Blacknurse ICMP DoS attack

Summary

BlackNurse is a Denial of Service attack that consists of flooding the target with ICMP Type 3 Code 3 (Destination Unreachable, Port Unreachable) packets. Such packets generally consume more CPU to process than the "traditional" ICMP packets used in classical ping-flood attacks (Type 8 Code 0, Echo Request). As such, BlackNurse aims at exhausting the target's CPU rather than its bandwidth (a so-called "low-bandwidth attack").

Affected Products

The attack does not rely on a software bug, but on the normal functioning of the ICMP stack. Therefore, any networking device is susceptible to being impacted by a flood of BlackNurse packets.

Solutions

Configuring a DoS rate limiter for ICMP in FortiOS with the default rate effectively disables the attack, should the target be the FortiGate itself or any device it protects. This can for instance be done in CLI mode, with the following commands:

    config firewall DoS-policy
        edit 0
            set status enable
            set interface "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            config anomaly
                edit icmp_flood
                    set action block
                next
            end
        next
    end

Or in the GUI, via the menu Policy&Objects -> IPv4 DoS Policy -> Create New. Then choose the interface, source address, destination address and service, and set the ICMP_FLOOD button to "Block".

FortiDDoS will also protect itself or devices sitting behind it, automatically (see https://blog.fortinet.com/2016/11/14/black-nurse-ddos-attack-power-of-granular-packet-inspection-of-fortiddos-with-unpredictable-ddos-attacks for more details).
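The rate-limiting idea behind the FortiOS icmp_flood anomaly can be illustrated with a small detector. The following Python example is added here and is not Fortinet code: it parses raw IPv4/ICMP packets, counts only Type 3 Code 3 packets per destination in a one-second sliding window, and raises an alert when the rate exceeds a threshold. The 250 packets-per-second threshold, the addresses and the packet stream are constructed assumptions for the demonstration; the page only says the FortiOS default rate is sufficient.

```python
import struct
from collections import defaultdict, deque

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8   # Type 8 Code 0: classical ping flood
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3   # Type 3 Code 3: the BlackNurse packet


def parse_ipv4_icmp(packet):
    """Return (src, dst, icmp_type, icmp_code) for an IPv4/ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 4 or packet[9] != IPPROTO_ICMP:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 1]     # ICMP type and code follow the IP header


def build_icmp_packet(src, dst, icmp_type, icmp_code, payload=b""):
    """Build a minimal IPv4+ICMP packet for the constructed sample (checksums left zero)."""
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + icmp


class IcmpFloodDetector:
    """Sliding-window counter of ICMP Type 3 Code 3 packets per destination."""

    def __init__(self, threshold_pps, window_seconds=1.0):
        self.threshold = threshold_pps
        self.window = window_seconds
        self.seen = defaultdict(deque)   # dst -> timestamps of Type 3 Code 3 packets

    def observe(self, timestamp, packet):
        """Feed one packet; return an alert dict when the rate exceeds the threshold, else None."""
        parsed = parse_ipv4_icmp(packet)
        if parsed is None:
            return None
        src, dst, icmp_type, icmp_code = parsed
        # Only Destination Unreachable / Port Unreachable counts toward the BlackNurse rate.
        if icmp_type != ICMP_DEST_UNREACH or icmp_code != ICMP_PORT_UNREACH:
            return None
        window = self.seen[dst]
        window.append(timestamp)
        while window and timestamp - window[0] > self.window:   # drop packets older than the window
            window.popleft()
        if len(window) > self.threshold * self.window:
            return {"dst": dst, "last_src": src, "count": len(window), "window_s": self.window}
        return None


def run_sample(threshold_pps=250):
    """Run constructed traffic through the detector (assumed 250 pps threshold)."""
    det = IcmpFloodDetector(threshold_pps)
    benign_alerts = 0
    # Echo requests (Type 8 Code 0) must not count, however many arrive.
    for i in range(5):
        if det.observe(i * 0.1, build_icmp_packet("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, 0)):
            benign_alerts += 1
    # A legitimate low rate of Type 3 Code 3 (10 pps) toward another host stays below threshold.
    for i in range(10):
        if det.observe(i * 0.1, build_icmp_packet("10.0.0.6", "10.0.0.2", 3, 3, b"\x45" * 28)):
            benign_alerts += 1
    # Constructed flood: 300 Type 3 Code 3 packets within 0.6 s toward 10.0.0.1.
    first_alert_index, alert_count = None, 0
    for i in range(300):
        if det.observe(i * 0.002, build_icmp_packet("203.0.113.9", "10.0.0.1", 3, 3)):
            alert_count += 1
            if first_alert_index is None:
                first_alert_index = i
    return {"benign_alerts": benign_alerts,
            "first_alert_index": first_alert_index,
            "alert_count": alert_count}


if __name__ == "__main__":
    print(run_sample())
```

The detector keys its window on the destination address because BlackNurse traffic is typically spoofed from many sources; a per-source counter would never reach the threshold. Counting only Type 3 Code 3 mirrors what a DoS policy's icmp_flood anomaly does with all ICMP, and it is the per-destination rate, not the bandwidth, that matters for a CPU-exhaustion attack.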