Check: CACI-RT-000019
Cisco ACI Router STIG: CACI-RT-000019 (in version v1 r0.1)
Title
The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. (Cat II impact)
Discussion
Fragmented ICMP packets can be crafted by attackers for denial-of-service (DoS) attacks such as Ping of Death and Teardrop, both of which rely on the target reassembling oversized or overlapping fragments. All fragmented ICMP packets destined to the device itself must therefore be dropped.
Check Content
If this review is for the DODIN Backbone, mark as not applicable.
Review the filters and contracts (the ACI equivalent of external and internal ACLs) to verify that the router is configured to only allow specific management and control plane traffic from specific sources destined to itself, and that fragmented ICMP is denied:
1. Navigate Tenant >> Contract >> Filter.
2. Select the "Drop Fragmented ICMP" filter.
3. Verify that the filter matches ICMP with the fragment option selected and that it is applied with a Deny action.
If all fragmented ICMP packets destined to itself are not dropped, this is a finding.
Fix Text
1. Navigate Tenant >> Contract >> Filter.
2. Create or edit a filter (e.g., "Drop Fragmented ICMP").
3. Set the match criteria to Protocol: ICMP and Fragmentation: "Fragmented" (match only fragments).
4. Apply the filter with Action set to "Deny".
Ensure this deny rule takes precedence over any permit rule for ICMP traffic so that fragmented ICMP packets are dropped first. The filter only takes effect where its contract is applied, so the contract must be attached to the in-band or out-of-band management EPG (or whichever EPG fronts the fabric's own addresses).
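The following Python is an added example, not part of the STIG and not Cisco's code. It builds the APIC REST payloads that implement the fix text (a filter entry that matches only ICMP fragments, applied to a contract subject with a deny action) and evaluates APIC class-query replies the way the check content describes, so the rule can be audited offline. The APIC URL, tenant "prod", filter "Drop_Fragmented_ICMP", contract "mgmt-to-fabric" and subject "icmp" are hypothetical; the sample replies are constructed, not captured from a fabric. The class and attribute names (vzFilter, vzEntry.applyToFrag, vzRsSubjFiltAtt.action/tDn) are taken from the APIC object model.

```python
"""Added example for CACI-RT-000019; not part of the STIG or of Cisco's code.

build_*_payload(): APIC REST objects implementing the Fix Text.
check_caci_rt_000019(): evaluates APIC class-query replies per the Check Content.
All names below (APIC URL, tenant, filter, contract, subject) are assumed.
"""
import json

APIC = "https://apic.example.com"      # assumed
TENANT = "prod"                         # assumed
FILTER_NAME = "Drop_Fragmented_ICMP"    # assumed
CONTRACT = "mgmt-to-fabric"             # assumed
SUBJECT = "icmp"                        # assumed


def build_filter_payload(filter_name=FILTER_NAME):
    """vzFilter with one entry matching only IP fragments of protocol ICMP."""
    return {"vzFilter": {
        "attributes": {"name": filter_name},
        "children": [{"vzEntry": {"attributes": {
            "name": "icmp-frag",
            "etherT": "ip",
            "prot": "icmp",
            "applyToFrag": "yes",   # GUI: "Match Only Fragments"
        }}}],
    }}


def build_subject_payload(subject=SUBJECT, filter_name=FILTER_NAME):
    """Contract subject applying the filter with a deny action. The action is
    an attribute of the subject-to-filter relation, not of the filter itself."""
    return {"vzSubj": {
        "attributes": {"name": subject},
        "children": [{"vzRsSubjFiltAtt": {"attributes": {
            "tnVzFilterName": filter_name,
            "action": "deny",
            "directives": "log",    # log matches for the audit trail
        }}}],
    }}


def rest_urls(tenant=TENANT, contract=CONTRACT):
    """POST targets (under the parent DN) and the class queries used by the check."""
    return {
        "filter": f"{APIC}/api/mo/uni/tn-{tenant}.json",
        "subject": f"{APIC}/api/mo/uni/tn-{tenant}/brc-{contract}.json",
        "entries": f'{APIC}/api/class/vzEntry.json'
                   '?query-target-filter=eq(vzEntry.applyToFrag,"yes")',
        "attachments": f'{APIC}/api/class/vzRsSubjFiltAtt.json'
                       '?query-target-filter=eq(vzRsSubjFiltAtt.action,"deny")',
    }


def fragmented_icmp_filters(entries_reply):
    """DNs of filters owning an entry that matches only ICMP fragments."""
    found = set()
    for obj in entries_reply.get("imdata", []):
        a = obj.get("vzEntry", {}).get("attributes", {})
        if (a.get("etherT") == "ip" and a.get("prot") == "icmp"
                and a.get("applyToFrag") == "yes"):
            found.add(a["dn"].rsplit("/e-", 1)[0])   # strip the entry RN
    return found


def denied_filters(attachments_reply):
    """DNs of filters attached to some contract subject with action=deny."""
    return {o["vzRsSubjFiltAtt"]["attributes"]["tDn"]
            for o in attachments_reply.get("imdata", [])
            if o.get("vzRsSubjFiltAtt", {}).get("attributes", {}).get("action") == "deny"}


def check_caci_rt_000019(entries_reply, attachments_reply):
    """Compliant when at least one fragmented-ICMP filter is applied with deny.
    Returns (compliant, sorted DNs of the filters that satisfy the rule)."""
    ok = fragmented_icmp_filters(entries_reply) & denied_filters(attachments_reply)
    return bool(ok), sorted(ok)


# Constructed sample replies in APIC class-query shape (not captured from a fabric).
SAMPLE_ENTRIES = {"totalCount": "2", "imdata": [
    {"vzEntry": {"attributes": {
        "dn": "uni/tn-prod/flt-Drop_Fragmented_ICMP/e-icmp-frag",
        "etherT": "ip", "prot": "icmp", "applyToFrag": "yes"}}},
    {"vzEntry": {"attributes": {   # ordinary echo filter: not fragment-only
        "dn": "uni/tn-prod/flt-icmp/e-echo",
        "etherT": "ip", "prot": "icmp", "applyToFrag": "no"}}},
]}
SAMPLE_ATTACHMENTS = {"totalCount": "2", "imdata": [
    {"vzRsSubjFiltAtt": {"attributes": {
        "tDn": "uni/tn-prod/flt-Drop_Fragmented_ICMP", "action": "deny"}}},
    {"vzRsSubjFiltAtt": {"attributes": {
        "tDn": "uni/tn-prod/flt-icmp", "action": "permit"}}},
]}

if __name__ == "__main__":
    print(json.dumps(build_filter_payload(), indent=2))
    print(json.dumps(build_subject_payload(), indent=2))
    print("compliant:", check_caci_rt_000019(SAMPLE_ENTRIES, SAMPLE_ATTACHMENTS))
```

To push the payloads, authenticate against the APIC (POST /api/aaaLogin.json) and POST each object to the URL returned by rest_urls(); to audit, run the two class queries and feed the replies to check_caci_rt_000019(). The check confirms the object model, not enforcement order: confirm on a leaf that the deny entry outranks the ICMP permit (the leaf's zoning-rule table shows the programmed priorities), and remember that the contract only applies to the EPGs it is attached to.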
Additional Identifiers
Rule ID: SV-272079r1064587_rule
Vulnerability ID: V-272079
Group Title: SRG-NET-000205-RTR-000002
CCIs
Number | Definition
---|---
CCI-001097 | Monitor and control communications at the external managed interfaces to the system and at key managed interfaces within the system.
Controls
Number | Title
---|---
SC-7 | Boundary Protection