The BlackNurse attacks focus on ICMP (Internet Control Message Protocol). This protocol was designed for networking devices like routers to communicate error messages. These same packets can be used to overwhelm the processors of certain types of firewalls. Regardless of the quality of the internet connections, these type of attacks requires a steady stream of 40k to 50k ICMP packets to reach the victim’s network equipment to maintain the attack. This means while the attack is ongoing, local users will no longer be able to send/receive traffic to/from the internet. TDC reported all firewalls they have seen were able to recover once the attack stopped.

Since this type of DoS technique doesn’t rely on flooding the firewall with traffic, but rather overwhelming the CPU it remains to be an efficient way of knocking servers offline, even those on large network pipes.

Fight back!

There are ways to fight back and protect your network from BlackNurse attacks even though some firewall companies don’t acknowledge it as a security issue just yet. Seeing that BlackNurse relies on ICMP, you can configure a list of trusted sources for this protocol. Or you can simply disable ICMP “Type3” and “Code3” on your WAN interface

Source:

TDC published a technical report here stating the BlackNurse attack is more traditionally known as a “ping flood attack” and is based on ICMP Type 3 (Destination Unreachable) and Code 4 (Port Unreachable) requests