6.5.3 Ensure ICMP Source-Quench is Set to Disabled

Information

ICMP Source Quench messages should be ignored.

Rationale:

ICMP Source Quench messages were intended to let a host ask a peer it is communicating with to slow down its transmission of new data because the host is being overwhelmed.

Several recorded vulnerabilities have shown how Source Quench messages may be abused by an attacker to create a DoS attack, causing the router to slow down transmission of data to one, several or all destinations. Because of these vulnerabilities, and the general ineffectiveness of Source Quench for congestion control, RFC 6633 deprecated its use, and ICMP Source Quench should therefore be disabled.

Impact:

None expected. ICMP Source Quench is deprecated and there is no valid reason for it to be present on a modern network, so ignoring these messages does not affect legitimate traffic.

Solution

Configure the JUNOS device to ignore ICMP Source Quench messages by issuing the following command from the [edit system internet-options] hierarchy and committing the change.

[edit system internet-options]
user@host#set no-source-quench

Default Value:

By default the router does not ignore ICMP Source Quench messages; no-source-quench is not set unless it has been configured explicitly.
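The following script is an added offline audit example for this control; it is not part of the benchmark or of Junos. It takes captured output of "show configuration" (either the brace-delimited form or "| display set" form) and reports whether the [edit system internet-options] hierarchy disables Source Quench, treating an explicit source-quench statement, an absent no-source-quench statement (the default described above) and a deactivated no-source-quench statement as failures. The sample configurations and the host name edge-rtr1 are constructed for illustration only.

```python
"""Offline audit for CIS Juniper 6.5.3: is ICMP Source Quench ignored?

Added example, not benchmark or Junos code. The sample configurations are
constructed and do not come from a real device.
"""
import re

# Constructed samples, as they would be captured from "show configuration".
CONFIG_DEFAULT = """\
system {
    host-name edge-rtr1;
    internet-options {
        tcp-drop-synfin-set;
    }
}
"""

CONFIG_HARDENED = """\
system {
    host-name edge-rtr1;
    internet-options {
        no-source-quench;
        tcp-drop-synfin-set;
    }
}
"""

# Same knob deactivated: present in the text but not applied by the device.
CONFIG_INACTIVE = """\
system {
    internet-options {
        inactive: no-source-quench;
    }
}
"""

CONFIG_DISPLAY_SET = """\
set system host-name edge-rtr1
set system internet-options no-source-quench
"""

CONFIG_EXPLICIT_ENABLE = "set system internet-options source-quench\n"

CONFIG_DEACTIVATED_SET = """\
set system internet-options no-source-quench
deactivate system internet-options no-source-quench
"""

REMEDIATION = ["configure",
               "set system internet-options no-source-quench",
               "commit and-quit"]

_SET_RE = re.compile(
    r"^(set|deactivate)\s+system\s+internet-options(?:\s+(\S+))?\s*$")


def _knobs_from_set_format(text):
    """Leaf statements under [system internet-options] in 'display set' output,
    minus anything a 'deactivate' line switched off."""
    knobs, deactivated, stanza_inactive = set(), set(), False
    for line in text.splitlines():
        m = _SET_RE.match(line.strip())
        if not m:
            continue
        verb, knob = m.group(1), m.group(2)
        if verb == "set" and knob:
            knobs.add(knob)
        elif verb == "deactivate":
            if knob is None:          # whole stanza deactivated
                stanza_inactive = True
            else:
                deactivated.add(knob)
    return set() if stanza_inactive else knobs - deactivated


def _knobs_from_stanza_format(text):
    """Walk the brace-delimited form, tracking the hierarchy path.
    Items prefixed 'inactive:' (and everything beneath an inactive stanza)
    are ignored, because the device does not apply them."""
    path, knobs = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):   # single-line comments
            continue
        inactive = line.startswith("inactive:")
        if inactive:
            line = line[len("inactive:"):].strip()
        if line.endswith("{"):
            name = line[:-1].strip()
            path.append("!" + name if inactive else name)   # '!' marks inactive
        elif line == "}":
            if path:
                path.pop()
        elif line.endswith(";") and not inactive:
            if path == ["system", "internet-options"]:
                knobs.add(line[:-1].strip())
    return knobs


def internet_options_knobs(text):
    """Return the statements configured under [edit system internet-options]."""
    if re.search(r"^\s*(set|deactivate)\s", text, re.M):
        return _knobs_from_set_format(text)
    return _knobs_from_stanza_format(text)


def source_quench_disabled(text):
    """Return (compliant, reason) for this control."""
    knobs = internet_options_knobs(text)
    if "source-quench" in knobs:
        return False, "source-quench explicitly enabled"
    if "no-source-quench" in knobs:
        return True, "no-source-quench is configured"
    return False, "no-source-quench absent or inactive; default honours Source Quench"


if __name__ == "__main__":
    samples = [("default stanza", CONFIG_DEFAULT), ("hardened stanza", CONFIG_HARDENED),
               ("inactive knob", CONFIG_INACTIVE), ("display set", CONFIG_DISPLAY_SET),
               ("explicit enable", CONFIG_EXPLICIT_ENABLE),
               ("deactivated set", CONFIG_DEACTIVATED_SET)]
    for name, cfg in samples:
        ok, why = source_quench_disabled(cfg)
        print(f"{name:16s} {'PASS' if ok else 'FAIL'}: {why}")
        if not ok:
            print("    remediation: " + "; ".join(REMEDIATION))
```

On a live device the same check is "show configuration system internet-options", whose output should contain no-source-quench; without the inactive: prefix. The script deliberately fails a configuration that merely contains the statement in deactivated form, since a text search alone would report it as compliant.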

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: f79e2a936d582745cef55a38b97d9105107a2da322a28efad8c48098a9cc82fc