BlackNurse Denial of Service Attack

Reply
Highlighted
L2 Linker

BlackNurse Denial of Service Attack

http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack

Has anyone here tested the effect of this on any PAN-devices ?

http://blacknurse.dk says:
LIST OF REPORTED AFFECTED PRODUCTS :
Cisco ASA 5515, 5525 (default settings)
Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
SonicWall
Some unverified Palo Alto

Can't find any more info on what PANs

Highlighted
L1 Bithead

Tested here on internal interface just with Anti-spoofing and no Flood protections.

It would be nice to test in time with our lab on an interface that has the icmp flood protection options on.

 

Full dataplane shutdown after about 30secs on a 5050

 

Had to reboot firewall as well to recover as dataplane restart also would not fix.

 

case logged with Palo about mitigation or code release steps.

 

 

L4 Transporter

Highlighted
L0 Member

I'm still trying to figure out how this attack is possible if the PaloAlto doesn't have a session associated with the attack traffic. In order for the PA to allow ICMP Type3, Code3, it would have to be associated with an Echo-Request in order to build a session. if there is no session, the PA should silent drop the traffic.

Am I correct or is there something I am missing? 

Highlighted
L4 Transporter

https://live.paloaltonetworks.com/t5/General-Topics/BlackNurse-Denial-of-Service-Attack/m-p/125760/h...

 

When testing an attack at a rate of about 6Mbps (all I could get out of my old Ubuntu box) with hping3 -1 -C 3 -K 3 --flood <target ip>, I saw an increase of about 10% CPU on a PA-3020. It was high enough PPS rate that it triggered a drop following the PA recommendation for a 3020's max ICMP PPS of 8000 but had an activate a little lower than 8000. As stated in my above post, it caused severe problems on the network I was originating the attack from.

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!