This topic describes how to configure detection of an
ICMP fragment attack.
If an ICMP packet is large, then it must be fragmented. When
the ICMP fragment protection screen option is enabled, the Junos OS
blocks any ICMP packet that has many fragment flags set or that has
an offset value indicated in the offset field.
To enable detection of an ICMP fragment IDS attack:
- Configure interfaces and assign an IP address to interfaces.
[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24
user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
- Configure security zones trustZone and untrustZone and assign interfaces
to them.
[edit]
user@host# set security zones security-zone trustZone host-inbound-traffic system-services all
user@host# set security zones security-zone trustZone host-inbound-traffic protocols all
user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0
user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all
user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all
user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
- Configure security policies from untrustZone to trustZone.
[edit]
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit
user@host# set security policies default-policy deny-all
- Configure security screens and attach them to untrustZone.
[edit]
user@host# set security screen ids-option untrustScreen icmp fragment
user@host# set security zones security-zone untrustZone screen untrustScreen
user@host# set security screen ids-option untrustScreen alarm-without-drop
- Configure syslog.
[edit]
user@host# set system syslog file syslog any any
user@host# set system syslog file syslog archive size 10000000
user@host# set system syslog file syslog explicit-priority
user@host# set system syslog file syslog structured-data
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
- Commit the configuration.