kimahansen
New Member
November 14, 2016
Question

Fortinet / Fortigate ICMP 3/3 Blacknurse vulnerable?

  • November 14, 2016
  • 1 reply
  • 10434 views

Hello,
"Blacknurse is a low bandwidth ICMP attack that is capable of doing denial of service to well known firewalls.
Most ICMP attacks that we see are based on ICMP Type 8 Code 0 also called a ping flood attack.
BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth.
Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection."
Anyone care to comment on this? Any comments on how to mitigate correctly?
Source:

http://blacknurse.dk/
Brgs,

Kim

    Andras
    New Member
    November 16, 2016

    Here's a custom IPS signature to mitigate the issue on FortiGate.

    kimahansen
    New Member
    November 16, 2016

    I have seen this article, but since the IPS functionality is located very late in the packet flow ingress, I have a hard time believing that this will actually protect the firewall's CPU from getting overloaded?
    Can you confirm that this also protects the firewall and not only devices behind the firewall?
    Andras
    New Member
    November 16, 2016

    The IPS defends the systems behind the FW. The DoS policy (ICMP flood) should be set to protect the firewall. The only limitation on FortiGate is that the DoS policy applies to all ICMP traffic, not just Blacknurse.

    For a more sophisticated solution you'll need FortiDDoS.
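The distinction Andras draws (a DoS policy that counts every ICMP packet versus a signature that only matches Type 3 Code 3) is easy to see in code. The following is an added example, not code from this thread or from Fortinet: it parses raw IPv4/ICMP packets, buckets them per second and destination, and fires two independent alerts, one modelled on an all-ICMP flood threshold and one modelled on a Type 3 Code 3 only match. The sample capture, the addresses and the 2000 pps thresholds are constructed for illustration (the quoted description puts real BlackNurse traffic at 40 to 50K pps); `build_ipv4_icmp`, `parse_icmp`, `count_per_second` and `classify` are names chosen here.

```python
import struct
from collections import defaultdict

ICMP_PROTO = 1


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, icmp_code: int) -> bytes:
    """Construct a minimal IPv4 + ICMP packet for the sample capture (checksums left zero)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28, 0, 0, 64, ICMP_PROTO, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    icmp_hdr = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)
    return ip_hdr + icmp_hdr


def parse_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # header length in bytes, honours IP options
    if pkt[9] != ICMP_PROTO or len(pkt) < ihl + 8:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 1]   # ICMP type and code follow the IP header


def count_per_second(packets):
    """Bucket by (second, dst): total ICMP count and ICMP Type 3 Code 3 count."""
    totals = defaultdict(int)
    t3c3 = defaultdict(int)
    for ts, raw in packets:
        parsed = parse_icmp(raw)
        if parsed is None:
            continue
        _, dst, icmp_type, icmp_code = parsed
        key = (int(ts), dst)
        totals[key] += 1
        if icmp_type == 3 and icmp_code == 3:
            t3c3[key] += 1
    return totals, t3c3


def classify(packets, icmp_flood_pps=2000, t3c3_pps=2000):
    """Alerts per (second, dst). 'icmp_flood' mirrors a DoS policy counting all ICMP;
    'blacknurse_t3c3' mirrors a signature that only matches Type 3 Code 3.
    Thresholds are illustrative (assumption), not vendor defaults."""
    totals, t3c3 = count_per_second(packets)
    alerts = {}
    for key, total in totals.items():
        fired = []
        if total >= icmp_flood_pps:
            fired.append("icmp_flood")
        if t3c3.get(key, 0) >= t3c3_pps:
            fired.append("blacknurse_t3c3")
        if fired:
            alerts[key] = fired
    return alerts


def sample_traffic():
    """Constructed capture: second 0 benign, second 1 Type 3/3 burst, second 2 plain ping flood."""
    fw = "192.0.2.1"                          # firewall's outside address (constructed)
    pk = []
    pk += [(0.0 + i / 200, build_ipv4_icmp("198.51.100.7", fw, 8, 0)) for i in range(100)]
    pk += [(0.5 + i / 200, build_ipv4_icmp("198.51.100.9", fw, 3, 3)) for i in range(50)]
    pk += [(1.0 + i / 5000, build_ipv4_icmp("203.0.113.5", fw, 3, 3)) for i in range(4500)]
    pk += [(1.0 + i / 200, build_ipv4_icmp("198.51.100.7", fw, 8, 0)) for i in range(100)]
    pk += [(2.0 + i / 4000, build_ipv4_icmp("203.0.113.6", fw, 8, 0)) for i in range(3000)]
    return pk


if __name__ == "__main__":
    for key, fired in sorted(classify(sample_traffic()).items()):
        print(f"second {key[0]} -> {key[1]}: {', '.join(fired)}")
```

Second 1 trips both alerts, second 2 (an Echo Request flood with no Type 3 Code 3 at all) trips only the all-ICMP rule, and the low-rate Type 3 Code 3 traffic in second 0 trips nothing. That is the trade-off in the thread: the per-type match is precise but sits late in the path, while the all-ICMP threshold is what actually shields the device and therefore also catches ordinary ping floods.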