Black Nurse DDoS attack
03/26/2020
BlackNurse is a form of ICMP flood attack which may cause denial of service.
A properly configured next-generation firewall is protected against the BlackNurse attack.
BlackNurse is a low-bandwidth ICMP attack that is highly capable of causing denial of service on firewalls.
The typical impact of the attack on the firewall is high CPU load.
Most ICMP attacks that we see are based on ICMP Type 8 Code 0, also called a ping flood attack.
Note that BlackNurse is based on ICMP Type 3 Code 3 packets, which can be highly effective even at low bandwidth.
During an ongoing attack, if the firewall is not properly configured, there will be a spike in CPU load, and users on the LAN side may no longer be able to send/receive traffic to/from the Internet.
For best protection, it is recommended that customers enable "ICMP Flood Protection" in Firewall Settings.
For further information, refer to Knowledge Base article SW10399 on UDP and ICMP Flood Protection.
Also, SonicOS 188.8.131.52 contains a specific optimization that will automatically detect and prevent the attack.
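
To make the Type 3 Code 3 versus Type 8 Code 0 distinction concrete, the following added example (not SonicWall code and not how SonicOS implements its protection) parses raw IPv4 packets and raises an alert when the rate of ICMP Type 3 Code 3 packets exceeds a threshold. The 200 packets-per-second threshold, the one-second window, the class and function names, and the documentation-range addresses are assumptions chosen for illustration.

```python
import socket
import struct
from collections import deque

BLACKNURSE = (3, 3)  # ICMP Destination Unreachable / Port Unreachable

def icmp_type_code(pkt: bytes):
    """Return (type, code) of an IPv4 ICMP packet, or None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or pkt[9] != 1 or frag_offset or len(pkt) < ihl + 2:
        return None                                # not ICMP, or no ICMP header here
    return pkt[ihl], pkt[ihl + 1]

class Type3Code3Monitor:
    """Sliding-window counter for Type 3 Code 3 packets seen on the WAN side."""
    def __init__(self, threshold=200, window=1.0):  # assumed values, tune per site
        self.threshold, self.window = threshold, window
        self.seen = deque()

    def observe(self, ts: float, pkt: bytes) -> bool:
        """Feed one packet; True while the windowed count exceeds the threshold."""
        if icmp_type_code(pkt) != BLACKNURSE:
            return False
        self.seen.append(ts)
        while ts - self.seen[0] >= self.window:
            self.seen.popleft()
        return len(self.seen) > self.threshold

def build_icmp(icmp_type, code, src="192.0.2.10", dst="198.51.100.1"):
    """Constructed sample packet: 20-byte IPv4 header + 8-byte ICMP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!BBHI", icmp_type, code, 0, 0)

def alerted(packets, **kw):
    """Run (timestamp, packet) pairs through a fresh monitor; did it ever alert?"""
    mon = Type3Code3Monitor(**kw)
    return any([mon.observe(ts, p) for ts, p in packets])

if __name__ == "__main__":
    burst = [(i / 300, build_icmp(3, 3)) for i in range(300)]   # constructed, 300 pps
    pings = [(i / 300, build_icmp(8, 0)) for i in range(300)]   # constructed echo requests
    print(alerted(burst), alerted(pings))
```

A monitor that only counts Type 8 Code 0 would miss this traffic entirely, which is why the type and code are checked explicitly.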