Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Blacknurse ICMP flooding

Does anyone know what Cisco products are affected by Blacknurse ICMP flooding?

The only documents I can see from Cisco is

ASA is the only product though if you read products including Cisco are been added daily.

I plan to apply on our ASR1002-X routers.......... icmp unreachable rate-limit 1 burst 1...for ICMP type 3

Do you think this would be a good idea or is not required, as Cisco have not listed my Router!

New Member

Please ntoe that if you have

Please ntoe that if you have firewall feature enabled (ZBF) still be a problem.

For example check the Cisco ASA:

- When mitigating using:

icmp deny any unreachable outside
icmp deny any time outside

the reduction in load is less than 50% on packets towards the ASA outside IP, but it does not affect the load of packets towards hosts behind the ASA550. On 5515-X it did not prevent 100% CPU on 50k packets per second with type 3 ICMP packets.
New Member

Thanks for this excellent

Thanks for this excellent information Roberto.

New Member

please note also that

please note also that


the bug does not affect only ICMP type 3 code 3


We would kindly like to inform you about some interesting results in our experiments with "unassigned" icmp-types

When flooding cisco asa's (a handfull older as well newer models) with "unassigned" icmp type=1, type=2, etc it seems that the asa is computing the "number of connections / sec" differently:
X "normal" ICMP's / sec => X connections / sec
X "unassigned" ICMP's / sec => one single connection !
in other words: DOS-flooding with "unassigned" types is INVISIBLE in the asa connection statistics ;-)