Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Low-Bandwidth “BlackNurse” DDoS Attacks Can Disrupt Firewalls

Researchers warn that certain types of low bandwidth distributed denial-of-service (DDoS) attacks can cause some widely used enterprise firewalls to enter a temporary DoS condition.

Researchers warn that certain types of low bandwidth distributed denial-of-service (DDoS) attacks can cause some widely used enterprise firewalls to enter a temporary DoS condition.

While analyzing DDoS attacks aimed at their customers, experts at the security operations center of Danish telecom operator TDC noticed that some attacks based on the Internet Control Message Protocol (ICMP) can cause serious disruptions even over low bandwidths.

ICMP attacks, also known as ping flood attacks, are highly common, but they typically rely on Type 8 Code 0 packets. The attacks that caught TDC’s attention are based on ICMP Type 3 Code 3 packets.

The attacks, dubbed by the company “BlackNurse,” can be highly effective even at bandwidths as low as 15-18 Mbps and they can cause disruptions to firewalls even if the victim has an Internet connection of 1 Gbps.

“The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send /receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops,” TDC explained in a report detailing BlackNurse attacks.

“We know that a small number (1 to many) of internet connections with uplink speed of around 15-18 Mbit/s can keep large companies or organisations under DoS / DDoS until they mitigate the attack,” it added.

Experts pointed out that this type of attack has been around for more than 20 years, but they believe organizations are not sufficiently aware of the risks. A scan of the Danish IP address space revealed that there were over 1.7 million devices responding to ICMP pings, which means these attacks can have a significant impact.

Researchers have so far confirmed that BlackNurse attacks work against Cisco ASA and SonicWall firewalls, but they likely also affect products from Palo Alto Networks and other vendors. The Iptables firewall utility for Linux, MikroTik products and OpenBSD are not affected.

While in some cases attacks might be possible due to a vulnerability in the firewall, some vendors blamed a configuration problem. Detection rules and proof-of-concept (PoC) code have been made available to allow users to identify attacks and test their equipment.

SecurityWeek has reached out to affected vendors, including Cisco, Palo Alto Networks and SonicWall, for comment.

Palo Alto Networks has published a blog post saying that its customers are only affected in very specific, non-default scenarios that contravene best practices. 

SonicWall is listed in the affected products section on the BlackNurse website, with the mention that attacks are possible when the firewall is misconfigured. SonicWall told SecurityWeek that it has been in touch with TDC. The vendor’s testing showed that its firewalls are not vulnerable with normal ICMP flood protection on.

Cisco was notified about these attacks in June, but TDC said the company decided not to classify the issue as a security flaw.

“Cisco is aware of a new Denial-of-Service (DOS) type of attack that may target firewalls, including select Cisco ASA devices. This issue is not vendor-specific, and the attack does not exploit a security vulnerability. In the event of an attack, the mentioned ASA devices continue to enforce the configured security policy, and there is not a compromise,” Cisco said in a statement sent to SecurityWeek

Cisco’s approach to security begins when a product is conceived and continues all the way through its deployment. For the select ASA firewalls noted in this study, protection against DOS threats is multi-layered, and we work with our customers to ensure the DOS security is accounted for further upstream in the network as a best practice,” the company added.

In the case of Cisco ASA firewalls, TDC recommends denying ICMP Type 3 messages sent to the product’s WAN interface or upgrading to more high-end ASA firewalls that have multiple CPU cores as BlackNurse attacks are not as effective against these types of systems. Attacks can also be mitigated using professional anti-DDoS services.

*Updated with clarifications from SonicWall, Palo Alto Networks and a statement from Cisco

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.