Configuring Ping-Of-Death Attack Screen
This topic describes how to configure detection of a ping-of-death attack.
The ping-of-death screen checks for an IP datagram in which the protocol field of the IP header is set to 1 (ICMP), the last fragment bit is set, and (IP offset * 8) + (IP data length) > 65535. That is, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
Configure the security screen option and attach it to the untrustZone as follows:
[edit]
user@host# set security screen ids-option untrustScreen icmp ping-death
user@host# set security zones security-zone untrustZone screen untrustScreen
user@host# set security screen ids-option untrustScreen alarm-without-drop
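
The match condition described above, written as a check over a raw IPv4 header so the boundary at 65535 can be seen on sample input. This is an added example, not Juniper code or device output; the function names, the constructed sample headers, and the reading of "last fragment" as the More Fragments flag being clear are assumptions.

```python
import struct

ICMP = 1                 # IP protocol number for ICMP
MAX_IP_PACKET = 65535    # maximum size of an IP packet

def is_ping_of_death(header: bytes) -> bool:
    """Return True if a raw IPv4 header matches the condition described above."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return False                          # truncated or not IPv4
    ihl = (header[0] & 0x0F) * 4              # header length in bytes
    total_len, _ident, flags_frag = struct.unpack("!HHH", header[2:8])
    if ihl < 20 or total_len < ihl:
        return False                          # malformed length fields
    more_fragments = bool(flags_frag & 0x2000)
    offset_units = flags_frag & 0x1FFF        # fragment offset, 8-byte units
    data_len = total_len - ihl                # IP data carried by this fragment
    # Assumption: "last fragment" means the More Fragments flag is clear.
    return (header[9] == ICMP and not more_fragments
            and offset_units * 8 + data_len > MAX_IP_PACKET)

def sample_header(protocol, total_len, offset_units, more_fragments=False):
    """Build a constructed 20-byte IPv4 header (documentation addresses)."""
    flags_frag = (0x2000 if more_fragments else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, protocol, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 1]))

# Constructed samples: (description, header)
SAMPLES = [
    ("ordinary last ICMP fragment", sample_header(ICMP, 548, 185)),
    ("ICMP last fragment ending exactly at 65535", sample_header(ICMP, 43, 8189)),
    ("ICMP last fragment ending past 65535", sample_header(ICMP, 1500, 8189)),
    ("same offsets, UDP", sample_header(17, 1500, 8189)),
]

def classify(samples=SAMPLES):
    """Evaluate each sample header and return (description, matched) pairs."""
    return [(desc, is_ping_of_death(hdr)) for desc, hdr in samples]

if __name__ == "__main__":
    for desc, hit in classify():
        print(f"{'ALERT' if hit else 'ok   '}  {desc}")
```

Only the third sample matches: the second ends exactly at 65535, which the strict inequality does not flag, and the fourth is not ICMP.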