DISA STIGS Viewer

The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Overview

Finding ID: V-254011
Version: JUEX-RT-000390
Rule ID: SV-254011r997525_rule
IA Controls: (none listed)
Severity: Medium
Description
Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
STIG: Juniper EX Series Switches Router Security Technical Implementation Guide
Date: 2024-06-10

Details

Check Text (C-57463r844064_chk)
Review the firewall filter for the router receive path. Firewall filters applied to the loopback interface affect traffic destined for the Routing Engine (RE) regardless of ingress interface. Individual firewall filters are also supported on each ingress interface.
Note: Verify the firewall filter applied to the loopback interface addresses all traffic destined for the RE (e.g., BGP, OSPF, etc.).

Verify that it will drop all fragmented ICMP packets destined to itself. For example:
[edit policy-options]
prefix-list router-addresses-ipv4 {
    <interface IPv4 address>/32;
    <other router interface addresses>;
}
[edit firewall family inet]
filter protect_re {
    term 1 {
        from {
            destination-prefix-list {
                router-addresses-ipv4;
            }
            is-fragment;
            protocol icmp;
        }
        then {
            log;
            syslog;
            discard;
        }
    }
    <additional terms for RE destined traffic>
}
[edit interfaces lo0 unit 0]
family inet {
    filter {
        input protect_re;
    }
    address <IPv4 address>/32;
}

Note: Some Juniper devices support both monolithic filters and filter lists. Filter lists separate each term, or set of terms, into a separate filter that is applied sequentially to an interface. If using filter lists, the keywords "input" or "output" change to "input-list" or "output-list". Verify the final list item is a deny-all filter. The deny-all filter is created once per family and can be reused across multiple lists. For example:

input-list [ permit_mgt permit_routing_protocols default-deny ];

If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.

Note: If the platform does not support the receive path filter, verify that all layer 3 interfaces have an ingress filter to control what packets are allowed to be destined to the router for processing.
Fix Text (F-57414r844065_fix)
Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.

set policy-options prefix-list router-addresses-ipv4 <interface IPv4 address>/32
set firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragment
set firewall family inet filter protect_re term 1 then log
set firewall family inet filter protect_re term 1 then syslog
set firewall family inet filter protect_re term 1 then discard
<additional terms to account for all traffic destined for the RE>

set interfaces lo0 unit 0 family inet filter input protect_re
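As an added example that is not part of the STIG or of any Juniper tooling, the following Python script automates the check above against `show configuration | display set` output: it looks for a filter applied inbound on lo0 unit 0 (via `input` or, for filter lists, `input-list`) containing a term that matches `protocol icmp` plus `is-fragment` and discards it. The sample configuration, its address and the function names are constructed assumptions.

```python
import re

# Constructed sample of "show configuration | display set" output (assumed, not from a real device).
SAMPLE_CONFIG = """\
set policy-options prefix-list router-addresses-ipv4 192.0.2.1/32
set firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragment
set firewall family inet filter protect_re term 1 then log
set firewall family inet filter protect_re term 1 then syslog
set firewall family inet filter protect_re term 1 then discard
set interfaces lo0 unit 0 family inet filter input protect_re
"""

def lo0_input_filters(lines):
    """Return the filter names applied inbound on lo0 unit 0 ('input' or 'input-list')."""
    names = []
    for ln in lines:
        m = re.match(r"set interfaces lo0 unit 0 family inet filter input(?:-list)? (.+)$", ln)
        if m:
            # display-set output may emit one list member per line or a bracketed list
            names.extend(m.group(1).strip("[] ").split())
    return names

def fragment_icmp_discard_terms(lines, filter_name):
    """Return the term names in filter_name whose match includes icmp + is-fragment and whose action is discard."""
    terms = {}
    prefix = f"set firewall family inet filter {filter_name} term "
    for ln in lines:
        if not ln.startswith(prefix):
            continue
        term, _, stmt = ln[len(prefix):].partition(" ")
        terms.setdefault(term, set()).add(stmt)
    required = {"from protocol icmp", "from is-fragment", "then discard"}
    return [t for t, stmts in terms.items() if required <= stmts]

def check_juex_rt_000390(config_text):
    """Return (compliant, reason) for the receive-path fragmented-ICMP rule."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    filters = lo0_input_filters(lines)
    if not filters:
        return False, "no receive-path filter applied inbound on lo0 unit 0"
    for f in filters:
        hits = fragment_icmp_discard_terms(lines, f)
        if hits:
            return True, f"filter {f} term(s) {hits} discard fragmented ICMP"
    return False, f"lo0 filters {filters} have no term discarding fragmented ICMP"

if __name__ == "__main__":
    print(check_juex_rt_000390(SAMPLE_CONFIG))
```

The script does not evaluate term order, so an earlier term that accepts ICMP would still pass it; review the filter's term sequence by hand as the check text directs.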