Dan Goodin writes in New attack reportedly lets 1 modest laptop knock big servers offline that Danish security company TDC has identified "BlackNurse", a relatively low-bandwidth attack that uses ICMP type 3 code 3 packets. TDC reports (PDF) that the attack causes firewall CPU saturation:
BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth. Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.

ICMP type 3 code 3 means "port unreachable", as distinct from "net unreachable" and "host unreachable". Why would handling "net unreachable" and "host unreachable" be cheap but "port unreachable" be expensive? According to Johannes Ullrich:
this is likely due to the firewall attempting to perform stateful analysis of these packets. ICMP unreachable packets include as payload the first few bytes of the packet that caused the error. A firewall can use this payload to determine if the error is caused by a legit packet that left the network in the past. This analysis can take significant resources.

Again we see that expensive operations with cheap requests create a vulnerability that requires mitigation. In this case, rate limiting the ICMP type 3 code 3 packets that get checked is perhaps the best that can be done.
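To make the asymmetry concrete, here is an added example (not code from TDC, Ullrich or any firewall vendor) of the stateful check Ullrich describes, with the rate limit suggested above placed in front of it so that a flood of cheap code 3 packets cannot buy the expensive lookup. The ICMP packets, the flow table and all addresses are constructed for the example.

```python
import struct
import ipaddress

# Constructed sample state: flows the firewall has seen leave the LAN,
# keyed (proto, src_ip, src_port, dst_ip, dst_port). Addresses are made up.
OUTBOUND_FLOWS = {(17, "192.0.2.10", 40000, "198.51.100.5", 53)}

def build_port_unreachable(orig_src, orig_dst, sport, dport, proto=17):
    """Constructed ICMP type 3 code 3 packet: ICMP header, then the quoted
    IPv4 header and the first 8 bytes of the datagram that caused the error."""
    icmp_hdr = struct.pack("!BBHI", 3, 3, 0, 0)           # type, code, cksum, unused
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(orig_src).packed,
                         ipaddress.ip_address(orig_dst).packed)
    l4_hdr = struct.pack("!HHHH", sport, dport, 8, 0)     # UDP: sport, dport, len, cksum
    return icmp_hdr + ip_hdr + l4_hdr

def quoted_flow(icmp_pkt):
    """The expensive step: dig the original 5-tuple out of the quoted payload."""
    itype = icmp_pkt[0]
    if itype != 3 or len(icmp_pkt) < 8 + 20 + 8:
        return None                    # not an unreachable, or too short to quote a flow
    inner = icmp_pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = str(ipaddress.ip_address(inner[12:16]))
    dst = str(ipaddress.ip_address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)

class TokenBucket:
    """Budget of code 3 packets per second that are granted the stateful check."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def handle_unreachable(icmp_pkt, bucket, now, flows=OUTBOUND_FLOWS):
    """Rate-limit code 3 first; only packets within budget get the payload lookup."""
    if icmp_pkt[1] == 3 and not bucket.allow(now):
        return "dropped"               # over budget: not even inspected
    flow = quoted_flow(icmp_pkt)
    return "accepted" if flow in flows else "rejected"
```

With `TokenBucket(rate=2, burst=2)` the third code 3 packet arriving in the same instant is dropped before any parsing, which is the cheap-path/expensive-path separation the post argues for.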