Thursday, November 17, 2016

Mitigating the BlackNurse exploit on Cisco and Fortigate equipment


"Blacknurse is a low bandwidth ICMP attack that is capable of doing denial of service to well known firewalls. Most ICMP attacks that we see are based on ICMP Type 8 Code 0, also called a ping flood attack.

BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth. 

Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection." – as per http://blacknurse.dk/ 

Securing Fortigate

Andras the Techie created a Fortigate IPS custom signature to detect and drop this traffic. It matches ICMP with type 3 and code 3 only, and the "--rate 250,1" clause means the signature fires once more than 250 such packets are seen within one second; since BlackNurse needs roughly 40 to 50K packets per second to be effective, that threshold catches the attack while leaving normal port-unreachable traffic (a handful of packets per second at most) alone:

config ips custom
    edit ICMP.Blacknurse
        set signature "F-SBID( --name \"ICMP.Blacknurse\"; --protocol icmp; --icmp_type 3; --icmp_code 3; --rate 250,1;)"
        set severity medium
        set location server
        set application Other
        set action block
        set status enable
    next
end

His blog post also contains instructions on how to apply it to your policies. A custom signature does nothing on its own: it has to be added to an IPS sensor, and that sensor then has to be referenced by the firewall policy that handles traffic arriving on the outside (WAN) interface.

Securing Cisco

Best is of course to filter this traffic upstream, before it hits your firewall. On an upstream Cisco IOS router it is worth being precise about what the usual ICMP knob does.

"ip icmp rate-limit unreachable" limits how often the router itself generates ICMP destination unreachable messages: at most one per interval, with the interval given in milliseconds (the default is 500 ms). That keeps the router from becoming a source of Type 3 traffic and from spending CPU on it, but it does not drop Type 3 Code 3 packets that merely transit the router on their way to your firewall. With the interval set to one second:

config t
ip icmp rate-limit unreachable 1000
do copy run start
end

To actually stop the attack traffic before it reaches the firewall, match ICMP port-unreachable on the Internet-facing interface with an access list and either deny it there or, less bluntly, police it to a rate far below the 40 to 50K packets per second the attack needs.
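An upstream policer for the attack traffic on Cisco IOS, as an added example that is not part of the original post or of any vendor documentation. It assumes GigabitEthernet0/0 is the Internet-facing interface of an IOS router in front of the firewall; the ACL, class-map and policy-map names are chosen here for illustration, and the 64 kbit/s rate is an assumption to be tuned to the site's legitimate port-unreachable volume.

```cisco
! Added example (not from the original post). Assumptions: GigabitEthernet0/0 is the
! Internet-facing interface; the object names and the 64 kbit/s rate are illustrative.
configure terminal
!
! Select only ICMP Type 3 Code 3 (port unreachable). "permit" here means "put it in
! the class", not "allow"; everything else falls through to class-default untouched.
ip access-list extended ICMP-PORT-UNREACH-ACL
 permit icmp any any port-unreachable
!
class-map match-all ICMP-PORT-UNREACH
 match access-group name ICMP-PORT-UNREACH-ACL
!
! Police the class to 64 kbit/s with an 8000-byte burst. At 60-70 bytes per packet
! that is on the order of 100-130 port-unreachables per second, far below the
! 40-50K pps BlackNurse needs, while traceroute replies and other legitimate
! port-unreachables still get through. Excess is dropped at the router.
policy-map POLICE-BLACKNURSE
 class ICMP-PORT-UNREACH
  police 64000 8000 conform-action transmit exceed-action drop
!
! Apply inbound on the Internet-facing interface so the firewall never sees the flood.
interface GigabitEthernet0/0
 service-policy input POLICE-BLACKNURSE
!
end
write memory
```

If you would rather drop the traffic outright, replace the policer with an inbound ACL on the same interface containing "deny icmp any any port-unreachable" followed by "permit ip any any"; that also suppresses legitimate port-unreachables (UDP traceroute replies, for instance), which is why the policer is the gentler default. Check the counters with "show policy-map interface GigabitEthernet0/0" while the attack is running to confirm the exceed-action is dropping.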

For Cisco IOS-XR the equivalent command is "icmp ipv4 rate-limit unreachable", with the same meaning (the minimum interval, in milliseconds, between unreachables the router itself generates) and the same caveat that transit Type 3 Code 3 traffic towards your firewall is not filtered by it:

configure
icmp ipv4 rate-limit unreachable 2000
commit
end