New twist on DDoS technique poses threat to CSP networks

Posted By

SC Magazine


September 28, 2021

No Internet-connected device appears to be safe from potentially being abused by a newly theorized form of distributed denial of service attack that could be used to severely disrupt large communications service provider (CSP) networks and large enterprises. And with so many possible devices to abuse, researchers are warning this technique could “potentially take the cyberworld by storm.”

The DDoS technique, dubbed "Black Storm" by the research team at Nexusguard, involves actors employing the attack methodology known as BlackNurse, but adding a reflective element to it (rBlackNurse). BlackNurse attacks abuse ICMP (Internet Control Message Protocol) packet replies that network devices send in “Type3/Code3 response” situations in which the user’s intended destination port cannot be reached.

In a reflective version of this attack, adversaries intentionally send spoofed User Datagram Protocol (UDP) requests — which appear to come from the targeted victim’s network — to the closed UDPs computers, routers, servers and other CSP devices, to deliberately cause an ICMP Type3/Code3 response from said devices. Consequently, the network whose IP has been spoofed becomes inundated by these responses as more devices respond to the mimicked IP source.

“Reflected attacks… are difficult to block since the originators of the responses are not actually compromised systems and are simply responding to the errant request,” said Oliver Tavakoli, CTO at Vectra. “Black Storm is just the latest such variant… though when you find a network filled with devices which respond in the same predictable way, such an attack can certainly wreak havoc.”

Indeed, what makes Black Storm uniquely dangerous, say Nexusguard researchers, is that the technique is easier to pull off than traditional amplification attacks — which abuse DNS servers and other open services to generate fake traffic — because Black Storm can capitalize on any internet-connected device. Moreover, CSPs are reportedly not well-prepared to mitigate such attacks because their defense solutions are designed more around detecting inbound traffic, not internal traffic. And yet, “when attackers send UDP packets with spoofed source IPs to network devices, the rBlackNurse traffic rapidly starts to proliferate internally within the CSP network,” according to a white paper released on Tuesday by Nexusguard, which also published a blog post (through which a larger paper is available).

And it is this internal proliferation, which ultimately affects multiple devices within the same CSP network, that could make the attack especially devastating. It is this phenomenon through which rBlackNurse officially evolves into Black Storm.

“The underlying methodology of this attack is as old as DDoS itself," said Archie Agarwal, founder and CEO at ThreatModeler. “However, the interesting factor noted in this paper is that it seems CSPs may be susceptible to a ‘pinball effect’ within their networks, as the spoofed packets proliferate within the network itself. If this is true traditional DDoS network edge devices may not help once the packet penetrates the network.

“The size of each attack can vary between 100Mbps and 1Gbps, though the attack itself can become even more potent when mixed with other types of amplification attacks,” the white paper also notes. Therefore, CSPs or other targeted enterprises could find themselves overwhelmingly besieged with fraudulent generated traffic designed to effectively shut down their operations and affect their clientele.

In an email interview with SC Media, Nexusguard Research Manager Tony Miu noted that operations within the victimized network would resume normalcy once adversaries stop their attack. However, while the attack is ongoing, mitigation would be difficult for several reasons. For starters, said Miu, "The triggering UDP requests packet can vary. It can be a DNS request, NTP request, application request, null payload, and much more. Any attackers that have done the legwork to analyze a targeted CSP can generate non-filterable UDP requests to trigger it, bypassing any attempts to detect and/or mitigate the attack."

Also, "dealing with such an attack will require the CSP to have detailed understanding of its complex network environment such as baselines of protocol-mix-ratios for devices on its network and security policies for critical network devices (e.g., routers, switches, etc.)... Without, wrongfully placed mitigation measures will cause even more service disruptions." And finally, "failure to keep the triggers in check will result in legitimate reflection ICMP traffic to be generated from the internal devices, causing congestion. These ICMP messages are used to perform troubleshooting and communication; it's impossible to block [them] entirely."

Nexusguard offered several recommendations for how user organizations can batten down the hatches against this perhaps forthcoming Black Storm on the horizon, including investing in deep-learning-based solutions that can “discern and drop” malicious internal UDP traffic from normal traffic; applying access control mechanisms such as block and allow lists to routers; and scanning regularly for vulnerabilities, especially for any devices that reply to ICMP Type 3 Code 3 packets.

Ray Pompon, director of threat research at F5 Labs also offered some of his own guidance, advising that it’s “important to think zero trust in terms of network stacks since perimeters are opening up and organizations may carelessly put anything and everything online.”

But just how worried should CSPs and other organizations be, and how swiftly must they act?

“The paper itself notes this is ‘theorized’ based on an observation, and so we will have to wait to see if this is as potentially dangerous or feasible as the paper posits,” said Agarwal.

Indeed, for now, BlackNurse and rBlackNurse attacks have been witnessed in the wild, but a Black Storm attack has not yet occurred, to Nexusguard researchers' knowledge.