https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990887#M155516 <P>Hi Jens,</P> <P></P> <P>This seems to be affecting all ASAs, we ran those tests yesterday and a 5545 increased to 42% CPU and a 5585 ssp20 took a 9% cpu-hit from just one computer with the same test. The fewer cores your ASA has the worse the impact seems to be.</P> <P></P> <P>If you are under attack I think your best bet is to filter it out further out in the network. I.e. configure a PACL on a switch between your ISP and your ASA that blocks icmp unreachable before it hits your ASA, that is until the original issue has been solved properly.</P> Wed, 16 Nov 2016 13:23:15 GMT CSvensson87 2016-11-16T13:23:15Z https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990884#M155513 <P></P> <P>prevent BlackNurse&nbsp;DoS attack on ASA. What commands should be configured to prevent it etc. Thanks in advance for any help</P> Tue, 12 Mar 2019 08:32:22 GMT https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990884#M155513 H122610517 2019-03-12T08:32:22Z https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990885#M155514 <P>Hi,</P> <P></P> <P>You can read more about it on the links below, there are some suggestions. Please be aware that I have not yet tested it myself on any ASA that is in production so I don't know how well the suggestions actually work. </P> <P></P> <P>http://blacknurse.dk</P> <P>http://soc.tdc.dk/blacknurse/blacknurse.pdf</P> <P></P> <P>"Mitigation<BR />Different kinds of mitigations can be implemented to minimise the impact of the attack. On firewalls and other kinds of equipment a list of trusted sources for which ICMP is allowed could be configured. Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attackquite easily. This is the best mitigation weknow of so far."</P> <P></P> Tue, 15 Nov 2016 10:16:43 GMT https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990885#M155514 CSvensson87 2016-11-15T10:16:43Z https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990886#M155515 <P>Hi</P> <P>We have testet it against a ASA5516 firewall with the linux command hping3 -1 -C 3 -K 3 -i u20.</P> <P>We have the following config as stated in the suggestions.</P> <P><EM>icmp unreachable rate-limit 1 burst-size 1</EM><BR /><EM>icmp deny any time-exceeded WAN</EM><BR /><EM>icmp deny any unreachable WAN</EM></P> <P></P> <P>The firewall reaches 80%-90% CPU and max 20.000 new connections pr second and is practically unreachable.</P> <P>This is on version 9.6(2)1</P> <P></P> <P>Not sure which versions the workaround works on, but is seems to not work on 9.6(2)1 (or I might be missing something)</P> <P></P> <P></P> <P></P> <P></P> <P></P> Wed, 16 Nov 2016 12:55:10 GMT https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990886#M155515 Sentia NOC 2016-11-16T12:55:10Z https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990887#M155516 <P>Hi Jens,</P> <P></P> <P>This seems to be affecting all ASAs, we ran those tests yesterday and a 5545 increased to 42% CPU and a 5585 ssp20 took a 9% cpu-hit from just one computer with the same test. The fewer cores your ASA has the worse the impact seems to be.</P> <P></P> <P>If you are under attack I think your best bet is to filter it out further out in the network. I.e. configure a PACL on a switch between your ISP and your ASA that blocks icmp unreachable before it hits your ASA, that is until the original issue has been solved properly.</P> Wed, 16 Nov 2016 13:23:15 GMT https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990887#M155516 CSvensson87 2016-11-16T13:23:15Z https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990888#M155517 <P>Hi CSvensson87</P> <P>Good to hear some results from others as well.&nbsp; We are not under attack and our egde routers are handling the problem right now as you also state.</P> <P>We will await Cisco...</P> <P>Thank you for your feedback.</P> Wed, 16 Nov 2016 13:39:42 GMT https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990888#M155517 Sentia NOC 2016-11-16T13:39:42Z https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990889#M155518 <P>check also</P> <P>https://supportforums.cisco.com/discussion/13165791/blacknurse-icmp-flooding</P> Fri, 18 Nov 2016 22:24:28 GMT https://community.cisco.com/t5/network-security/prevent-blacknurse-ddos-attacked-on-asa/m-p/2990889#M155518 ROBERTO TACCON 2016-11-18T22:24:28Z