IP Packet Protection

As packets traverse different networks, it is sometimes necessary to break a packet into smaller pieces (fragments) based upon the maximum transmission unit (MTU) of each network. IP fragments might contain an attacker's attempt to exploit the vulnerabilities in the packet reassembly code of specific IP stack implementations. When the victim receives these packets, the results can range from processing the packets incorrectly to crashing the entire system. See Figure 1.

Figure 1: IP Packet Fragments

When you enable Junos OS to deny IP fragments on a security zone, it blocks all IP packet fragments that it receives at interfaces bound to that zone.

In IPv6 packets, fragment information is not present in the IPv6 header. The fragment information is present in the fragment extension header, which is responsible for IPv6 fragmentation and reassembly. The source node inserts the fragment extension header between the IPv6 header and the payload header if fragmentation is required. See Figure 2.

Figure 2: IPv6 Packet

The general format of the fragment extension header is shown in Figure 3.

Figure 3: Fragment Extension Header

This example shows how to drop fragmented IP packets.

The IP standard RFC 791, Internet Protocol, specifies a set of eight options that provide special routing controls, diagnostic tools, and security. Although the original, intended uses for these options served worthy ends, people have figured out ways to twist these options to accomplish less commendable objectives.

Either intentionally or accidentally, attackers sometimes configure IP options incorrectly, producing either incomplete or malformed fields. Regardless of the intentions of the person who crafted the packet, the incorrect formatting is anomalous and potentially harmful to the intended recipient. See Figure 4.

Figure 4: Incorrectly Formatted IP Options

When you enable the bad IP option protection screen option, Junos OS blocks packets when any IP option in the IP packet header is incorrectly formatted. Additionally, Junos OS records the event in the event log.

This example shows how to block large ICMP packets with incorrectly formatted options.

Based on the latest IANA protocol numbers document, the protocol types with ID numbers of 143 or greater are reserved and undefined at this time. Precisely because these protocols are undefined, there is no way to know in advance if a particular unknown protocol is benign or malicious.

Unless your network makes use of a nonstandard protocol with an ID number of 143 or greater, a cautious stance is to block such unknown elements from entering your protected network. See Figure 5.

Figure 5: Unknown Protocols

When you enable the unknown protocol protection screen option, Junos OS drops packets when the protocol field contains a protocol ID number of 143 or greater by default.

This example shows how to drop packets using an unknown protocol.

Junos OS provides the administrative option to configure an allowlist of trusted IP addresses on IP block fragment screen. When you enable IP block fragmentation in a zone, Junos OS denies IP fragments and blocks all IP packet fragments. All the fragmented IP packets will be dropped. To avoid these packets dropping and instead allow these packets to bypass the IP block fragmentation check, you must configure IP block fragment allowlist.

When you configure allowlist on IP block fragment screen, the traffic from source addresses in the allowlist groups bypasses the IP block fragmentation check. IP block fragment allowlist supports both IPv4 and IPv6 addresses and in each allowlist, there can be up to 32 IP address prefixes. You can configure single address or subnet address.