CISC-RT-000140 - The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself - ICMP packets destined to itself

Information

Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

Solution

Configure the external and internal ACLs to drop all fragmented ICMP packets destined to the router itself, as shown in the example below.

RP/0/0/CPU0:R3(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)#25 deny icmp any host x.11.1.2 fragments log

RP/0/0/CPU0:R3(config)#ipv4 access-list INTERNAL_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)#5 deny icmp any host 10.1.12.2 fragments log

Note: Ensure the above statement is before any permit statements for ICMP.
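An added compliance check (not part of the STIG or the Tenable audit) that parses an IOS XR running-config excerpt and verifies, per ACL, that a "deny icmp ... fragments" entry exists and is sequenced before any entry that could permit ICMP. The sample configuration, ACL names and addresses below are constructed; a "permit ipv4" entry is treated as permitting ICMP as well.

```python
import re

# Constructed IOS XR running-config excerpt (not from the STIG page); 192.0.2.1
# and 10.1.12.2 stand in for the router's own interface addresses.
SAMPLE_CONFIG = """\
ipv4 access-list EXTERNAL_ACL_INBOUND
 10 permit tcp any host 192.0.2.1 eq 22
 25 deny icmp any host 192.0.2.1 fragments log
 30 permit icmp any host 192.0.2.1 echo
!
ipv4 access-list INTERNAL_ACL_INBOUND
 5 permit icmp any host 10.1.12.2
 10 deny icmp any host 10.1.12.2 fragments log
!
"""

# One access-control entry: "<seq> <permit|deny> <protocol> <rest of ACE>"
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

def parse_acls(config: str) -> dict[str, list[tuple[int, str, str, str]]]:
    """Return {acl_name: [(seq, action, protocol, rest), ...]} in config order."""
    acls, current = {}, None
    for line in config.splitlines():
        if line.startswith("ipv4 access-list "):
            current = line.split(maxsplit=2)[2].strip()
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if current and m:
            acls[current].append((int(m[1]), m[2], m[3], m[4]))
    return acls

def fragment_check(aces) -> tuple[bool, str]:
    """CISC-RT-000140: a 'deny icmp ... fragments' ACE must exist and carry a
    lower sequence number than any ACE able to permit ICMP ('permit icmp' or
    the protocol-agnostic 'permit ipv4')."""
    denies = [s for s, a, p, r in aces
              if a == "deny" and p == "icmp" and "fragments" in r.split()]
    if not denies:
        return False, "no 'deny icmp ... fragments' entry"
    permits = [s for s, a, p, _ in aces if a == "permit" and p in ("icmp", "ipv4")]
    earlier = [s for s in permits if s < min(denies)]
    if earlier:
        return False, f"permit for ICMP at seq {earlier[0]} precedes deny at seq {min(denies)}"
    return True, "compliant"

def audit(config: str) -> dict[str, tuple[bool, str]]:
    """Run the fragment check against every ipv4 ACL found in the config."""
    return {name: fragment_check(aces) for name, aces in parse_acls(config).items()}

if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({why})")
```

In the sample, EXTERNAL_ACL_INBOUND passes and INTERNAL_ACL_INBOUND fails because its "permit icmp" at sequence 5 is evaluated before the fragment deny at sequence 10.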

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7a., CAT|II, CCI|CCI-001097, Rule-ID|SV-216744r531087_rule, STIG-ID|CISC-RT-000140, STIG-Legacy|SV-105833, STIG-Legacy|V-96695, Vuln-ID|V-216744

Plugin: Cisco

Control ID: d3bb0fe5e612b7bd2cb162c89a115a5f7b725ee479dc06df518b85d2871f169c