Abstract:
Traditional Distributed Denial of Service (DDoS) attacks usually flood target network servers with malicious traffic. This generally requires a set of attack hosts and a large volume of network traffic to crash or degrade the performance of target servers, causing service disruptions. Recently, new types of DDoS attacks have emerged that specifically target network security devices, mainly firewalls and intrusion prevention systems (IPS). In contrast to traditional DDoS attacks, these emerging attacks use a low volume of malicious traffic. This paper is concerned solely with an emerging denial of firewalling attack, called the BlackNurse attack. This new attack uses specially formatted ICMP packets to overwhelm the CPUs on targeted firewalls. This paper offers detailed insights into the BlackNurse attack principles, practical attack generation, and its general effect on impacted firewalls and the network behind them. Performance evaluations are conducted on commercial-grade Juniper NetScreen SSG 20 and Cisco ASA 5540 firewalls to measure how harmful the BlackNurse attack is to each of them. In addition, the pros and cons of available attack mitigations are discussed. OS screening features on the Juniper NetScreen SSG 20 are used, as an example, to test their effectiveness in thwarting the attack.
Published in: 2019 IEEE/ACS 16th International Conference on Computer Systems and Applications (AICCSA)
Date of Conference: 03-07 November 2019
Date Added to IEEE Xplore: 16 March 2020