Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7083
Views
0
Helpful
5
Replies

prevent BlackNurse DDOS attacked on ASA

H122610517
Community Member

‎11-14-2016 09:27 PM - edited ‎03-12-2019 01:32 AM

prevent BlackNurse DoS attack on ASA. What commands should be configured to prevent it etc. Thanks in advance for any help

11 people had this problem
Labels:
0 Helpful
5 Replies 5

CSvensson87
Level 1
Level 1

‎11-15-2016 02:16 AM

Hi,

You can read more about it on the links below, there are some suggestions. Please be aware that I have not yet tested it myself on any ASA that is in production so I don't know how well the suggestions actually work.

http://blacknurse.dk

http://soc.tdc.dk/blacknurse/blacknurse.pdf

"Mitigation
Different kinds of mitigations can be implemented to minimise the impact of the attack. On firewalls and other kinds of equipment a list of trusted sources for which ICMP is allowed could be configured. Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attackquite easily. This is the best mitigation weknow of so far."

0 Helpful

ROBERTO TACCON
Level 4
Level 4
In response to CSvensson87

‎11-18-2016 02:24 PM

check also

https://supportforums.cisco.com/discussion/13165791/blacknurse-icmp-flooding

0 Helpful

Sentia NOC
Level 1
Level 1

‎11-16-2016 04:55 AM

Hi

We have testet it against a ASA5516 firewall with the linux command hping3 -1 -C 3 -K 3 -i u20.

We have the following config as stated in the suggestions.

icmp unreachable rate-limit 1 burst-size 1
icmp deny any time-exceeded WAN
icmp deny any unreachable WAN

The firewall reaches 80%-90% CPU and max 20.000 new connections pr second and is practically unreachable.

This is on version 9.6(2)1

Not sure which versions the workaround works on, but is seems to not work on 9.6(2)1 (or I might be missing something)

0 Helpful

CSvensson87
Level 1
Level 1
In response to Sentia NOC

‎11-16-2016 05:23 AM

Hi Jens,

This seems to be affecting all ASAs, we ran those tests yesterday and a 5545 increased to 42% CPU and a 5585 ssp20 took a 9% cpu-hit from just one computer with the same test. The fewer cores your ASA has the worse the impact seems to be.

If you are under attack I think your best bet is to filter it out further out in the network. I.e. configure a PACL on a switch between your ISP and your ASA that blocks icmp unreachable before it hits your ASA, that is until the original issue has been solved properly.

0 Helpful

Sentia NOC
Level 1
Level 1
In response to CSvensson87

‎11-16-2016 05:39 AM

Hi CSvensson87

Good to hear some results from others as well.  We are not under attack and our egde routers are handling the problem right now as you also state.

We will await Cisco...

Thank you for your feedback.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card