The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
An XCCDF Rule
Description
<VulnDiscussion>Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-221081r999690_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below:
SW1(config)# ip access-list EXTERNAL_ACL
SW1(config-acl)# 35 deny icmp any host x.11.1.2 fragments log
SW1(config-acl)# exit