[Updated December 02, 2016]
This post has been updated following further testing and investigation of the BlackNurse issue. Our further investigation indicates that Zone Protection provides optimal mitigation coverage and we recommend that customers implement Zone Protection to mitigate the BlackNurse issue.
Customers who have previously followed our guidance on BlackNurse should review the updated Impact and Recommendations sections of this blog. We have modified our initial recommendations: customers should now use Zone Protection to obtain optimal coverage against BlackNurse.
===
On Thursday, Nov. 10, 2016, the TDC Security Operations Center in Denmark published a report stating that it had noticed several low-volume ICMP attacks in its customers’ networks. TDC named this type of attack BlackNurse.
The security of our customers is our top priority. We have conducted an investigation into this issue and to date have found that Palo Alto Networks Next-Generation Firewall customers may be affected in one specific scenario that contravenes best practices: the attack rate exceeds the platform's maximum Connections Per Second (CPS) limit and no protections have been enabled on the device.
A traditional ICMP flood attack sends ICMP requests to the target in a large volume. BlackNurse, on the other hand, is an ICMP attack that sends a low volume of ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) requests to the target. BlackNurse is a form of Denial-of-Service (DoS) attack and the TDC report claims that it has the potential to disrupt the target organization’s operations.
Palo Alto Networks Next-Generation Firewalls may be impacted by the BlackNurse attack if the attack rate approaches the platform's maximum Connections Per Second (CPS) limit and no protections are enabled on the device.
Note: See the Change Log section at the end of this blog for our prior impact statement.
For protection against BlackNurse, we recommend that customers implement ICMP Flood Protection, which is part of Zone Protection. Customers may also implement DoS Protection in cases where the attack is from a single source IP.
Note: Any BlackNurse attack whose rate exceeds the platform's maximum Connections Per Second (CPS) limit may result in unexpected performance issues. In such cases, rate limiting of the ICMP traffic involved has to take place upstream, before the traffic reaches our firewall.
A Zone Protection profile is enforced before security policy checks. This helps throttle packets once the threshold is reached and protects the firewall resources as well as resources being protected by the firewall.
Please follow the steps below, taken from the Zone Protection section of the PAN-OS 7.1, PAN-OS 7.0, PAN-OS 6.1 and PAN-OS 6.0 Administrator’s Guides:
A DoS Protection profile may mitigate the attack more efficiently in cases where the attack comes from a single source IP. The thresholds for a DoS policy are typically lower, since they are applied on a per-IP basis, whereas a Zone Protection threshold applies to the aggregate of all ingress traffic for the zone.
Note: Please do not use a DoS Protection profile on interfaces facing a high number of sources, such as the internet-facing interfaces.
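The difference between the two models described above (an aggregate per-zone threshold versus a per-source-IP threshold) is easiest to see on sample traffic. The following Python script is an added example written for this post; it is not Palo Alto Networks code and does not reproduce PAN-OS internals (real Zone Protection has alarm, activate and maximal rates plus Random Early Drop, which are omitted here). It classifies ICMP Type 3 Code 3 packets, computes both rates over a constructed one-second sample, and shows why a per-IP threshold catches a single-source flood but misses a many-source one, which is the reason a DoS Protection profile is a poor fit for internet-facing interfaces. All threshold values and addresses are hypothetical.

```python
from collections import Counter

# ICMP Destination Unreachable (type 3) / Port Unreachable (code 3), per RFC 792.
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3


def is_blacknurse_candidate(pkt):
    """Return True for ICMP Type 3 Code 3, the packet class BlackNurse uses."""
    return (pkt["proto"] == "icmp"
            and pkt["type"] == ICMP_DEST_UNREACH
            and pkt["code"] == ICMP_PORT_UNREACH)


def zone_icmp_rate(packets, window_s):
    """Aggregate ICMP 3/3 packets per second over the whole zone.

    This is the quantity a Zone Protection ICMP flood threshold is compared against.
    """
    matching = sum(1 for p in packets if is_blacknurse_candidate(p))
    return matching / window_s


def per_source_icmp_rates(packets, window_s):
    """ICMP 3/3 packets per second broken down by source IP.

    This is the quantity a per-IP DoS Protection threshold is compared against.
    """
    counts = Counter(p["src"] for p in packets if is_blacknurse_candidate(p))
    return {src: n / window_s for src, n in counts.items()}


def evaluate(packets, window_s, zone_activate_pps, dos_per_ip_pps):
    """Report which model would start throttling for this traffic sample."""
    zone_pps = zone_icmp_rate(packets, window_s)
    per_src = per_source_icmp_rates(packets, window_s)
    return {
        "zone_pps": zone_pps,
        "zone_protection_triggers": zone_pps >= zone_activate_pps,
        "dos_offenders": sorted(s for s, r in per_src.items() if r >= dos_per_ip_pps),
    }


def make_icmp_burst(src, count, icmp_type=3, code=3):
    """Constructed sample traffic (not a real capture): `count` ICMP packets from `src`."""
    return [{"proto": "icmp", "src": src, "type": icmp_type, "code": code}
            for _ in range(count)]


# Hypothetical thresholds for illustration only; real values depend on the platform's CPS limit.
WINDOW_S = 1
ZONE_ACTIVATE_PPS = 1000   # aggregate threshold for the whole zone
DOS_PER_IP_PPS = 100       # much lower, because it is applied per source IP

# Scenario A: one source at 180 pps of ICMP 3/3 plus a few benign echo replies (type 0).
# Only the per-IP model fires; the zone aggregate stays well under its threshold.
single_source = (make_icmp_burst("198.51.100.7", 180)
                 + make_icmp_burst("203.0.113.9", 20, icmp_type=0, code=0))

# Scenario B: 50 sources at 30 pps each, 1500 pps aggregate.
# Only the zone model fires; no single source reaches the per-IP threshold.
many_sources = [p for i in range(50)
                for p in make_icmp_burst(f"203.0.113.{i + 1}", 30)]

if __name__ == "__main__":
    for name, sample in (("single source", single_source), ("many sources", many_sources)):
        print(name, evaluate(sample, WINDOW_S, ZONE_ACTIVATE_PPS, DOS_PER_IP_PPS))
```

Running the script prints, for the single-source sample, a zone rate of 180 pps with no zone trigger and one DoS offender, and for the many-source sample a zone rate of 1500 pps with the zone trigger set and an empty offender list. The second case is exactly the traffic pattern the note above warns about: on an interface facing many sources, a per-IP profile never sees any one source exceed its threshold, while the aggregate zone threshold does.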
To implement DoS Protection measures, please follow the steps below, taken from the Configure DoS Protection Against Flooding of New Sessions page of the PAN-OS 7.1 Administrator’s Guide:
For more, please refer to the step-by-step instructions listed on the Configure DoS Protection Against Flooding of New Sessions page in the PAN-OS 7.1 Administrator’s Guide.
For customers using a version of PAN-OS prior to 6.1, please see the PAN-OS Administrator’s Guide for your organization’s software version listed on our Technical Documentation page and refer to the steps listed under the section ‘Threat Prevention’ > About Security Profiles > DoS Protection.
Note: DoS Protection and Zone Protection are included as part of PAN-OS and do not require any software subscriptions.
Should you have any questions or need assistance with implementing these recommendations, please don’t hesitate to contact our support team at support.paloaltonetworks.com.
Change Log:
2016-11-11 – Initial Blog Published.
2016-12-02 – Blog updated to include Zone Protection as the optimal protection against BlackNurse. DoS Protection section updated to note protection offered against Single Source attacks. Impact and Recommendations sections changed to reflect our new and updated guidance. The following text was removed from the Impact section: