This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

BlackNurse Denial of Service Attack

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

BlackNurse Denial of Service Attack

Dulle
L2 Linker

‎11-10-2016 11:02 PM

http://www.netresec.com/?page=Blog&month=2016-11&post=BlackNurse-Denial-of-Service-Attack

Has anyone here tested the effect of this on any PAN-devices ?

http://blacknurse.dk says:
LIST OF REPORTED AFFECTED PRODUCTS :
Cisco ASA 5515, 5525 (default settings)
Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
SonicWall
Some unverified Palo Alto

Can't find any more info on what PANs

3 people had this problem.
0 Likes Likes
4 REPLIES 4

paul.stinson
L1 Bithead

‎11-13-2016 02:46 PM

Tested here on internal interface just with Anti-spoofing and no Flood protections.

It would be nice to test in time with our lab on an interface that has the icmp flood protection options on.

 

Full dataplane shutdown after about 30secs on a 5050

 

Had to reboot firewall as well to recover as dataplane restart also would not fix.

 

case logged with Palo about mitigation or code release steps.

 

 

0 Likes Likes

spiromruen
L4 Transporter

‎11-13-2016 04:50 PM

Note to Customers Regarding BlackNurse Report

 

http://researchcenter.paloaltonetworks.com/2016/11/note-customers-regarding-blacknurse-report/

0 Likes Likes

rlowe_mfnsec
L0 Member

‎11-16-2016 10:06 AM

I'm still trying to figure out how this attack is possible if the PaloAlto doesn't have a session associated with the attack traffic. In order for the PA to allow ICMP Type3, Code3, it would have to be associated with an Echo-Request in order to build a session. if there is no session, the PA should silent drop the traffic.

Am I correct or is there something I am missing? 

0 Likes Likes

bspilde
L4 Transporter
In response to rlowe_mfnsec

‎12-06-2016 10:43 AM

https://live.paloaltonetworks.com/t5/General-Topics/BlackNurse-Denial-of-Service-Attack/m-p/125760/h...

 

When testing an attack at a rate of about 6Mbps (all I could get out of my old Ubuntu box) with hping3 -1 -C 3 -K 3 --flood <target ip>, I saw an increase of about 10% CPU on a PA-3020. It was high enough PPS rate that it triggered a drop following the PA recommendation for a 3020's max ICMP PPS of 8000 but had an activate a little lower than 8000. As stated in my above post, it caused severe problems on the network I was originating the attack from.

 

 

0 Likes Likes
  • 3979 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks