TDC-SOC – Possible BlackNurse attack from external source 3,3
This Snort rule detects ICMP packets carrying the specific type and code (ICMP type 3, code 3) used by BlackNurse attacks. BlackNurse is a denial of service attack based on ICMP flooding; it is notable because a modest bandwidth of 20 Mbit/s can be enough to disrupt a victim's network. If packets match these criteria at a rate exceeding the threshold defined by the detection filter, the rule raises an alert indicating a possible BlackNurse attack against the network.
Signature
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TDC-SOC – Possible BlackNurse attack from external source 3,3"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:18032016; classtype:attempted-dos; sid:5020103; rev:2;)
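To show how the signature's match conditions and its detection_filter (track by_dst, count 250, seconds 1) behave together, here is an added Python model of the rule; it is example code, not from TDC-SOC or Snort, and the HOME_NET value and all packet samples are constructed assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed stand-in for Snort's $HOME_NET; anything else counts as $EXTERNAL_NET.
HOME_NET = [ip_network("10.0.0.0/8")]


def is_home(ip):
    return any(ip_address(ip) in net for net in HOME_NET)


class BlackNurseDetector:
    """Models the rule: external src -> home dst, itype:3, icode:3, and a
    detection_filter that alerts only once more than `count` matching packets
    reach the same destination within a trailing window of `seconds`."""

    def __init__(self, count=250, seconds=1):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(deque)  # dst -> timestamps of rule matches

    def inspect(self, ts, src, dst, itype, icode):
        # Rule header and options: only external -> home ICMP 3/3 is a match.
        if is_home(src) or not is_home(dst) or itype != 3 or icode != 3:
            return False
        w = self.windows[dst]
        w.append(ts)
        while w and ts - w[0] >= self.seconds:  # expire matches outside the window
            w.popleft()
        # track by_dst, count 250: fire on the 251st match (and later) in the window.
        return len(w) > self.count


def run(packets):
    """Return timestamps of the packets that would raise the alert."""
    det = BlackNurseDetector()
    return [ts for (ts, src, dst, t, c) in packets if det.inspect(ts, src, dst, t, c)]


# Constructed samples (ts, src, dst, itype, icode):
# 300 ICMP 3/3 packets in 0.6 s from an external host -> should alert.
FLOOD = [(100.0 + i * 0.002, "203.0.113.5", "10.0.0.7", 3, 3) for i in range(300)]
# Same rate but ICMP echo requests (8/0) -> rule options do not match.
ECHO_FLOOD = [(100.0 + i * 0.002, "203.0.113.5", "10.0.0.7", 8, 0) for i in range(300)]
# 300 ICMP 3/3 packets spread over 3 s (about 100 per second) -> under threshold.
SLOW_TRICKLE = [(100.0 + i * 0.01, "203.0.113.5", "10.0.0.7", 3, 3) for i in range(300)]
# Flood from an internal source -> header does not match ($EXTERNAL_NET required).
INTERNAL_FLOOD = [(100.0 + i * 0.002, "10.0.0.9", "10.0.0.7", 3, 3) for i in range(300)]

if __name__ == "__main__":
    for name, pkts in [("flood", FLOOD), ("echo", ECHO_FLOOD),
                       ("slow", SLOW_TRICKLE), ("internal", INTERNAL_FLOOD)]:
        print(name, "alerts:", len(run(pkts)))
```

The slow trickle case shows why the filter is rate based: the same 300 packets that trigger 50 alerts in 0.6 s produce none when spread over 3 s.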
MITRE ATT&CK Technique
"Endpoint Denial of Service (T1499)", "Network Denial of Service (T1498)"
Recommendations/Investigative actions
Identify the source and destination and check whether the communication is authorized. Since the attack is based on ICMP flooding, it is recommended to block ICMP from external IPs. In addition, look for other relevant attack alerts at the same time or involving the same IPs to make sure a larger event is not ongoing. If the source is an internal IP, check the service that initiated the ICMP traffic and make sure nothing malicious is running on the machine.
Relations to other alerts