JUNI-RT-000140 - The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Information

Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the filter that is applied inbound to the loopback interface to drop all fragmented ICMP packets as shown in the example below.

[edit firewall family inet filter DESTINED_TO_RP]
set term BLOCK_ICMP_FRAG from protocol icmp is-fragment
set term BLOCK_ICMP_FRAG then discard
insert term BLOCK_ICMP_FRAG before term DENY_BY_DEFAULT

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7a., CAT|II, CCI|CCI-001097, Rule-ID|SV-217020r604135_rule, STIG-ID|JUNI-RT-000140, STIG-Legacy|SV-101035, STIG-Legacy|V-90825, Vuln-ID|V-217020

Plugin: Juniper

Control ID: d7326a8700af8e14ac05a43cc088b54d3e694e50e341696e336dad003d1cd6b4