Has anyone here tested the effect of this on any PAN devices?
LIST OF REPORTED AFFECTED PRODUCTS:
Cisco ASA 5515, 5525 (default settings)
Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
Some unverified Palo Alto
Can't find any more info on what PANs
Tested here on internal interface just with Anti-spoofing and no Flood protections.
It would be nice to test in time with our lab on an interface that has the icmp flood protection options on.
Full dataplane shutdown after about 30 secs on a 5050.
Had to reboot firewall as well to recover as dataplane restart also would not fix.
Case logged with Palo about mitigation or code release steps.
Note to Customers Regarding BlackNurse Report
I'm still trying to figure out how this attack is possible if the Palo Alto doesn't have a session associated with the attack traffic. In order for the PA to allow ICMP Type 3, Code 3, it would have to be associated with an Echo-Request in order to build a session. If there is no session, the PA should silently drop the traffic.
Am I correct or is there something I am missing?
When testing an attack at a rate of about 6Mbps (all I could get out of my old Ubuntu box) with hping3 -1 -C 3 -K 3 --flood <target ip>, I saw an increase of about 10% CPU on a PA-3020. It was a high enough PPS rate that it triggered a drop following the PA recommendation for a 3020's max ICMP PPS of 8000 but had an activate a little lower than 8000. As stated in my above post, it caused severe problems on the network I was originating the attack from.
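For checking a lab capture against a per-second threshold like the one discussed above, the following is an added example, not part of any post in this thread and not Palo Alto code. It counts ICMP Type 3, Code 3 packets per source per second from raw IPv4 bytes; the function names, the sample addresses and the sample capture are constructed for illustration, and the default threshold is the 8000 PPS figure quoted in the post.

```python
import socket
import struct
from collections import Counter

def icmp_type_code(ip_packet):
    """Return (src_ip, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None                       # too short or not IPv4
    ihl = (ip_packet[0] & 0x0F) * 4       # IP header length in bytes (options allowed)
    if ihl < 20 or ip_packet[9] != 1 or len(ip_packet) < ihl + 2:
        return None                       # malformed, not ICMP, or truncated
    return socket.inet_ntoa(ip_packet[12:16]), ip_packet[ihl], ip_packet[ihl + 1]

def flag_floods(capture, activate_pps=8000):
    """capture: iterable of (timestamp_seconds, raw IPv4 bytes).
    Returns {(src_ip, second): count} for every one-second bucket in which a
    source sent more than activate_pps ICMP Type 3 / Code 3 packets."""
    buckets = Counter()
    for ts, pkt in capture:
        parsed = icmp_type_code(pkt)
        if parsed and parsed[1:] == (3, 3):
            buckets[(parsed[0], int(ts))] += 1
    return {key: n for key, n in buckets.items() if n > activate_pps}

def make_packet(src, dst, icmp_type, icmp_code):
    """Constructed test data: minimal IPv4 + ICMP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)

def sample_capture():
    """Constructed capture covering one second (t = 100 .. 101), documentation addresses."""
    dst = "192.0.2.1"
    cap = [(100 + i / 9000, make_packet("198.51.100.7", dst, 3, 3)) for i in range(9000)]
    cap += [(100 + i / 200, make_packet("198.51.100.8", dst, 3, 3)) for i in range(200)]
    cap += [(100 + i / 500, make_packet("198.51.100.9", dst, 8, 0)) for i in range(500)]
    return cap

if __name__ == "__main__":
    for (src, second), count in flag_floods(sample_capture()).items():
        print(f"{src} sent {count} ICMP 3/3 packets in second {second}")
```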