Title

The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. (Cat II impact)

Discussion

Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

Check Content

Review the filter that is applied inbound to the loopback interface and verify that it discards fragmented ICMP packets as shown in the example below. firewall { family inet { … … … } filter DESTINED_TO_RE { … … … } term BLOCK_ICMP_FRAG { from { is-fragment; protocol icmp; } then { discard; } } term ICMP_ANY { from { protocol icmp; } then accept; } term DENY_BY_DEFAULT { then { log; discard; } } } } If the router is not configured to filter to drop all fragmented ICMP packets destined to itself, this is a finding.

Fix Text

Configure the filter that is applied inbound to the loopback interface to drop all fragmented ICMP packets as shown in the example below. [edit firewall family inet filter DESTINED_TO_RP] set term BLOCK_ICMP_FRAG from protocol icmp is-fragment set term BLOCK_ICMP_FRAG then discard insert term BLOCK_ICMP_FRAG before term DENY_BY_DEFAULT

Additional Identifiers

Rule ID: SV-217020r604135_rule

Vulnerability ID: V-217020

Group Title: SRG-NET-000205-RTR-000002

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.