ACL to Protect against BlackNurse Virus

Symptoms
  • BlackNurse is a form of ICMP flood attack which may cause denial of service.
  • A properly configured next-generation firewall is protected against the BlackNurse attack.
Environment
  • NI 5.6.00G
Cause
BlackNurse is a low-bandwidth ICMP attack that can cause denial of service on well-known firewalls.
Most ICMP attacks that we see are based on ICMP Type 8 Code 0, also called a ping flood attack.
The impact of the attack on the firewall is typically high CPU load.
BlackNurse is based on ICMP with Type 3 Code 3 packets.
We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth.
Resolution
BlackNurse is based on ICMP with Type 3 Code 3 packets.

Type 3 Code 3 packets are matched with the "port-unreachable" keyword in an ACL.
 
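access-list 101 deny icmp any any port-unreachable
access-list 101 permit ip any any
int ve 100
ip access-group 101 in
ip access-group 101 out

The permit ip any any entry is required because the ACL ends with an implicit deny; without it, ACL 101 would drop all other traffic on the interface.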

During an ongoing attack, if the firewall is not properly configured, CPU load will spike and users on the LAN side may no longer be able to send traffic to or receive traffic from the Internet.

For best protection, it is recommended that users enable ICMP Flood Protection in Firewall Settings.
Additional notes
Apply ICMP Protection on the firewall.
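
To tell BlackNurse traffic (Type 3 Code 3) apart from an ordinary ping flood (Type 8 Code 0) when reviewing captured packets, the following added example parses IPv4 ICMP headers and flags sources that exceed a rate of port-unreachable packets. It is not part of the original article or of any vendor software; the function names, the window and threshold values, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

PORT_UNREACHABLE = (3, 3)  # ICMP Type 3 Code 3, the packet type BlackNurse uses

def parse_icmp(packet: bytes):
    """Return (source_ip, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 2:
        return None                            # malformed, not ICMP, or truncated
    src = str(ipaddress.IPv4Address(packet[12:16]))
    return src, packet[ihl], packet[ihl + 1]

def flag_sources(events, window=1.0, threshold=100):
    """events: (timestamp, raw_packet) pairs in time order.
    Returns sources that sent more than `threshold` Type 3 Code 3 packets
    within `window` seconds. Both defaults are assumed values, not from the article."""
    recent = defaultdict(list)
    flagged = set()
    for ts, raw in events:
        parsed = parse_icmp(raw)
        if parsed is None or parsed[1:] != PORT_UNREACHABLE:
            continue                           # echo requests and other types are ignored
        times = recent[parsed[0]]
        times.append(ts)
        while times[0] <= ts - window:         # drop timestamps outside the window
            times.pop(0)
        if len(times) > threshold:
            flagged.add(parsed[0])
    return flagged

def build(src: str, icmp_type: int, code: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 8-byte ICMP header, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address("192.0.2.1").packed)
    return ip + struct.pack("!BBHI", icmp_type, code, 0, 0)

# Constructed traffic: 150 port-unreachable packets from one host, 150 pings from another.
SAMPLE = [(i * 0.005, build("198.51.100.7", 3, 3)) for i in range(150)]
SAMPLE += [(i * 0.005, build("203.0.113.9", 8, 0)) for i in range(150)]
SAMPLE.sort(key=lambda e: e[0])

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```

Only the Type 3 Code 3 source is reported; the Type 8 Code 0 source is not counted here and would be handled by ordinary ICMP flood protection.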
