. Repeat the Add new signature step for the second Snort rule.

Once the rules are added to LANGuardian, you can detect the presence of BlackNurse attacks via the Top Network Events report. An event triggered by the internal rule (sid 88000013) reports that one or more clients on your network are generating ICMP Type 3 Code 3 "port unreachable" messages at a rate that could be used to take down a firewall. Click on the value in the Total column to get the IP address and associated username of the problematic client(s).


Events triggered by the external rule (sid 88000012) report that one or more hosts outside your network are generating ICMP Type 3 Code 3 "port unreachable" messages towards your network at a rate that could be used to take down a firewall. Click on the value in the Total column to get the IP addresses of the problematic hosts and block them upstream if necessary.

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort's flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology, which can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian for user activity monitoring, file activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics, network forensics and packet capture.