topic Re: BlackNurse Denial of Service Attack in General Topics

BlackNurse Denial of Service Attack

Dulle — Fri, 11 Nov 2016 07:02:22 GMT

http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack

Has anyone here tested the effect of this on any PAN-devices ?

http://blacknurse.dk says:
LIST OF REPORTED AFFECTED PRODUCTS :
Cisco ASA 5515, 5525 (default settings)
Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
SonicWall
Some unverified Palo Alto

Can't find any more info on what PANs

Re: BlackNurse Denial of Service Attack

paul.stinson — Sun, 13 Nov 2016 22:46:49 GMT

Tested here on internal interface just with Anti-spoofing and no Flood protections.

It would be nice to test in time with our lab on an interface that has the icmp flood protection options on.

Full dataplane shutdown after about 30secs on a 5050

Had to reboot firewall as well to recover as dataplane restart also would not fix.

case logged with Palo about mitigation or code release steps.

Re: BlackNurse Denial of Service Attack

spiromruen — Mon, 14 Nov 2016 00:50:06 GMT

Note to Customers Regarding BlackNurse Report

http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/

Re: BlackNurse Denial of Service Attack

rlowe_mfnsec — Wed, 16 Nov 2016 18:06:37 GMT

I'm still trying to figure out how this attack is possible if the PaloAlto doesn't have a session associated with the attack traffic. In order for the PA to allow ICMP Type3, Code3, it would have to be associated with an Echo-Request in order to build a session. if there is no session, the PA should silent drop the traffic.

Am I correct or is there something I am missing?

Re: BlackNurse Denial of Service Attack

bspilde — Tue, 06 Dec 2016 18:43:57 GMT

https://live.paloaltonetworks.com/t5/General-Topics/BlackNurse-Denial-of-Service-Attack/m-p/125760/highlight/true#M46455

When testing an attack at a rate of about 6Mbps (all I could get out of my old Ubuntu box) with hping3 -1 -C 3 -K 3 --flood <target ip>, I saw an increase of about 10% CPU on a PA-3020. It was high enough PPS rate that it triggered a drop following the PA recommendation for a 3020's max ICMP PPS of 8000 but had an activate a little lower than 8000. As stated in my above post, it caused severe problems on the network I was originating the attack from.