Attackers Using ICMP Ping Floods to Take Down Enterprise Firewalls

According to researchers from Danish telecom firm TDC, attackers are using ICMP ping floods to perform Denial of Service (DoS) attacks which are capable of taking down enterprise firewalls.

In contrast to standard DDoS attacks, the attacker does not need to use an army of hacked devices to pull off the attack. It can be performed using a single laptop computer. Further, the mitigations put in place to counter traditional DDoS attacks – provisioning extra bandwidth – are ineffective against this type of attack.

The technique, termed BlackNurse, is an Internet Control Message Protocol (ICMP) attack using type 3 (destination unreachable) code 3 (port unreachable) packets. Attacks of 40K to 50K packets per second with a traffic speed of around 18 Mbit per second are all that is required to conduct the attack. It is therefore possible to perform such an attack using a single laptop computer.

Attacks use ICMP Type 8 Code 0 packets which consume a lot of CPU resources and overwhelm the firewall. According to TDC’s Security Operations Center, “When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.”

TDC has confirmed that Cisco Systems’ Adaptive Security Appliance firewalls are susceptible to these types of attack when they are in their default configuration i.e. when they are configured to allow ICMP Type 3 messages. Other firewalls are also susceptible if they have not been configured correctly or if certain security protections have been turned off. TDC has confirmed that certain SonicWall, Zyxel Communications, and Palo Alto Networks next generation firewalls could potentially be taken down with this type of attack.

The researchers say the “Impact can be high for those that allow ICMP to the firewall’s outside interface, and they could be easy targets for the BlackNurse attack as we have seen in TDC’s network. Having high bandwidth is no guarantee that this DoS/DDoS attack will not work.”

TDC says “Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack quite easily.” At present that is the best option for mitigating this type of attack.

Users of smaller Cisco ASA firewalls are particularly vulnerable to this type of attack, although TDC says networks with multi-core CPU versions appear to be fine and IPtables-based firewalls are not affected.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of