
posted by janrinok on Tuesday November 15 2016, @01:54AM
from the for-sale:-random-name-generator,-hardly-used dept.

A code artefact in a number of popular firewalls means they can be crashed by a mere crafted ping.

The low-rate "Ping of death" attack, dubbed BlackNurse, affects firewalls from Cisco, SonicWall, Zyxel, and possibly Palo Alto.

Since we don't imagine Switchzilla has started giving away the version of IOS running in its ASA firewalls, Vulture South suspects it arises from a popular open source library. Which means other vulnerable devices could be out there.

Unlike the old-fashioned ping-flood, the attack in question uses ICMP "Type 3, Code 3" (destination unreachable, port unreachable) packets.

In the normal course of events, a host would receive that packet in response to a message it had initiated – but of course, it's trivial to craft that packet and send it to a target.

In devices susceptible to BlackNurse, the operating system gets indigestion trying to process even a relatively low rate of these messages – in the original report from Denmark's TF-CSIRT, gigabit-capable routers could be borked by just 18 Mbps of BlackNurse traffic on their WAN interfaces.
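The two facts that matter for a defender are that the triggering traffic is ordinary ICMP type 3 / code 3 and that the rate needed is low, so a volume-based flood threshold will not catch it. The following is an added example (not code from the article, TF-CSIRT or any vendor) of a packet-level check: it parses the IPv4 and ICMP headers from raw bytes, keeps a per-source sliding window of destination-unreachable/port-unreachable packets, and flags a source that exceeds a packets-per-window threshold. The threshold of 100 per second, the TEST-NET sample addresses, and the in-memory sample packets are assumptions constructed for the demonstration; checksums are not validated.

```python
import struct
from collections import defaultdict, deque

ICMP_PROTO = 1
ICMP_DEST_UNREACH = 3   # ICMP type 3
ICMP_PORT_UNREACH = 3   # ICMP code 3 within type 3


def parse_ipv4_icmp(packet: bytes):
    """Return (src_ip, icmp_type, icmp_code) for a raw IPv4 packet carrying ICMP, else None."""
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl,
     proto, _cksum, src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != ICMP_PROTO:
        return None
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    if ihl < 20 or len(packet) < ihl + 4:
        return None
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    return ".".join(str(b) for b in src), icmp_type, icmp_code


class BlackNurseDetector:
    """Flag a source sending more than `threshold` type 3/code 3 packets within `window` seconds.

    A plain flood detector would miss this traffic because the rate is low;
    the check is therefore on the specific ICMP type/code, per source.
    """

    def __init__(self, threshold: int = 100, window: float = 1.0):
        self.threshold = threshold      # assumed value; tune to the device's real capacity
        self.window = window
        self.hits = defaultdict(deque)  # src_ip -> timestamps of matching packets

    def observe(self, packet: bytes, now: float):
        """Feed one packet with its capture time; return the source IP if it crosses the threshold."""
        parsed = parse_ipv4_icmp(packet)
        if parsed is None:
            return None
        src, icmp_type, icmp_code = parsed
        if icmp_type != ICMP_DEST_UNREACH or icmp_code != ICMP_PORT_UNREACH:
            return None                 # other ICMP (echo, TTL exceeded, ...) is ignored here
        q = self.hits[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                 # drop timestamps that fell out of the window
        return src if len(q) > self.threshold else None


def build_icmp_packet(src_ip: str, icmp_type: int, icmp_code: int) -> bytes:
    """Constructed sample input only: minimal IPv4 header + 8-byte ICMP header, never sent anywhere."""
    src = bytes(int(x) for x in src_ip.split("."))
    dst = bytes([192, 0, 2, 1])         # TEST-NET-1 documentation address (assumed target)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ICMP_PROTO, 0, src, dst)
    icmp_header = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    return ip_header + icmp_header


def run_demo():
    """Three constructed sources: a low-rate burst of 3/3, echo replies, and slow legitimate 3/3."""
    det = BlackNurseDetector(threshold=100, window=1.0)
    alerted = []
    # 150 port-unreachable packets inside one second from one source: should alert.
    for i in range(150):
        hit = det.observe(build_icmp_packet("198.51.100.7", 3, 3), now=i / 150)
        if hit and hit not in alerted:
            alerted.append(hit)
    # 150 echo replies (type 0) from another source: wrong type, never alerts.
    for i in range(150):
        assert det.observe(build_icmp_packet("203.0.113.9", 0, 0), now=i / 150) is None
    # 50 port-unreachable packets spread over 10 seconds: ordinary traffic, stays under threshold.
    for i in range(50):
        assert det.observe(build_icmp_packet("203.0.113.5", 3, 3), now=i * 0.2) is None
    return alerted


if __name__ == "__main__":
    print("sources flagged:", run_demo())
```

In practice the packets would come from a capture on the WAN interface and `now` from the capture timestamp; the point of the sliding window is that a source can be flagged while still well below the bandwidth any volumetric alarm would notice. The same type/code match is what an ingress ACL or rate-limit rule on the edge device would key on.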

  • (Score: 4, Interesting) by Snotnose on Tuesday November 15 2016, @01:58AM

    by Snotnose (1623) on Tuesday November 15 2016, @01:58AM (#426806)

    Writing a wireless network device driver pre 802.11g, ran across this vulnerability, and wrote code to avoid it. I don't remember the details, but it wasn't anything that impacted my schedule.

    Kinda retired now, should I triple my rates and advertise myself as a common sense implementer?

    God gives his toughest battles to his strongest soldiers. I am not one of them, please make it stop.
    • (Score: 2) by WizardFusion on Tuesday November 15 2016, @12:34PM

      by WizardFusion (498) on Tuesday November 15 2016, @12:34PM (#426926) Journal

      a common sense implementer

      In today's world, sadly that is a very rare commodity.

      • (Score: 2) by Hyperturtle on Tuesday November 15 2016, @02:28PM

        by Hyperturtle (2824) on Tuesday November 15 2016, @02:28PM (#426964)

        hmm 23 years ago would cut it close to Windows 95's use (being released Aug 24th in 1995 I believe); Novell was still king of network protocols in the Windows 3.11 era. What did you know of in the TCP/IP stack at the time that would have effectively patched what was academic protocol in most enterprise environments, provided they were using Ethernet and not 802.5 or a similar topology with IPX as the layer 3 method of communication?

        Or perhaps that is too granular and I need coffee and snotnose is discussing the ping of death or a related malady?

        Large ICMP packets are still useful for testing bandwidth and troublesome links; that power was mostly taken away from the plebs though... unless you have an old OS, network hardware has to be used to send "extended" ICMP traffic where the size or content can be adjusted as needed. Still causes trouble when done wrong or ineptly, though!

        This problem is more about the abuse of a regular feature that can tie up old hardware and essentially crash them, like most typical hardware for firewalls released between 2006 and 2012 or so -- pentium 4 era up to right before the multicore era in network edge hardware. (I guess the ping of death was the abuse of a regular feature, too)

        That said, Snotnose, you should come out at night and fight for the forces of good in proactively protecting against this stuff via the release of small free applications posted to various places that count, so people that also are aware of it can help protect against it. (of course, it is hard to run an application on edge network hardware directly to protect against something like this--the app presumably would protect a computer/server host as opposed to a network appliance.)

        • (Score: 3, Interesting) by Snotnose on Wednesday November 16 2016, @03:49AM

          by Snotnose (1623) on Wednesday November 16 2016, @03:49AM (#427346)

          My bad, it was more like 15 years ago. The key should have been "before 802.11g"; my startup's entire being was based on our protocol being established first.

          To be clear, I did not think of this myself. Probably heard about it on /., given the era and the websites I read at the time. But once I heard about it it was pretty easy to defend against it.

          My startup's chip sucked up too much power, they went bankrupt before they could do another chip spin, and their early investor (Samsung) bought them for pennies on the dollar.

          Ever see that commercial about taking your TV from the living room, to the bedroom, to the pool? That was my startup's technology. It worked, it just took too much power and the company ran out of money before they could fix that.

          Actually, being honest, that company was a rat's nest. They had a habit of laying off people who were about to vest some stock options. That happened to the guy who got me the first interview there. That got one of the guys who interviewed me; he'd been there 3 years (one of the first employees), was one of the most knowledgeable folks I could talk to when I had a question. They used to have mandatory Friday 5 PM company meetings, where the inner sanctum would wander the crowd and note who was and was not there.

          Magis Networks, you sucked a huge bag of dicks and everyone who lost money in you I can only say HA HA.

          / Ahh, alcohol. Is there anything you can't do?
          // name names, Magis was the worst place I ever worked
          /// Good people, great tech, seriously fucked up upper management

          God gives his toughest battles to his strongest soldiers. I am not one of them, please make it stop.
  • (Score: 1) by nobu_the_bard on Tuesday November 15 2016, @02:30PM

    by nobu_the_bard (6373) on Tuesday November 15 2016, @02:30PM (#426967)

    I took a couple of minutes and looked at the links. I forgot to look for the justification for that silly name. This page explains how to test: []

    People are saying pfSense firewalls aren't affected; I didn't test mine yet. The problem is how the Cisco firewalls and related devices/softwares process these specific packets, causing all resources to be used. Higher powered firewalls are not as easily affected.

    It seems this has been around for a while but not seen heavy use? It's not really "new" in any case.

  • (Score: 0) by Anonymous Coward on Tuesday November 15 2016, @11:34PM

    by Anonymous Coward on Tuesday November 15 2016, @11:34PM (#427272)

    It was a buffer overrun in *nix that didn't expect windoze boxen to send pings that didn't conform to specs.