PSIRT Advisory

BlackNurse ICMP DoS attack

Summary

BlackNurse is a Denial of Service attack that floods the target with ICMP Type 3 Code 3 (Destination Unreachable, Port Unreachable) packets. Processing these packets generally consumes more CPU than the "traditional" ICMP packets used in classic ping-flood attacks (Type 8 Code 0, Echo Request). BlackNurse therefore aims at exhausting the target's CPU rather than its bandwidth (a so-called "low-bandwidth attack").

Impact

Denial of service

Affected Products

The attack does not rely on a software bug but on the normal functioning of the ICMP stack. Any networking device can therefore be affected by a flood of BlackNurse packets.

Solutions

Configuring a DoS rate limiter for ICMP in FortiOS with the default rate effectively defeats the attack, whether the target is the FortiGate itself or any device it protects.

This can, for instance, be done from the CLI with the following commands:

config firewall DoS-policy
    edit 0
        set status enable
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit icmp_flood
                set status enable
                set action block
            next
        end
    next
end

Or in the GUI, via Policy & Objects -> IPv4 DoS Policy -> Create New. Choose the interface, source address, destination address and service, then set the ICMP_FLOOD control to "Block".
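As an added illustration (not part of this advisory and not FortiOS code), the following Python models the icmp_flood anomaly configured above as a per-source sliding-window counter over constructed IPv4/ICMP packets, and labels Type 3 Code 3 traffic separately from classic Type 8 Code 0 floods. The 250 pps threshold, the window length and all addresses are assumed values for the demonstration, not taken from the advisory.

```python
import struct
from collections import defaultdict, deque

def build_ipv4_icmp(src: str, icmp_type: int, icmp_code: int) -> bytes:
    """Constructed sample packet: minimal IPv4 header (IHL=5, proto 1) + 8-byte ICMP header, checksums zeroed."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes([192, 0, 2, 1])  # TEST-NET-1 address standing in for the protected device
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0, src_b, dst_b)
    return ip_hdr + struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)

def parse_icmp(pkt: bytes):
    """Return (src_ip, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 4:  # IP protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return src, pkt[ihl], pkt[ihl + 1]

def classify(icmp_type: int, icmp_code: int) -> str:
    """Label the two flood flavours discussed in the advisory."""
    if (icmp_type, icmp_code) == (3, 3):
        return "blacknurse"      # Destination Unreachable / Port Unreachable
    if (icmp_type, icmp_code) == (8, 0):
        return "ping-flood"      # Echo Request
    return "other-icmp"

class IcmpFloodMonitor:
    """Per-source sliding window over all ICMP, like an icmp_flood anomaly with action block."""
    def __init__(self, threshold_pps: int = 250, window_s: float = 1.0):  # 250 pps is illustrative
        self.threshold, self.window = threshold_pps, window_s
        self.seen = defaultdict(deque)

    def observe(self, ts: float, pkt: bytes) -> str:
        parsed = parse_icmp(pkt)
        if parsed is None:
            return "pass"                      # not ICMP: outside this policy
        src, _type, _code = parsed
        q = self.seen[src]
        q.append(ts)
        while ts - q[0] > self.window:         # drop timestamps older than the window
            q.popleft()
        return "block" if len(q) > self.threshold else "pass"

def simulate(monitor: IcmpFloodMonitor, src: str, count: int, pps: float, icmp_type=3, icmp_code=3) -> int:
    """Feed `count` packets from `src` at a constant `pps`; return how many were blocked."""
    return sum(monitor.observe(i / pps, build_ipv4_icmp(src, icmp_type, icmp_code)) == "block"
               for i in range(count))
```

A 1000 pps burst of Type 3 Code 3 from one constructed source trips the 250 pps limit and has its excess blocked, while a 20 pps stream from another source passes untouched.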

FortiDDoS also protects itself and the devices behind it automatically (see https://blog.fortinet.com/2016/11/14/black-nurse-ddos-attack-power-of-granular-packet-inspection-of-fortiddos-with-unpredictable-ddos-attacks for more details).