Firewalls snuffed by 'BlackNurse' Ping of Death attack

Destination unreachable plus port unreachable equals router unreachable

Updated A code artefact in a number of popular firewalls means they can be crashed by a mere crafted ping.

The low-rate “Ping of death” attack, dubbed BlackNurse, affects firewalls from Cisco, Zyxel, and possibly Palo Alto.

Since we don't imagine Switchzilla has started giving away the version of IOS running in its ASA firewalls, Vulture South suspects it arises from a popular open source library. Which means other vulnerable devices could be out there.

Unlike the old-fashioned ping-flood, the attack in question uses ICMP “Type 3, Code 3” (destination unreachable, port unreachable) packets.

In the normal course of events, a host would receive that packet in response to a message it had initiated – but of course, it's trivial to craft that packet and send it to a target.

In devices susceptible to BlackNurse, the operating system gets indigestion trying to process even a relatively low rate of these messages – in the original report from Denmark's TF-CSIRT, gigabit-capable routers could be borked by just 18 Mbps of BlackNurse traffic on their WAN interfaces.

The good news is that in most cases, the attack is trivial to block, by dropping ICMP traffic. For example, the TF-CSIRT report includes suitable Snort rules, while Palo Alto says users of PAN-OS-based firewalls can block all ICMP traffic, or write a more sophisticated BlackNurse-specific DoS filter.

Forensics company Netresec has more detail on BlackNurse here, and has test information here.

In some environments, a blanket ban on ICMP is problematic. As Cisco notes, losing ICMP MTU path discovery can upset IPSec and/or PPTP sessions. ®

Updated to add

A previous version of this story said BlackNurse impacted SonicWALL devices. The company has been in touch to say that was not correct and that subsequent testing proved SonicWALL firewalls are not vulnerable to BlackNurse.

Biting the hand that feeds IT © 1998–2017