The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

An XCCDF Rule

Description

<VulnDiscussion>Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216744r531087_rule
Severity: Medium
References: CCI-001097
Updated: 17 days ago

Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below.

RP/0/0/CPU0:R3(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)#25 deny icmp any host x.11.1.2 fragments log 

RP/0/0/CPU0:R3(config)#ipv4 access-list INTERNAL_ACL_INBOUNDRP/0/0/CPU0:R2(config-ipv4-acl)#5 deny icmp any host 10.1.12.2 fragments log 
Note: Ensure the above statement is before any permit statements for ICMP.

The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Description

Remediation - Manual Procedure