On Thursday, November 10, 2016, TDC Security Operations Center in Denmark published a report stating they had noticed several low-volume ICMP attacks in their customers’ networks. TDC named this type of attack BlackNurse.
The security of our customers is our top priority. We have conducted an investigation into this issue and to date have found that Palo Alto Networks Next-Generation Firewall customers can only be affected in very specific, non-default scenarios that contravene best practices.
A traditional ICMP flood attack sends ICMP requests to the target in large volume. BlackNurse, on the other hand, is an ICMP attack that sends a low volume of ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) messages to the target. BlackNurse is a form of Denial-of-Service (DoS) attack, and the TDC report claims that it has the potential to disrupt the target organization’s operations.
1) Palo Alto Networks Next-Generation Firewalls drop ICMP requests by default, so unless you have explicitly allowed ICMP in a security policy, your organization is not affected and no action is required.
2) If you have explicitly allowed ICMP in a security policy and have implemented our best practices for flood protection, your organization is not affected and no action is required.
3) If you have explicitly allowed ICMP in a security policy and have not implemented our best practices for flood protection, your organization’s firewalls may experience higher CPU and memory usage, which may slow down the firewall’s response. Please refer to the best practices listed below.
For protection against BlackNurse, we recommend that customers implement the following best practices. Specifically, please follow the steps below, taken from the Configure DoS Protection Against Flooding of New Sessions page of the PAN-OS 7.1 Administrator’s Guide:
- Configure a DoS Protection profile for flood protection. Because flood attacks can occur over multiple protocols, the recommended best practice is to activate protection for all flood types in the DoS Protection profile. However, to protect against BlackNurse, the following types of flood protection are required:
- ICMP Flood
- ICMPv6 Flood
- Configure a DoS protection policy rule that specifies the criteria for matching the incoming traffic.
- Commit the configuration.
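As an added illustration, not code from the original post or from Palo Alto Networks, the following Python detector flags the BlackNurse traffic pattern (a sustained stream of ICMP Type 3 Code 3 packets toward one destination) in constructed per-packet records, the kind of check a SOC might run over packet-capture output alongside the firewall's own flood protection. The record format, the sample data and the 40 packets-per-second threshold are assumptions for this example, not PAN-OS defaults.

```python
from collections import defaultdict, deque

# Constructed sample records: (timestamp_ms, src_ip, dst_ip, icmp_type, icmp_code).
# Timestamps are integer milliseconds to keep the sliding-window arithmetic exact.
SAMPLE = (
    # 60 Port Unreachable packets 20 ms apart: a low-volume (50 pps) BlackNurse-style stream
    [(10000 + i * 20, "198.51.100.7", "203.0.113.1", 3, 3) for i in range(60)]
    # ordinary echo requests (Type 8) that must be ignored by the detector
    + [(10000 + i * 500, "198.51.100.9", "203.0.113.1", 8, 0) for i in range(4)]
    # a single stray Port Unreachable to another host: legitimate, not a flood
    + [(10300, "198.51.100.8", "203.0.113.2", 3, 3)]
)


def is_port_unreachable(icmp_type, icmp_code):
    """ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable)."""
    return icmp_type == 3 and icmp_code == 3


def detect_blacknurse(records, threshold_pps=40, window_ms=1000):
    """Return {dst_ip: peak_pps} for every destination whose rate of
    Type 3 / Code 3 packets exceeded threshold_pps in some sliding window.
    threshold_pps is an assumed alarm rate, chosen here for illustration."""
    windows = defaultdict(deque)   # dst_ip -> timestamps inside the current window
    peaks = {}
    for ts, _src, dst, icmp_type, icmp_code in sorted(records):
        if not is_port_unreachable(icmp_type, icmp_code):
            continue
        q = windows[dst]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while q and ts - q[0] >= window_ms:
            q.popleft()
        if len(q) > threshold_pps:
            peaks[dst] = max(peaks.get(dst, 0), len(q))
    return peaks


if __name__ == "__main__":
    for dst, pps in detect_blacknurse(SAMPLE).items():
        print(f"possible BlackNurse flood toward {dst}: peak {pps} pps of ICMP 3/3")
```

The stream in the sample is only 50 packets per second, well below a classic flood, which is why a per-type rate check rather than a raw bandwidth threshold is what catches it.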
For more, please refer to the step-by-step instructions listed on the Configure DoS Protection Against Flooding of New Sessions page in the PAN-OS 7.1 Administrator’s Guide.
For customers using a version of PAN-OS prior to 6.1, please see the PAN-OS Administrator’s Guide for your organization’s software version listed on our Technical Documentation page and refer to the steps listed under Threat Prevention > About Security Profiles > DoS Protection.
Note that firewall DoS protection is included as part of PAN-OS and does not require any software subscriptions.
Should you have any questions or need assistance with implementing these best practices, please don’t hesitate to contact our support team at support.paloaltonetworks.com.
[Palo Alto Networks Research Center]