The router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
An XCCDF Rule
Description
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping of Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
- ID: SV-207134r604135_rule
- Version: SRG-NET-000205-RTR-000002
- Severity: Medium
Remediation Templates
A Manual Procedure
Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.
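
The matching logic such a filter has to apply, as an added Python example that is not part of the rule text or of any vendor's implementation: an IPv4 packet is a fragment when the more-fragments flag is set or the fragment offset is non-zero, and the match has to be on the IP protocol field because non-first fragments carry no ICMP header. The router address, the function names and the sample headers are constructed for illustration.

```python
import struct

IPPROTO_ICMP = 1
MF_FLAG = 0x2000        # "more fragments" bit in the flags/offset word
OFFSET_MASK = 0x1FFF    # 13-bit fragment offset, in 8-byte units


def is_fragmented_icmp(packet: bytes) -> bool:
    """True if an IPv4 packet is ICMP and is any fragment (first, middle or last)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # not a complete IPv4 header
    flags_offset = struct.unpack_from("!H", packet, 6)[0]
    protocol = packet[9]
    fragmented = bool(flags_offset & MF_FLAG) or (flags_offset & OFFSET_MASK) != 0
    return protocol == IPPROTO_ICMP and fragmented


def receive_path_verdict(packet: bytes, router_addrs: set) -> str:
    """Model of the rule: drop fragmented ICMP destined to the router itself."""
    if len(packet) < 20:
        return "drop"                     # truncated header, nothing to trust
    dst = ".".join(str(b) for b in packet[16:20])
    if dst in router_addrs and is_fragmented_icmp(packet):
        return "drop"
    return "permit"                       # other traffic is outside this rule


def build_ipv4(proto, dst, mf=False, offset=0):
    """Constructed sample header (checksum left zero; not needed for matching)."""
    flags_offset = (MF_FLAG if mf else 0) | (offset & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, flags_offset, 64, proto, 0,
                       bytes([198, 51, 100, 7]), bytes(int(o) for o in dst.split(".")))


ROUTER = {"192.0.2.1"}                    # assumed router address (documentation range)
SAMPLES = {                               # constructed test headers
    "whole ICMP to router": build_ipv4(1, "192.0.2.1"),
    "first ICMP fragment": build_ipv4(1, "192.0.2.1", mf=True),
    "last ICMP fragment": build_ipv4(1, "192.0.2.1", offset=185),
    "fragmented UDP to router": build_ipv4(17, "192.0.2.1", mf=True),
    "ICMP fragment in transit": build_ipv4(1, "203.0.113.9", mf=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:26} -> {receive_path_verdict(pkt, ROUTER)}")
```

The last fragment case is the one a filter keyed on ICMP type would miss: its more-fragments flag is clear and only the non-zero offset marks it as a fragment.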