The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

An XCCDF Rule

Description

Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

ID: SV-254011r997525_rule
Version: JUEX-RT-000390
Severity: Medium
References: CCI-001097 CCI-004866
Updated: 5 days ago

Remediation Templates

Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.

set policy-options prefix-list router-addresses-ipv4 <interface IPv4 address>/32
set firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragmentset firewall family inet filter protect_re term 1 then log
set firewall family inet filter protect_re term 1 then syslog
set firewall family inet filter protect_re term 1 then discard
<additional terms to account for all traffic destined for the RE>

set interfaces lo0 unit 0 family inet filter input protect_re

The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Description

Remediation Templates

A Manual Procedure