The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-217020 | JUNI-RT-000140 | SV-217020r604135_rule | CCI-001097 | medium |

| Description |
|---|
| Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped. |

| STIG | Date |
|---|---|
| Juniper Router RTR Security Technical Implementation Guide | 2024-12-05 |
Details
Check Text (C-217020r604135_chk)
Review the filter that is applied inbound to the loopback interface and verify that it discards fragmented ICMP packets as shown in the example below.
    firewall {
        family inet {
            …
            filter DESTINED_TO_RE {
                …
                term BLOCK_ICMP_FRAG {
                    from {
                        is-fragment;
                        protocol icmp;
                    }
                    then {
                        discard;
                    }
                }
                term ICMP_ANY {
                    from {
                        protocol icmp;
                    }
                    then accept;
                }
                term DENY_BY_DEFAULT {
                    then {
                        log;
                        discard;
                    }
                }
            }
        }
    }
If the router is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.
Fix Text (F-18247r296929_fix)
Configure the filter that is applied inbound to the loopback interface to drop all fragmented ICMP packets as shown in the example below.
[edit firewall family inet filter DESTINED_TO_RP]
set term BLOCK_ICMP_FRAG from protocol icmp is-fragment
set term BLOCK_ICMP_FRAG then discard
insert term BLOCK_ICMP_FRAG before term DENY_BY_DEFAULT
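A compliance check for this rule, written here as an added example (it is not part of the STIG or of any Juniper tooling): it walks the filter's terms in evaluation order, as they appear in `show configuration firewall family inet | display set` output, and confirms that the first term a fragmented ICMP packet can match discards it. This is exactly the property the `insert term BLOCK_ICMP_FRAG before term DENY_BY_DEFAULT` step protects; the second sample shows what happens when the term is added without that step and lands after ICMP_ANY. Both samples are constructed, not captured from a device, and the filter name DESTINED_TO_RE is taken from the check text.

```python
import re
from collections import OrderedDict

# Constructed sample of `... | display set` output for the filter in the check text.
COMPLIANT = """\
set firewall family inet filter DESTINED_TO_RE term BLOCK_ICMP_FRAG from is-fragment
set firewall family inet filter DESTINED_TO_RE term BLOCK_ICMP_FRAG from protocol icmp
set firewall family inet filter DESTINED_TO_RE term BLOCK_ICMP_FRAG then discard
set firewall family inet filter DESTINED_TO_RE term ICMP_ANY from protocol icmp
set firewall family inet filter DESTINED_TO_RE term ICMP_ANY then accept
set firewall family inet filter DESTINED_TO_RE term DENY_BY_DEFAULT then log
set firewall family inet filter DESTINED_TO_RE term DENY_BY_DEFAULT then discard
"""
# Same terms, but BLOCK_ICMP_FRAG was added without `insert ... before`, so it
# sits after ICMP_ANY and a fragmented ICMP packet is accepted before reaching it.
_lines = COMPLIANT.splitlines()
MISORDERED = "\n".join([l for l in _lines if "ICMP_ANY" in l]
                       + [l for l in _lines if "ICMP_ANY" not in l]) + "\n"

TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.+)$")
FRAG_ICMP = {"protocol icmp", "is-fragment"}   # conditions a fragmented ICMP packet satisfies

def parse_terms(set_config, filter_name):
    """Ordered {term: {"from": set(conditions), "then": set(actions)}} for one filter.
    Junos evaluates terms top to bottom, so the order of first appearance is kept."""
    terms = OrderedDict()
    for line in set_config.splitlines():
        m = TERM_RE.match(line.strip())
        if m and m.group(1) == filter_name:
            _, term, section, value = m.groups()
            terms.setdefault(term, {"from": set(), "then": set()})[section].add(value)
    return terms

def drops_fragmented_icmp(set_config, filter_name):
    """Return (compliant, deciding_term): the first term a fragmented ICMP packet
    can hit must discard it. A term with no 'from' conditions matches everything."""
    for name, term in parse_terms(set_config, filter_name).items():
        conds = term["from"]
        if conds <= FRAG_ICMP:                 # every fragmented ICMP packet matches here
            return ("discard" in term["then"], name)
        if any(c.startswith("protocol ") and c != "protocol icmp" for c in conds):
            continue                            # other protocol only: cannot match ICMP
        if "accept" in term["then"]:            # may accept some fragmented ICMP first
            return (False, name)
    return (False, None)  # no explicit term found: report as a finding for review

if __name__ == "__main__":
    print(drops_fragmented_icmp(COMPLIANT, "DESTINED_TO_RE"))   # (True, 'BLOCK_ICMP_FRAG')
    print(drops_fragmented_icmp(MISORDERED, "DESTINED_TO_RE"))  # (False, 'ICMP_ANY')
```

Run it against the real `display set` output of the filter applied to lo0 to reproduce the check; a result of `(False, "ICMP_ANY")` is the misordering the fix text's `insert` command prevents.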