JUEX-RT-000390 - The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Information

Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.

set policy-options prefix-list router-addresses-ipv4 <interface IPv4 address>/32
set firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragment
set firewall family inet filter protect_re term 1 then log
set firewall family inet filter protect_re term 1 then syslog
set firewall family inet filter protect_re term 1 then discard
<additional terms to account for all traffic destined for the RE>

set interfaces lo0 unit 0 family inet filter input protect_re
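An added compliance check, not part of the STIG or the Nessus audit: this Python script parses a Junos configuration in "display set" form and reports whether a filter applied as input on lo0 has a term that discards ICMP fragments before any term that could accept them. The configuration below is a constructed sample; 192.0.2.1 is a documentation-range placeholder for the router address.

```python
import re

# Constructed sample in "display set" form; 192.0.2.1 is a documentation-range placeholder.
SAMPLE_CONFIG = """
set policy-options prefix-list router-addresses-ipv4 192.0.2.1/32
set firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragment
set firewall family inet filter protect_re term 1 then log
set firewall family inet filter protect_re term 1 then syslog
set firewall family inet filter protect_re term 1 then discard
set firewall family inet filter protect_re term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input protect_re
"""

TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.+)$")
LO0_RE = re.compile(r"^set interfaces lo0 unit \d+ family inet filter input (\S+)$")

def parse_terms(config):
    """Map (filter, term) -> {'from': set, 'then': set}; dict order is term order."""
    terms = {}
    for line in config.strip().splitlines():
        m = TERM_RE.match(line.strip())
        if m:
            flt, term, clause, rest = m.groups()
            terms.setdefault((flt, term), {"from": set(), "then": set()})[clause].add(rest)
    return terms

def lo0_input_filters(config):
    """Names of filters applied inbound on lo0, i.e. on the RE receive path."""
    return {m.group(1) for line in config.strip().splitlines()
            if (m := LO0_RE.match(line.strip()))}

def could_accept_icmp(clauses):
    """A term may accept ICMP if it accepts and its 'from' does not name another protocol."""
    protos = {c for c in clauses["from"] if c.startswith("protocol ")}
    return "accept" in clauses["then"] and (not protos or "protocol icmp" in protos)

def fragmented_icmp_dropped(config):
    """True if some lo0 input filter discards ICMP fragments before any term could accept them."""
    terms = parse_terms(config)
    for flt in lo0_input_filters(config):
        for clauses in [c for (f, _), c in terms.items() if f == flt]:
            frm = clauses["from"]
            if "protocol icmp" in frm and "is-fragment" in frm and "discard" in clauses["then"]:
                return True
            if could_accept_icmp(clauses):
                break  # an accept here would shadow any later discard term in this filter
    return False
```

Junos `is-fragment` matches only trailing fragments (non-zero fragment offset); a companion term using `first-fragment` is needed to also catch the first fragment of each datagram.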

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7a., CAT|II, CCI|CCI-001097, CCI|CCI-004866, Rule-ID|SV-254011r997525_rule, STIG-ID|JUEX-RT-000390, Vuln-ID|V-254011

Plugin: Juniper

Control ID: 18d41004af934e0509b019293e1082a7e81cdd08b14d47a5a9a96063987a25c3