6.16 Ensure Ping Record Route is Set to Disabled

Information

The Routing Engine should ignore Echo Requests with the Record Route option set.

Rationale:

When the Record Route Option is set on an Echo Request (ping), the hosts processing the packet should record their Interface addresses and a Timestamp on the response packet as it traverses the network (up to 9 hops) allowing the host that made the request to see the path that the response takes through the network, including discovering details of Provider Edge (PE) switches in MPLS VPN services and Loopback Interfaces.

Attackers may use Echo Requests with the Record Route option set during recognizance of a network to obtain details of the networks topology,

The Record Route Option is considered to be largely deprecated, with no valid uses expected in almost all production networks; therefore, the JUNOS Device should be configured not to to include these details when responding to Echo Requests with the Record Route Option set.

Impact:

ICMP Echo Requests (pings) with the Record Route Option set will still receive a response (unless blocked elsewhere), but the JUNOS Device will not return the additional Route and Interface details.

Solution

To disable reporting of Interface details in responses to Echo Requests with the Record Route option set, issue the following command from the [edit system] hierarchy;

[edit system]
user@host#set no-ping-record-route

Default Value:

By default the Routing Engine responds to Echo Requests with the Record Route option set, adding the receiving interfaces IP address to the header of the packet.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Juniper

Control ID: bff4b2e648122855398b61f8737c2235dee25b7e461c392bb6d617164ce1bd14