"Blacknurse is a low bandwidth ICMP attack that is capable of doing denial of service to well known firewalls. Most ICMP attacks that we see are based on ICMP Type 8 Code 0 also called a ping flood attack.
BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth.
Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection." – as per http://blacknurse.dk/
Andras the Techie created an Fortigate IPS signature to detect and drop this traffic:
config ips custom
set signature "F-SBID( --name \"ICMP.Blacknurse\"; --protocol icmp; --icmp_type 3; --icmp_code 3; --rate 250,1;)"
set severity medium
set location server
set application Other
set action block
set status enable
His blog post also contains instructions on how to apply it to you policies.
Best is of course to filter this traffic upstream, before it hits your firewall. This is what you’ll need to do on an Cisco IOS router:
ip icmp rate-limit unreachable 100 1000
do copy run start
For Cisco IOS-XR you will need to do this:
icmp ipv4 rate-limit unreachable 2000
Post a Comment