HomeNetwork SecurityBlackNurse Denial of Service Attack

BlackNurse Denial of Service Attack

BlackNurse Denial of Service Attack

Remember the days back in the 90s when you could cripple someones Internet connection simply by issuing a few PING command like “ping -t [target]”? This type of attack was only successful if the victim was on a dial-up modem connection. However, it turns out that a similar form of ICMP flooding can still be used to perform a denial of service attack; even when the victim is on a gigabit network.”

The Danish internet service provider TDC’S SOC team reported that flooding network devices is getting more popular than flooding the uplinks. During one of their attack analysis, they realized that flooding some of their customer’s devices with ICMP  packets  can disturb operations of the customers. They called this attack as BlackNurse Denial of Service Attack.  But, it is not similar with the conventional ICMP flood attack,though it is based on ICMP Type 3, Code 3 packets by using very low bandwidth.

When I heard about BlackNurse first time, it sounded so unreasonable 🙂 After doing some researches on test environment, the devices became unstable so transit traffic affected from the attack.

Another strange point is that it is not a vendor specific attack vector. As seen from affected product list below, there are several vendors suffering from Black Nurse.

Cisco ASA 5505, 5506, 5515, 5525 , 5540 

Cisco 6500 routers 

Cisco ASA 5550 (Legacy) and 5515-X (latest generation)

Cisco Router 897 


Some unverified Palo Alto

Palo Alto 5050 Firewalls with firmware 7.1.4-h2

Zyxel NWA3560-N

Zyxel Zywall USG50

FortiOS v5.4.1

Fortigate units 60c and 100D (even with drop ICMP on)

How to Attack

TDC’S SOC team suggest to use hping3  with following command;

hping3 -1 -C 3 -K 3 -i u20 <target ip>

It generates approximately 16kpps and 24 Mbps ICMP traffic with dual core workstation.

I use MZ (Mausezahn) which is free raw packet generator “written in C which allows you to send nearly every possible and impossible packet” with following parameters.

mz -B <target ip> -t icmp "unreach, code=3" -c 400000 -d 20

If your attack is successful, your management connection to the device will be down. That’s why, do not forget to add –count parameter with a definite count value.


By using MZ command that shared above, we observed 40kpps packet rate with an amount of 48 Mbps bandwidth.

We did two tests; one of them aimed to directly assigned IP address of the device, the other one was to aim NAT IPs on the device.

In spite of low volume, the results are very surprising as follows. The device started to struggle for 3-5 seconds, then it dropped transit traffic that is passing through it.

Picture1-Observation of BlackNurse Attack
Picture 1-Observation of BlackNurse Attack

Attack Surface

  • Check Point Devices

    Check Point reported that Check Point Security Gateways are not vulnerable to the “BlackNurse” attack.


  • Fortigate Devices

    On http://blacknurse.dk/ website, it is said that 60c and 100D units and  FortiOS v5.4.1 are affectted even with drop ICMP configuration. On the contrary, vendor side reported that FortiDDoS architecture can beat the attack even if an attacker changes the script to another combination of these types and codes.  If someone had already tried it, please share the results with me.



  • Palo Alto

    There are two ways to protect the device from being hit. One of them is enabling a Zone Protection Profile and appyling it to the ingress zone. Second one is to configure DDoS Protection Policy as Palo Alto advised in their reseach center.

I just had a chance to test DDoS protection policy. It can be easily applied to zones without any service interruption as follows.

Gallery 1 – How to Create and Apply DDoS Protection on Palo Alto

After enabling DDoS protection policy, we regenerate the attack scenario and observed from Palo Alto threat monitoring tab from web interface as follows.

Picture 3 - Monitoring Device Behaviour from Threat
Picture 2 – Monitoring Device Behaviour from Threat

The important point is that, the attacks which are coming to the directly connected interfaces of the device handled by Police engine as Untrust-to-Untrust traffic. That’s why do not forget to assign a Ddos protection policy from Untrust Zone to Untrust Zone.

Picture 2 - Monitoring Blocked
Picture 3 – Monitoring Blocked Packets by Policy Engine
  • By Using Snort Rules

    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible BlackNurse attack from external source "; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; priority:3; sid:88000012; rev:1;)
    alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible BlackNurse attack from internal source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; priority:3; sid:88000013; rev:1;)

I haven’t test other vendors like Juniper, Fortigate and Cisco yet. As soon as I test, I will share from here.



Mitigating Black Nurse on Fortigate and Cisco is following.


If you have any suggestion or comment, kindly do not hesitate to ask me  from [email protected] or by leaving comment.




Ali Bay
Ali Bay
Sr. Network & Security Engineer



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments