A single laptop can take down high-bandwidth enterprise firewall by using an attack known as BlackNurse, which uses ICMP type 3 (destination unreachable) code 3 (port unreachable) packets. It would take between 40k-50k per second of these types of packets to overload the firewall. The bandwidth required to generate this type of attack requires only between 15Mbps and 18Mbps.
The attack causes high CPU loads which causes users from the LAN side to be unable to communicate with the internet. This attack was successfully tested using Cisco ASA firewalls in default settings. Firewalls from Palo Alto Networks, SonicWall, and Zyxel Comm. are also impacted, but only if settings are misconfigured.
In order to mitigate an attack like this would need ICMP Type 3 Code 3 on the WAN interface to be disabled. Enabling ICMP Flood in the firewall’s DoS protection profile can also mitigate this type of attack.
Article: http://www.csoonline.com/article/3141299/security/dos-technique-lets-a-single-laptop-take-down-an-enterprise-firewall.html
Brent Easley says
Interesting article, Security professionals have to deal with individuals attacking their networks from the outside but it is a different animal when just a single laptop can shut down your whole network crippling your day to day activities.