CISC-RT-000170 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces - DODIN Backbone

Information

ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.

Solution

Disable ip unreachables on all external interfaces as shown below.

RP/0/0/CPU0:R3(config)#int g0/0/0/1
RP/0/0/CPU0:R3(config-if)#ipv4 unreachables disable

Alternative - DODIN Backbone

Configure the PE router to rate limit ICMP unreachable messages as shown in the example below.

RP/0/0/CPU0:R3(config)#icmp ipv4 rate-limit unreachable df 1000
RP/0/0/CPU0:R3(config)#icmp ipv4 rate-limit unreachable 60000
RP/0/0/CPU0:R3(config)#end
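As an added example (not part of the STIG or of Tenable's own audit logic), the Python script below checks a constructed IOS-XR running-config excerpt against this rule: an external interface passes if it carries "ipv4 unreachables disable", or, per the DODIN Backbone alternative, if the global "icmp ipv4 rate-limit unreachable" command is present. The list of external interface names is an assumption that the operator supplies.

```python
# Constructed IOS-XR running-config excerpt (sample data, not from the page);
# "show running-config" expands "int g0/0/0/1" to "interface GigabitEthernet0/0/0/1".
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0/0
 description Internal LAN
 ipv4 address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 description External uplink (compliant)
 ipv4 address 192.0.2.1 255.255.255.252
 ipv4 unreachables disable
!
interface GigabitEthernet0/0/0/2
 description External peering (unreachables still enabled)
 ipv4 address 198.51.100.1 255.255.255.252
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each interface name to its indented sub-commands."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the interface block
    return interfaces

def rate_limit_configured(config: str) -> bool:
    """True if the DODIN Backbone alternative (global ICMP unreachable rate limit) is set."""
    return any(l.startswith("icmp ipv4 rate-limit unreachable") for l in config.splitlines())

def check_unreachables(config: str, external: list[str]) -> dict[str, str]:
    """Verdict per external interface: 'disabled', 'rate-limited', or 'FINDING'."""
    interfaces = parse_interfaces(config)
    alternative = rate_limit_configured(config)
    verdicts: dict[str, str] = {}
    for name in external:
        if "ipv4 unreachables disable" in interfaces.get(name, []):
            verdicts[name] = "disabled"
        elif alternative:
            verdicts[name] = "rate-limited"
        else:
            verdicts[name] = "FINDING"  # also hit when the interface is absent from the config
    return verdicts
```

Feed it the output of "show running-config" and the external interface names for the device; any "FINDING" verdict is an interface that needs either the per-interface disable or the global rate limit applied.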

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-216746r856437_rule, STIG-ID|CISC-RT-000170, STIG-Legacy|SV-105837, STIG-Legacy|V-96699, Vuln-ID|V-216746

Plugin: Cisco

Control ID: 2386852b1332c0d0dea9cec3e7f109a5c586a2a142f1e6d584170f10b077e9c4