The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

An XCCDF Rule

Description

<VulnDiscussion>Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-254011r997525_rule
Severity: Medium
References: CCI-001097 CCI-004866
Updated: 17 days ago

Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.

set policy-options prefix-list router-addresses-ipv4 <interface IPv4 address>/32
set firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragmentset firewall family inet filter protect_re term 1 then log
set firewall family inet filter protect_re term 1 then syslog
set firewall family inet filter protect_re term 1 then discard
<additional terms to account for all traffic destined for the RE>

set interfaces lo0 unit 0 family inet filter input protect_re

The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Description

Remediation - Manual Procedure