Blacknurse ICMP flooding

Unanswered Question
Nov 17th, 2016
User Badges:

Does anyone know what Cisco products are affected by Blacknurse ICMP flooding?

The only documents I can see from Cisco is https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc07227/?referring_site=s

ASA is the only product though if you read http://blacknurse.dk/ products including Cisco are been added daily.

I plan to apply on our ASR1002-X routers.......... icmp unreachable rate-limit 1 burst 1...for ICMP type 3

Do you think this would be a good idea or is not required, as Cisco have not listed my Router!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ROBERTO TACCON Thu, 11/17/2016 - 09:31
User Badges:

Please ntoe that if you have firewall feature enabled (ZBF) still be a problem.

For example check the Cisco ASA:

http://www.blacknurse.dk/testresults.txt

- When mitigating using:

icmp deny any unreachable outside
icmp deny any time outside

the reduction in load is less than 50% on packets towards the ASA outside IP, but it does not affect the load of packets towards hosts behind the ASA550. On 5515-X it did not prevent 100% CPU on 50k packets per second with type 3 ICMP packets.
ROBERTO TACCON Fri, 11/18/2016 - 02:35
User Badges:

please note also that


1)

the bug does not affect only ICMP type 3 code 3

http://www.blacknurse.dk/blacknurse.pdf


2)

http://www.blacknurse.dk/Gupta.txt

We would kindly like to inform you about some interesting results in our experiments with "unassigned" icmp-types

http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

When flooding cisco asa's (a handfull older as well newer models) with "unassigned" icmp type=1, type=2, etc it seems that the asa is computing the "number of connections / sec" differently:
    
X "normal" ICMP's / sec => X connections / sec
    
BUT
    
X "unassigned" ICMP's / sec => one single connection !
    
in other words: DOS-flooding with "unassigned" types is INVISIBLE in the asa connection statistics ;-)

Actions

This Discussion