Check: JUEX-RT-000390
Juniper EX Series Switches Router STIG:
JUEX-RT-000390
(in versions v1 r1 through v1 r3)
Title
The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. (Cat II impact)
Discussion
Fragmented ICMP packets can be generated by attackers for denial-of-service (DoS) attacks such as Ping of Death and Teardrop, which rely on the target reassembling malformed or overlapping fragments. It is imperative that all fragmented ICMP packets destined to the router itself are dropped before they reach the Routing Engine.
Check Content
Review the firewall filter for the router receive path. Firewall filters applied to the loopback interface affect traffic destined for the Routing Engine (RE) regardless of ingress interface. Individual firewall filters are also supported on each ingress interface.

Note: Verify the firewall filter applied to the loopback interface addresses all traffic destined for the RE (e.g., BGP, OSPF, etc.).

Verify that it will drop all fragmented ICMP packets destined to itself. For example:

    [edit policy-options]
    prefix-list router-addresses-ipv4 {
        <interface IPv4 address>/32;
        <other router interface addresses>;
    }

    [edit firewall family inet]
    filter protect_re {
        term 1 {
            from {
                destination-prefix-list {
                    router-addresses-ipv4;
                }
                is-fragment;
                protocol icmp;
            }
            then {
                log;
                syslog;
                discard;
            }
        }
        <additional terms for RE destined traffic>
    }

    [edit interfaces lo0 unit 0]
    family inet {
        filter {
            input protect_re;
        }
        address <IPv4 address>/32;
    }

On the device, "show configuration interfaces lo0 unit 0 family inet filter" shows which filter is applied to the receive path and "show configuration firewall family inet filter <name>" shows its terms; after the filter is applied, "show firewall log" lists packets hit by terms that carry the log action.

Note: Junos terms are evaluated in order and the first matching term's terminating action is applied, so the fragment-discard term must precede any term that accepts traffic which could include fragmented ICMP (for example, a term that accepts every protocol from a management prefix list). Also note that the is-fragment match condition matches only trailing fragments (non-zero fragment offset); the first fragment of a fragmented datagram is matched by first-fragment. If the first fragment must also be discarded, add a second term with the same destination and protocol conditions that matches first-fragment.

Note: Some Juniper devices support both monolithic filters and filter lists. Filter lists separate each term, or set of terms, into a separate filter that is applied sequentially to an interface. If using filter lists, the keywords "input" or "output" change to "input-list" or "output-list". Verify the final list item is a deny-all filter. The deny-all filter is created once per family and can be reused across multiple lists. For example:

    input-list [ permit_mgt permit_routing_protocols default-deny ];

If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.

Note: If the platform does not support the receive path filter, verify that all layer 3 interfaces have an ingress filter to control what packets are allowed to be destined to the router for processing.
Fix Text
Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.

    set policy-options prefix-list router-addresses-ipv4 <interface IPv4 address>/32
    set firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4
    set firewall family inet filter protect_re term 1 from protocol icmp
    set firewall family inet filter protect_re term 1 from is-fragment
    set firewall family inet filter protect_re term 1 then log
    set firewall family inet filter protect_re term 1 then syslog
    set firewall family inet filter protect_re term 1 then discard
    <additional terms to account for all traffic destined for the RE>
    set interfaces lo0 unit 0 family inet filter input protect_re
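The check above is easy to get wrong by term order alone, so the following script, an added example that is not part of the STIG text, audits a "show configuration | display set" dump offline for this requirement. It parses the set-style lines, finds the filter (or input-list chain) applied to lo0 unit 0 family inet input, and walks the terms in order: the first term whose match conditions could cover a fragmented ICMP packet decides the result, mirroring Junos first-match evaluation. The configurations embedded below are constructed for the example; 192.0.2.1 is a documentation address, the prefix-list and term names follow the STIG's example, and treating both is-fragment and first-fragment as fragment conditions is a choice of this script (the STIG's fix text uses is-fragment).

```python
"""Offline audit of a Junos 'show configuration | display set' dump for
JUEX-RT-000390 (receive-path filter dropping fragmented ICMP).

Added example, not part of the STIG. Junos semantics relied on: terms are
evaluated in order and the first matching term's terminating action applies;
a term with no terminating action accepts; an input-list is evaluated in the
order the filters are listed.
"""
import re
from collections import defaultdict

TERM_RE = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.+)$")
LO0_RE = re.compile(
    r"^set interfaces lo0 unit 0 family inet filter (input|input-list) (.+)$")

# Match conditions that do not rule out a fragmented ICMP datagram addressed
# to the router; any other condition (ports, tcp-flags, icmp-type, ...) does.
NEUTRAL_PREFIXES = ("destination-prefix-list ", "destination-address ",
                    "source-prefix-list ", "source-address ")
FRAGMENT_CONDS = {"is-fragment", "first-fragment"}


def parse_set_config(text):
    """Return ({filter: {term: {"from": [...], "then": [...]}}}, [lo0 chain])."""
    filters = defaultdict(lambda: defaultdict(lambda: {"from": [], "then": []}))
    chain = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TERM_RE.match(line)
        if m:
            fname, tname, section, rest = m.groups()
            filters[fname][tname][section].append(rest)
            continue
        m = LO0_RE.match(line)
        if m:
            # "input name" or "input-list [ a b c ]"; both keep their order
            chain.extend(m.group(2).strip("[] ").split())
    return filters, chain


def could_match_fragmented_icmp(conds):
    """True if a term's from-conditions can match an ICMP fragment for the RE."""
    protocols = [c.split(None, 1)[1] for c in conds if c.startswith("protocol ")]
    if protocols and "icmp" not in protocols:
        return False
    for c in conds:
        if c.startswith("protocol ") or c in FRAGMENT_CONDS:
            continue
        if not c.startswith(NEUTRAL_PREFIXES):
            return False  # e.g. "destination-port 22" cannot be ICMP
    return True


def audit(text):
    """Return a list of findings; an empty list means the check passes."""
    filters, chain = parse_set_config(text)
    if not chain:
        return ["no family inet input filter on lo0 unit 0 (no receive-path filter)"]
    for fname in chain:
        if fname not in filters:
            return [f"filter {fname} is applied on lo0 but not defined"]
        for tname, term in filters[fname].items():
            if not could_match_fragmented_icmp(term["from"]):
                continue
            actions = term["then"]
            if "discard" in actions or "reject" in actions:
                return []  # first term that can match a fragment drops it
            if "next term" in actions:
                continue
            # explicit accept, or no terminating action (Junos default: accept)
            return [f"{fname} term {tname} accepts traffic that includes "
                    f"fragmented ICMP before any term discards it"]
    return ["no term on the lo0 input chain discards fragmented ICMP"]


# Constructed sample dumps (not from a real device).
COMPLIANT = """\
set policy-options prefix-list router-addresses-ipv4 192.0.2.1/32
set firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragment
set firewall family inet filter protect_re term 1 then log
set firewall family inet filter protect_re term 1 then syslog
set firewall family inet filter protect_re term 1 then discard
set firewall family inet filter protect_re term allow-ospf from protocol ospf
set firewall family inet filter protect_re term allow-ospf then accept
set interfaces lo0 unit 0 family inet filter input protect_re
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
"""

WRONG_ORDER = """\
set firewall family inet filter protect_re term allow-mgmt from source-prefix-list mgmt-hosts
set firewall family inet filter protect_re term allow-mgmt then accept
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragment
set firewall family inet filter protect_re term 1 then discard
set firewall family inet filter default-deny term all then discard
set interfaces lo0 unit 0 family inet filter input-list [ protect_re default-deny ]
"""

NO_FILTER = "set interfaces lo0 unit 0 family inet address 192.0.2.1/32\n"

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("wrong-order", WRONG_ORDER),
                      ("no-filter", NO_FILTER)):
        print(name, "->", audit(cfg) or "PASS")
```

The WRONG_ORDER sample is the case the Check Content warns about: the management accept term precedes the fragment term, so fragmented ICMP from a management host reaches the RE even though a discard term exists later in the same filter.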
Additional Identifiers
Rule ID: SV-254011r844066_rule
Vulnerability ID: V-254011
Group Title: SRG-NET-000205-RTR-000002
CCIs
Number | Definition
---|---
CCI-001097 | The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Controls
Number | Title
---|---
SC-7 | Boundary Protection