Configuring ICMP Fragment Screen
This topic describes how to configure detection of an ICMP fragment attack.
If an ICMP packet is large, then it must be fragmented. When the ICMP fragment protection screen option is enabled, the Junos OS blocks any ICMP packet that has many fragment flags set or that has an offset value indicated in the offset field.
Configure the security screen option and attach it to the untrustZone as follows:
[edit] user@host# set security screen ids-option untrustScreen icmp fragment user@host# set security zones security-zone untrustZone screen untrustScreen user@host# set security screen ids-option untrustScreen alarm-without-drop