Firewalls snuffed by 'BlackNurse' Ping of Death attack

Destination unreachable plus port unreachable equals router unreachable


Updated A code artefact in a number of popular firewalls means they can be crashed by a mere crafted ping.

The low-rate “Ping of death” attack, dubbed BlackNurse, affects firewalls from Cisco, Zyxel, and possibly Palo Alto.

Since we don't imagine Switchzilla has started giving away the version of IOS running in its ASA firewalls, Vulture South suspects it arises from a popular open source library. Which means other vulnerable devices could be out there.

Unlike the old-fashioned ping-flood, the attack in question uses ICMP “Type 3, Code 3” (destination unreachable, port unreachable) packets.

In the normal course of events, a host would receive that packet in response to a message it had initiated – but of course, it's trivial to craft that packet and send it to a target.

In devices susceptible to BlackNurse, the operating system gets indigestion trying to process even a relatively low rate of these messages – in the original report from Denmark's TF-CSIRT, gigabit-capable routers could be borked by just 18 Mbps of BlackNurse traffic on their WAN interfaces.

The good news is that in most cases, the attack is trivial to block, by dropping ICMP traffic. For example, the TF-CSIRT report includes suitable Snort rules, while Palo Alto says users of PAN-OS-based firewalls can block all ICMP traffic, or write a more sophisticated BlackNurse-specific DoS filter.

Forensics company Netresec has published more detail on BlackNurse, along with information on how to test for it.

In some environments, a blanket ban on ICMP is problematic. As Cisco notes, losing ICMP-based path MTU discovery can break IPSec and/or PPTP sessions. ®
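The BlackNurse-specific filter mentioned above, and the reason it beats a blanket ICMP drop, as an added example that is not from the article, Netresec or any vendor: it parses the ICMP header, counts only type 3/code 3 packets per destination in a sliding window, and leaves echo replies and the "fragmentation needed" messages that path MTU discovery relies on alone. The 100 packets-per-second threshold, the address and the packet bytes are constructed for illustration.

```python
# Added example (not from the article, Netresec or TDC): flag bursts of ICMP
# type 3/code 3 per destination instead of dropping all ICMP. Threshold assumed.
import struct
from collections import defaultdict, deque

ICMP_DEST_UNREACH = 3  # ICMP type 3: destination unreachable
CODE_PORT_UNREACH = 3  # code 3: port unreachable (the BlackNurse message)

def parse_icmp(payload: bytes):
    """Return (type, code) from the 4-byte ICMP header, or None if truncated."""
    if len(payload) < 4:
        return None
    icmp_type, code, _checksum = struct.unpack("!BBH", payload[:4])
    return icmp_type, code

def is_type3_code3(payload: bytes) -> bool:
    """True only for destination-unreachable / port-unreachable messages."""
    return parse_icmp(payload) == (ICMP_DEST_UNREACH, CODE_PORT_UNREACH)

class BlackNurseDetector:
    """Sliding-window count of type 3/code 3 packets per destination.
    Echo replies and 'fragmentation needed' (type 3/code 4) are never counted,
    so path MTU discovery keeps working under this filter."""
    def __init__(self, threshold_pps: int, window_s: float = 1.0):
        self.threshold = threshold_pps
        self.window = window_s
        self.seen = defaultdict(deque)  # dst -> timestamps of 3/3 packets

    def observe(self, ts: float, dst: str, payload: bytes) -> bool:
        """Record one packet; True once dst exceeds threshold within window."""
        if not is_type3_code3(payload):
            return False
        q = self.seen[dst]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps outside window
            q.popleft()
        return len(q) > self.threshold

def run_demo():
    """Replay constructed traffic: benign ICMP first, then a 3/3 burst."""
    port_unreach = struct.pack("!BBHI", 3, 3, 0, 0)  # constructed 3/3 header
    benign = [struct.pack("!BBHI", 0, 0, 0, 0), struct.pack("!BBHI", 3, 4, 0, 0)]  # echo reply, PMTUD 3/4
    det = BlackNurseDetector(threshold_pps=100)  # assumed per-second limit
    alerts = []
    for i, pkt in enumerate(benign * 3):
        det.observe(0.1 * i, "198.51.100.1", pkt)
    for i in range(150):  # 150 port-unreachable packets in 0.5 s at one target
        if det.observe(1.0 + i / 300, "198.51.100.1", port_unreach):
            alerts.append(i)
    return alerts
```

In a real deployment the observe() calls would be fed from a packet capture or flow log, and the alert would drive a rate-limit rule rather than a list.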

Updated to add

A previous version of this story said BlackNurse impacted SonicWALL devices. The company has been in touch to say that was not correct and that subsequent testing proved SonicWALL firewalls are not vulnerable to BlackNurse.

Biting the hand that feeds IT © 1998–2022