The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

An XCCDF Rule

Description

<VulnDiscussion>Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256017r882393_rule
Severity: Medium
References: CCI-001097
Updated: 17 days ago

Ensure all Arista routers have their receive path filter configured to drop all fragmented ICMP packets.

Step 1: Configure the ACL to filter the fragmented ICMP packets destined to itself.

LEAF-1A(config)#ip access-list ICMP_FRAGMENTS
LEAF-1A(config-acl-ICMP_FRAGMENTS)# 10 deny ip any any fragmentsLEAF-1A(config-acl-ICMP_FRAGMENTS)# 20 permit ip any any 
LEAF-1A(config-acl-ICMP_FRAGMENTS)# exit 

Step 2: Apply the ACL to the external interfaces.

LEAF-1A(config)#interface ethernet 5
LEAF-1A(config-if-Et5)# ip access-group ICMP_FRAGMENTS in

The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Description

Remediation - Manual Procedure