The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

An XCCDF Rule

Description

Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

ID: SV-256017r882393_rule
Version: ARST-RT-000350
Severity: Medium
References: CCI-001097
Updated: 15 days ago

Remediation Templates

Ensure all Arista routers have their receive path filter configured to drop all fragmented ICMP packets.

Step 1: Configure the ACL to filter the fragmented ICMP packets destined to itself.

LEAF-1A(config)#ip access-list ICMP_FRAGMENTS
LEAF-1A(config-acl-ICMP_FRAGMENTS)# 10 deny ip any any fragmentsLEAF-1A(config-acl-ICMP_FRAGMENTS)# 20 permit ip any any 
LEAF-1A(config-acl-ICMP_FRAGMENTS)# exit 

Step 2: Apply the ACL to the external interfaces.

LEAF-1A(config)#interface ethernet 5
LEAF-1A(config-if-Et5)# ip access-group ICMP_FRAGMENTS in

The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Description

Remediation Templates

A Manual Procedure