Some firewalls vulnerable to BlackNurse DDoS attack, says report

CISOs often worry about high-volume distributed denial of service (DDoS) attacks that use webcams and other consumer Internet-connected devices to stall business operations. However, the security operations centre of TDC Group, Denmark’s main telecom provider, has cautioned that some firewalls can be overwhelmed by a new variant of an Internet Control Message Protocol (ICMP) attack.

In a paper issued last week, TDC Group’s security team said the technique, which they dubbed ‘BlackNurse’, uses ICMP type 3 (destination unreachable) code 3 (port unreachable) packets to launch an attack of 40 to 50K packets per second with a traffic speed of 15-18 Mbit per second. This is different — and slower — than a traditional ICMP ping flood attack. But, the report says, it is still effective in overwhelming CPUs on some firewalls trying to process ICMP errors.

“Based on our research, this vulnerability or misconfiguration of some firewalls is easy to misuse,” says the report. “Impact can be high for those that allow ICMP to the firewall’s outside interface, and they could be easy targets for the BlackNurse attack as we have seen in TDC’s network. Having high bandwidth is no guarantee that this DoS/DDoS attack will not work. Many firewall implementations handle ICMP in different ways, and different vendors can be subject to attacks. Distributed attacks from larger botnets can be a major problem, because botnets which are located on low bandwidth uplinks can come into play.”

The TDC report says some models of Cisco Systems’ ASA firewalls are vulnerable. Sweden’s Netresec AB, a network forensics company which helped in the TDC research, said in a blog that firewalls from Palo Alto Networks could also be affected unless ICMP Flood DoS protection is enabled, as well as firewalls from SonicWall (if misconfigured) and from Zyxel.

UPDATE: After this story was published, SonicWall issued a statement saying the Netresec report is incorrect. The company says it worked with TDC in September on this issue, and tests show that with normal ICMP flood protection on, the SonicWall firewall is not vulnerable.

TDC security researchers included in their report a SNORT rule that intrusion detection/prevention devices can use to detect the attack, although the default timing may have to be adjusted to what is normal for each organization’s firewall.

Note that while TDC researchers have seen an increase in this type of attack, Johannes Ullrich, head of research at the SANS Institute, said in a post that “this is not a big deal.” Cisco doesn’t think this is a security issue, he pointed out, and there is no CVE (common vulnerabilities and exposures) number issued. Users of smaller Cisco ASA firewalls are vulnerable, but networks with newer and/or multi-core CPU versions “appear to be fine.” IPtables-based firewalls are not affected.

Still, infosec and network teams should monitor incoming ICMP unreachables, Ullrich says.
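One way to monitor for this pattern, as an added example that is not taken from the TDC report or its SNORT rule: a sliding-window counter of ICMP type 3 code 3 packets per destination, fed with raw IPv4 packets from a capture. The class and function names, the 1000 packets-per-second default and the sample addresses are assumptions made for illustration; the threshold should be tuned to what is normal for the firewall being watched.

```python
import struct
from collections import defaultdict, deque

ICMP_PROTO = 1
DEST_UNREACH, PORT_UNREACH = 3, 3  # ICMP type 3, code 3

def parse_icmp(packet):
    """Return (src, dst, icmp_type, icmp_code) for an IPv4/ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != ICMP_PROTO or len(packet) < ihl + 8:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None  # non-first fragment: carries no ICMP header
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    return src, dst, packet[ihl], packet[ihl + 1]

class UnreachableRateMonitor:
    """Sliding-window count of ICMP port-unreachable packets per destination."""
    def __init__(self, threshold_pps=1000, window=1.0):
        # Assumed default, not a value from the report: tune to your baseline.
        self.limit, self.window = threshold_pps * window, window
        self.seen = defaultdict(deque)

    def observe(self, ts, packet):
        """Feed one packet; return the destination IP if its rate is over the limit."""
        parsed = parse_icmp(packet)
        if not parsed or parsed[2:] != (DEST_UNREACH, PORT_UNREACH):
            return None
        q = self.seen[parsed[1]]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()  # drop timestamps that fell out of the window
        return parsed[1] if len(q) > self.limit else None

def build_sample(src, dst, icmp_type, icmp_code):
    """Constructed test input: minimal IPv4 + ICMP header bytes, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ICMP_PROTO, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
```

Tracking by destination rather than by source keeps the count meaningful when the traffic arrives from many senders, which is the distributed case the report warns about.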

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
