Blacknurse ICMP flooding

stephendrkw
Level 3

Does anyone know what Cisco products are affected by Blacknurse ICMP flooding?

The only document I can see from Cisco is https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc07227/?referring_site=s

ASA is the only product listed, though if you read http://blacknurse.dk/, products (including Cisco's) are being added daily.

I plan to apply "icmp unreachable rate-limit 1 burst 1" (for ICMP type 3) on our ASR1002-X routers.

Do you think this would be a good idea, or is it not required, as Cisco have not listed my router!

3 Replies

ROBERTO TACCON
Level 4

Please note that if you have the firewall feature (ZBF) enabled, it will still be a problem.

For example check the Cisco ASA:

http://www.blacknurse.dk/testresults.txt

- When mitigating using:

icmp deny any unreachable outside
icmp deny any time outside

the reduction in load is less than 50% on packets towards the ASA outside IP, but it does not affect the load of packets towards hosts behind the ASA550. On 5515-X it did not prevent 100% CPU on 50k packets per second with type 3 ICMP packets.

Thanks for this excellent information Roberto.

Please note also that

1)

the bug does not affect only ICMP type 3 code 3

http://www.blacknurse.dk/blacknurse.pdf

2)

http://www.blacknurse.dk/Gupta.txt

We would kindly like to inform you about some interesting results from our experiments with "unassigned" ICMP types

http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

When flooding Cisco ASAs (a handful of older as well as newer models) with "unassigned" ICMP type=1, type=2, etc. it seems that the ASA is computing the "number of connections / sec" differently:

X "normal" ICMPs / sec => X connections / sec

BUT

X "unassigned" ICMPs / sec => one single connection!

In other words: DoS-flooding with "unassigned" types is INVISIBLE in the ASA connection statistics ;-)
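The last reply makes the point that the ASA connection counter hides floods of "unassigned" ICMP types, so a defender who relies on that counter alone will not see them. As an added example (not from this thread, Cisco, or blacknurse.dk), the Python monitor below counts raw ICMP packets per source, type and code in one-second windows, raises an alert when a rate exceeds a threshold, and marks types that fall outside an abridged list of assigned ICMP types. The packet bytes, addresses and threshold are constructed here for illustration; the list of "expected" types is a deliberately abridged assumption drawn from the IANA registry linked above, not the full registry.

```python
import struct
from collections import defaultdict

# Abridged set of ICMP types this monitor treats as assigned/expected. Anything
# else (including types 1 and 2 mentioned in the thread) is reported as
# unassigned-or-deprecated. Assumption: abridged from the IANA registry; extend
# to taste for a production deployment.
EXPECTED_TYPES = {0, 3, 5, 8, 9, 10, 11, 12, 13, 14, 42, 43}


def parse_icmp(frame: bytes):
    """Return (src_ip, icmp_type, icmp_code) for a raw IPv4/ICMP packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None                      # too short, or not IPv4
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != 1 or len(frame) < ihl + 4:
        return None                      # protocol 1 is ICMP; need type+code
    src = ".".join(str(b) for b in frame[12:16])
    return src, frame[ihl], frame[ihl + 1]


def build_packet(src: str, dst: str, icmp_type: int, icmp_code: int) -> bytes:
    """Constructed sample IPv4+ICMP packet (checksums left zero; parser ignores them)."""
    icmp_hdr = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp_hdr),
                         0, 0, 64, 1, 0, src_b, dst_b)
    return ip_hdr + icmp_hdr


def detect_icmp_floods(packets, threshold_pps: float, window: float = 1.0):
    """packets: iterable of (timestamp_seconds, raw_bytes). Returns a list of alerts."""
    counts = defaultdict(int)            # (window_idx, src, type, code) -> packets
    for ts, frame in packets:
        parsed = parse_icmp(frame)
        if parsed is None:
            continue
        src, t, c = parsed
        counts[(int(ts // window), src, t, c)] += 1

    alerts = []
    for (w, src, t, c), n in sorted(counts.items()):
        pps = n / window
        if pps >= threshold_pps:
            alerts.append({
                "window": w, "src": src, "type": t, "code": c, "pps": pps,
                # Flag it even when the firewall's connection counter would not.
                "unassigned": t not in EXPECTED_TYPES,
            })
    return alerts


def run_demo():
    """Constructed traffic: one type-3 flood, one 'unassigned' type-1 flood, some pings."""
    victim = "192.0.2.10"                # documentation addresses, constructed
    traffic = []
    for i in range(300):                 # 300 pps of type 3 code 3 from one source
        traffic.append((i / 300, build_packet("198.51.100.7", victim, 3, 3)))
    for i in range(250):                 # 250 pps of unassigned type 1
        traffic.append((i / 250, build_packet("198.51.100.9", victim, 1, 0)))
    for i in range(20):                  # 20 pps of ordinary echo requests
        traffic.append((i / 20, build_packet("192.0.2.5", victim, 8, 0)))
    traffic.append((0.5, b"\x60" + b"\x00" * 39))   # an IPv6-looking frame, skipped
    return detect_icmp_floods(traffic, threshold_pps=100)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Because the monitor counts packets rather than connections, the type-1 flood is reported with the same weight as the type-3 flood; the echo requests stay under the threshold and produce no alert. In practice the input would come from a SPAN port or pcap rather than constructed frames, and the threshold should be tuned to the platform's observed ICMP baseline.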