The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

An XCCDF Rule

Details
Profiles

Description

Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

ID: SV-221081r999690_rule
Version: CISC-RT-000140
Severity: Medium
References: CCI-001097
Updated: 6 days ago

Remediation Templates

Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below:

SW1(config)# ip access-list EXTERNAL_ACL
SW1(config-acl)# 35 deny icmp any host x.11.1.2 fragments log
SW1(config-acl)# exit
SW1(config)# ip access-list INTERNAL_ACL
SW1(config-acl)# 25 deny icmp any host 10.1.12.2 fragments log
SW1(config-acl)# end

Note: Ensure the above statement is before any permit statements for ICMP.

The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Description

Remediation Templates

A Manual Procedure