* [Blog](https://www.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www.paloaltonetworks.com/blog/corporate/)
* [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/)
* UPDATED: Note to Customer...

# UPDATED: Note to Customers Regarding BlackNurse Report

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2016%2F11%2Fnote-customers-regarding-blacknurse-report%2F)  
[](https://twitter.com/share?text=UPDATED%3A+Note+to+Customers+Regarding+BlackNurse+Report&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2016%2F11%2Fnote-customers-regarding-blacknurse-report%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2016%2F11%2Fnote-customers-regarding-blacknurse-report%2F&title=UPDATED%3A+Note+to+Customers+Regarding+BlackNurse+Report&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/2016/11/note-customers-regarding-blacknurse-report/&ts=markdown)  
\[\](mailto:?subject=UPDATED: Note to Customers Regarding BlackNurse Report)  
Link copied  
By [Navneet Singh](https://www.paloaltonetworks.com/blog/author/navneet-singh/?ts=markdown "Posts by Navneet Singh")  
Nov 11, 2016  
5 minutes  
[Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown)  
[BlackNurse](https://www.paloaltonetworks.com/blog/tag/blacknurse/?ts=markdown)

**\[Updated December 02, 2016\]**

This post has been updated following further testing and investigation of the BlackNurse issue. Our further investigation indicates that Zone Protection provides optimal mitigation coverage and we recommend that customers implement Zone Protection to mitigate the BlackNurse issue.

Customers who have previously followed our guidance on BlackNurse, should review the updated Impact and Recommendations section of this blog. We have modified our initial recommendations indicating that customers should now use Zone Protections to provide optimal coverage against BlackNurse.

===

On Thursday, Nov. 10, 2016, TDC Security Operations Center in Denmark [published a report](http://soc.tdc.dk/blacknurse/blacknurse.pdf) stating they had noticed several low-volume ICMP attacks in their customers' networks. TDC named this type of attack BlackNurse.

The security of our customers is our top priority. We have conducted an investigation into this issue and to date have found that Palo Alto Networks Next-Generation Firewall customers may be affected in a specific scenario that contravenes best practices by exceeding the platform's maximum Connections Per Seconds (CPS) limits and no protections have been enabled on the device.

## Attack details

A traditional [ICMP flood attack](https://www.sans.org/reading-room/whitepapers/threats/icmp-attacks-illustrated-477) sends ICMP requests to the target in a large volume. BlackNurse, on the other hand, is an ICMP attack that sends a low volume of [ICMP Type 3 (Destination Unreachable) Code 3](http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-codes-3) (Port Unreachable) requests to the target. BlackNurse is a form of Denial-of-Service (DoS) attack and the TDC report claims that it has the potential to disrupt the target organization's operations.

## Impact

Palo Alto Networks Next-Generation Firewalls may be impacted by the BlackNurse attack if the attack rate approaches the [platform's maximum Connections Per Seconds](https://www.paloaltonetworks.com/products/product-selection?ts=markdown) (CPS) limits and no protections are enabled on the device.

**Note**: See Change Log section at the end of this blog for our prior impact statement.

## Recommendations:

For protection against BlackNurse, we recommend that customers implement ICMP Flood Protection, which is part of Zone Protection. Customers may also implement DoS Protection in cases where the attack is from a single source IP.

**Note:** All BlackNurse attacks larger than the [platform's maximum Connections Per Seconds](https://www.paloaltonetworks.com/products/product-selection?ts=markdown) (CPS) limits, may result in unexpected performance issues. In such cases, "rate limiting" of the involved ICMP traffic has to take place before reaching our firewall.

### Zone Protection

A Zone Protection profile is enforced before security policy checks. This helps throttle packets once the threshold is reached and protects the firewall resources as well as resources being protected by the firewall.

Please follow the steps below from the page Zone Protection section in the [PAN-OS 7.1](https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/network/network-network-profiles-zone-protection?ts=markdown); [PAN-OS 7.0](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/pan-os-70/PAN-OS-7.0-web-interface-ref.pdf?ts=markdown); [PAN-OS 6.1](https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/zone-protection-profiles.pdf?ts=markdown); [PAN-OS 6.0](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_8.pdf?ts=markdown) Administrator's Guides:

* Enable ***Zone Protection***with ICMP Flood Protection.

* Apply the ***maximum threshold*** (Connections/second) values per the Knowledge Base Article [Protection Against BlackNurse Attacks.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2016/11/Protection-Against-BlackNurse-Attacks-LIVEcommunity-130848.pdf?ts=markdown)

* If no ICMP error messages are expected in your environment: Enable Zone Protection's "**Discard ICMP embedded with error message** " can be used. This option is configured under the Zone Protection Profile -\> Packet Based Protection -\> ICMP Drop -\> Discard ICMP embedded with error message.  
  **Note** : This setting will drop ALL ICMP packets with an error message under ALL conditions. If your environment uses ICMP error messages for legitimate purposes, you should not enable this option on the ingress zone

* Commit the configuration.

### DoS Protection

A DoS Protection profile may help mitigate against the attack more efficiently in cases where the attack is from a single source IP. The thresholds for DoS policy are typically lower since these thresholds are on a 'per IP' basis whereas the Zone Protection configuration threshold is an aggregate of all ingress traffic for the zone.

**Note:** Please do not use a DoS Protection profile on interfaces facing a high number of sources, such as the internet-facing interfaces.

To implement DoS Protection measures, please follow the below steps from the page [Configure DoS Protection Against Flooding of New Sessions](https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/configure-dos-protection-against-flooding-of-new-sessions#51711?ts=markdown) in the PAN-OS 7.1 Administrator's Guide:

* Configure a DoS Protection profile for flood protection. Because flood attacks can occur over multiple protocols, the recommended best practice is to activate protection for all flood types in the DoS Protection profile. However, to protect against BlackNurse, the following types of flood protection are required:
  * ICMP Flood
  * ICMPv6 Flood
* Commit the configuration.

For more, please refer to the step-by-step instructions listed on the [Configure DoS Protection Against Flooding of New Sessions](https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/configure-dos-protection-against-flooding-of-new-sessions#51711?ts=markdown) page in the PAN-OS 7.1 Administrator's Guide.

For customers using a version of PAN-OS prior to 6.1, please see the PAN-OS Administrator's Guide for your organization's software version listed on our [Technical Documentation](https://www.paloaltonetworks.com/documentation?ts=markdown) page and refer to the steps listed under the section 'Threat Prevention' \> About Security Profiles \> DoS Protection.

**Note**: DoS and Zone protection is included as part of PAN-OS and does not require any software subscriptions.

Should you have any questions or need assistance with implementing these recommendations, please don't hesitate to contact our support team at [support.paloaltonetworks.com](https://support.paloaltonetworks.com/).

**Change Log:**

2016-11-11 -- Initial Blog Published.

2016-12-02 -- Blog updated to include Zone Protection as the optimal protection against BlackNurse. DoS Protection section updated to note protection offered against Single Source attacks. Impact and Recommendations sections changed to reflect our new and updated guidance. The following text was removed from the Impact section:

1. *Palo Alto Networks Next-Generation Firewalls drop ICMP requests by default, so unless you have explicitly allowed ICMP in a security policy, your organization is not affected and no action is required.*
2. *If you have explicitly allowed ICMP in a security policy and have implemented our best practices for flood protection, your organization is not affected and no action is required.*
3. *If you have explicitly allowed ICMP in a security policy and have not implemented our best practices for flood protection, your organization's firewalls may experience higher CPU and memory usage, which may slow down the firewall's response. Please refer to the best practices listed below.*

*** ** * ** ***

## Related Blogs

### [Cloud NGFW](https://www.paloaltonetworks.com/blog/network-security/category/cloud-ngfw/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown)

[#### Modernizing Security on AWS: From Firewall Ops to Security Intent](https://www.paloaltonetworks.com/blog/network-security/modernizing-security-on-aws-from-firewall-ops-to-security-intent/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Strata Network Security Platform](https://www.paloaltonetworks.com/blog/network-security/category/strata-network-security-platform/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown)

[#### Powering the AI Enterprise with New Software Firewall Capabilities](https://www.paloaltonetworks.com/blog/network-security/powering-the-ai-enterprise-with-new-software-firewall-capabilities/)

### [AI Application Security](https://www.paloaltonetworks.com/blog/network-security/category/ai-application-security/?ts=markdown), [AI Governance](https://www.paloaltonetworks.com/blog/category/ai-governance/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Palo Alto Networks Announces Support for NVIDIA Enterprise AI Factory](https://www.paloaltonetworks.com/blog/2026/01/support-nvidia-enterprise-ai-factory/)

### [5G Security](https://www.paloaltonetworks.com/blog/network-security/category/5g-security/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [IoT Security](https://www.paloaltonetworks.com/blog/network-security/category/iot-security/?ts=markdown)

[#### Protecting the Utility Grid's Digital Ecosystem, from Core to Edge to AI](https://www.paloaltonetworks.com/blog/network-security/protecting-the-utility-grid-digital-ecosystem-from-core-to-edge-to-ai/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown), [Event](https://www.paloaltonetworks.com/blog/category/event/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Non categorizzato](https://www.paloaltonetworks.com/blog/category/non-categorizzato/?ts=markdown)

[#### See How We're Fortifying Cloud and AI at AWS re:Inforce 2025](https://www.paloaltonetworks.com/blog/2025/06/fortifying-cloud-ai-aws-reinforce/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/category/next-generation-firewalls/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Securing AI Agent Innovation with Prisma AIRS MCP Server](https://www.paloaltonetworks.com/blog/2025/06/securing-ai-agent-innovation-prisma-airs-mcp-server/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language