• Total Posts: 43049
  • Total Topics: 16230
  • Online Today: 5605
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: BlackNurse attack overwhelm firewalls  (Read 9231 times)

0 Members and 1 Guest are viewing this topic.


  • SCF Member
  • **
  • Posts: 14
  • KARMA: 2
BlackNurse attack overwhelm firewalls
« on: 30. December 2016., 17:40:19 »
BlackNurse was able to shut down some firewalls because the firewalls in question didn't have CPU resources to process the ICMP requests.

TDC Group, a Danish telecommunications company, discovered BlackNurse; it also identified smaller Cisco Adaptive Security Appliance firewalls as among the vulnerable products. The attack occurred when these firewalls had no more CPU resources to process a steady stream of low-volume Internet Control Message Protocol (ICMP) requests. When Cisco was told about the attack, it didn't classify it as a security issue, as the attack was not on the Common Vulnerabilities and Exposures list. It was mentioned in a CERT-EU Security from November 14, 2016, but there was no US-CERT alert.

BlackNurse, however, is a security issue. It takes advantage of ICMP packets which are normally returned to ping sources for reply when the target's destination port is unreachable. TDC's security operations center found that the volume of the distributed denial of service (DDoS) traffic was very small. When the firewalls reached a threshold of 15-18 Mbps, BlackNurse sent a steady stream of 40,000 to 50,000 ICMP packets, which resulted some firewalls overloading (specifically, firewalls that used a single CPU).
Cisco permits all ICMP unreachable messages (Type 3), including the destination port unreachable messages (Type 3, Code 3). It recommends changing the firewalls' default configurations or fixing "defective" codes, but this is not a mitigation approach.

TDC recommends either rate limiting ICMP traffic on an upstream router or denying all incoming ICMP packets except for ICMP fragmentation packets (Type 3, Code 4). The exception is needed for path maximum transmission unit (MTU) discovery, which many operating systems depend on. The MTU size is determined to avoid IP fragmentation. If fragmentation occurs, IPsec traffic will not continue, and you will not be able to use a VPN.

Consider mitigating the BlackNurse vulnerability by upgrading to multiCPU firewalls, and make sure they are compatible with one another if they are from several different vendors. In addition, don't forget to update your set of DDoS mitigation tools.

Samker's Computer Forum -

BlackNurse attack overwhelm firewalls
« on: 30. December 2016., 17:40:19 »


  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Pal, thanks for the heads up. :thumbsup:


By the way, here are more information about this ICMP attack - including:

- Instructions for testing

- List of affected products

- List of NOT affected products

Samker's Computer Forum -


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising