← Back to Juniper Router RTR Security Technical Implementation Guide

V-217020

CAT II (Medium)

The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Rule ID

SV-217020r604135_rule

STIG

Juniper Router RTR Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-001097

Discussion

Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

Check Content

Review the filter that is applied inbound to the loopback interface and verify that it discards fragmented ICMP packets as shown in the example below.

firewall {
    family inet {
       …
       …
       …
        }
        filter DESTINED_TO_RE {
           …
           …
           …
            }
            term BLOCK_ICMP_FRAG {
                from {
                    is-fragment;
                    protocol icmp;
                }
                then {
                    discard;
                }
            }
            term ICMP_ANY {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term DENY_BY_DEFAULT {
                then {
                    log;
                    discard;
                }
            }
        }
    }

If the router is not configured to filter to drop all fragmented ICMP packets destined to itself, this is a finding.

Fix Text

Configure the filter that is applied inbound to the loopback interface to drop all fragmented ICMP packets as shown in the example below.

[edit firewall family inet filter DESTINED_TO_RP]
set term BLOCK_ICMP_FRAG from protocol icmp is-fragment
set term BLOCK_ICMP_FRAG then discard
insert term BLOCK_ICMP_FRAG before term DENY_BY_DEFAULT