
Ensure ICMP Source-Quench is Set to Disabled

Details

ICMP Source Quench messages should be ignored.

Rationale:

ICMP Source Quench messages are intended to allow a host to request that a peer with which it is communicating slows down the transmission of new data because the host is being overwhelmed.

Several recorded vulnerabilities have shown how Source Quench messages may be abused by an attacker to create a DoS attack, causing the router to slow down transmission of data to one, several or all destinations. Due to these vulnerabilities, and the general ineffectiveness of Source Quench for congestion control, RFC6633 deprecated its use and ICMP Source Quench should be disabled.

Impact:

ICMP Source Quench is deprecated and there is no valid reason for ICMP Source Quench to be present on a modern network.

Solution

Configure the JUNOS Device to ignore ICMP source-quench messages by issuing the following command from the [edit system internet-options] hierarchy.

[edit system internet-options]
user@host# set no-source-quench
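An added audit helper, not part of the CIS benchmark or of Junos itself, that checks a `show configuration | display set` dump for this control. It treats the knob as ineffective when the `system internet-options` stanza (or any ancestor) carries a `deactivate` line, since an inactive stanza is not applied; the sample configurations are constructed.

```python
"""Audit a Junos 'display set' dump for 'system internet-options no-source-quench'."""
import re

# Constructed samples of "show configuration | display set" output.
SAMPLE_COMPLIANT = """\
set system host-name core-rtr1
set system internet-options no-source-quench
set system internet-options tcp-drop-synfin-set
"""
SAMPLE_NONCOMPLIANT = """\
set system host-name core-rtr2
set system internet-options tcp-drop-synfin-set
"""
# Knob present, but the whole stanza is deactivated, so it has no effect.
SAMPLE_DEACTIVATED = """\
set system internet-options no-source-quench
deactivate system internet-options
"""

_SET_RE = re.compile(r"^\s*set\s+(.*?)\s*$")
_DEACT_RE = re.compile(r"^\s*deactivate\s+(.*?)\s*$")


def parse_display_set(text: str):
    """Split display-set output into set statements and deactivated paths."""
    statements, deactivated = [], []
    for line in text.splitlines():
        if m := _SET_RE.match(line):
            statements.append(m.group(1).split())
        elif m := _DEACT_RE.match(line):
            deactivated.append(m.group(1).split())
    return statements, deactivated


def source_quench_disabled(config_text: str) -> bool:
    """True only if no-source-quench is configured and not under a deactivated path."""
    target = ["system", "internet-options", "no-source-quench"]
    statements, deactivated = parse_display_set(config_text)
    if target not in statements:
        return False
    # A deactivated ancestor path suppresses every statement beneath it.
    return not any(target[:len(path)] == path for path in deactivated)


def audit(config_text: str) -> str:
    """Benchmark-style verdict for the control."""
    return "PASS" if source_quench_disabled(config_text) else "FAIL"
```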

Default Value:

By default the router does not ignore ICMP Source Quench messages.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Juniper.

Updated on July 16, 2022