Check: CACI-RT-000019
Cisco ACI Router STIG, version v1 r2
Title
The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. (Cat II impact)
Discussion
Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
Check Content
If this review is for the DODIN Backbone, mark as Not Applicable.

When creating a contract, create a Deny statement that matches on the fragment bits and denies only those packets. Review the following two locations:

Option 1: Review any standard contract (whitelist) with an explicit deny for the fragment bit to counteract any allows.
Tenant >> Contracts >> Standard >> {{your_Contract}} >> {{your_contract_Subject}} >> Policy >> General >> Filters >> create/add a deny for ICMP traffic.
The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.

Option 2: Review any taboo contract (blacklist) for the fragment bits.
Tenant >> Contracts >> Taboo >> {{your_Contract}} >> Policy >> General >> {{your_contract_Subject}} >> Filters >> create/add a deny for ICMP traffic.
The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.

Verify ICMP and Fragmented are selected to be denied.

If all fragmented ICMP packets destined to Cisco ACI IP addresses are not dropped, this is a finding.
Fix Text
Place the deny rule before any permit rules for ICMP traffic to ensure fragmented ICMP packets are dropped first. When creating a contract, create a Deny statement that matches on the fragment bits and denies only those packets. There are two ways to do this.

Option 1: Create a standard contract (whitelist) with an explicit deny for the fragment bit to counteract any allows. Navigate to the following location and configure the settings:
Tenant >> Contracts >> Standard >> {{your_Contract}} >> {{your_contract_Subject}} >> Policy >> General >> Filters >> create/add a deny for ICMP traffic.
The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.

Option 2: Create a taboo contract (blacklist) for the fragment bits by navigating to the following location:
Tenant >> Contracts >> Taboo >> {{your_Contract}} >> Policy >> General >> {{your_contract_Subject}} >> Filters >> create/add a deny for ICMP traffic.
The filter entries should include the following: Ethertype set to IP/ipv6, IP Protocol set to ICMP/ICMPv6, and the Match Only Fragments box checked.
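The same fragment-only ICMP deny expressed as APIC object-model JSON (Option 2, the taboo contract), together with an audit routine that applies the check above to a tenant subtree. This is an added example, not text from the STIG or Cisco's own tooling; it assumes the vzFilter/vzEntry (with applyToFrag as the "Match Only Fragments" box), vzTaboo/vzTSubj/vzRsDenyRule and vzRsSubjFiltAtt (action=deny) classes as named here, and the tenant, filter and contract names are constructed placeholders.

```python
TENANT = "demo_tenant"  # constructed placeholder tenant name, not a real tenant

def walk(node):
    """Yield (class, attributes, children) for every object in an APIC JSON tree."""
    for cls, body in node.items():
        attrs, kids = body.get("attributes", {}), body.get("children", [])
        yield cls, attrs, kids
        for kid in kids:
            yield from walk(kid)

def fragment_deny_filter(name="deny-icmp-frag", frag_only=True):
    """vzFilter with an ICMP and an ICMPv6 entry; applyToFrag is 'Match Only Fragments'."""
    frag = "yes" if frag_only else "no"
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        {"vzEntry": {"attributes": {"name": n, "etherT": e, "prot": p, "applyToFrag": frag}}}
        for n, e, p in (("icmp4-frag", "ip", "icmp"), ("icmp6-frag", "ipv6", "icmpv6"))]}}

def taboo_contract(name, filter_name):
    """Option 2: taboo contract whose subject attaches the filter as a deny rule."""
    return {"vzTaboo": {"attributes": {"name": name}, "children": [
        {"vzTSubj": {"attributes": {"name": "frag-subj"}, "children": [
            {"vzRsDenyRule": {"attributes": {"tnVzFilterName": filter_name}}}]}}]}}

def tenant_payload(frag_only=True):
    """Tenant subtree carrying both the filter and the taboo contract that uses it."""
    return {"fvTenant": {"attributes": {"name": TENANT}, "children": [
        fragment_deny_filter(frag_only=frag_only),
        taboo_contract("taboo-icmp-frag", "deny-icmp-frag")]}}

REQUIRED = {("ip", "icmp"), ("ipv6", "icmpv6")}  # both families the check names

def denied_fragment_families(tenant):
    """(etherT, prot) pairs covered by a fragment-only entry in a filter that is attached
    as a deny: a taboo vzRsDenyRule or a standard vzRsSubjFiltAtt with action=deny."""
    deny_filters = {a.get("tnVzFilterName") for cls, a, _ in walk(tenant)
                    if cls == "vzRsDenyRule"
                    or (cls == "vzRsSubjFiltAtt" and a.get("action") == "deny")}
    covered = set()
    for cls, a, kids in walk(tenant):
        if cls == "vzFilter" and a.get("name") in deny_filters:
            for kid in kids:
                ea = kid.get("vzEntry", {}).get("attributes", {})
                if ea.get("applyToFrag") == "yes" and ea.get("prot") in ("icmp", "icmpv6"):
                    covered.add((ea.get("etherT"), ea.get("prot")))
    return covered

def is_finding(tenant):
    """True when any required ICMP family lacks a fragment-only deny (the STIG finding)."""
    return not REQUIRED <= denied_fragment_families(tenant)
```

A filter that exists but is not attached through a deny rule, or whose entries do not match only fragments, still reports a finding, which mirrors the "verify ICMP and Fragmented are selected to be denied" step.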
Additional Identifiers
Rule ID: SV-272079r1168423_rule
Vulnerability ID: V-272079
Group Title: SRG-NET-000205-RTR-000002
CCIs
| Number | Definition |
|---|---|
| CCI-001097 | Monitor and control communications at the external managed interfaces to the system and at key managed interfaces within the system. |
Controls
| Number | Title |
|---|---|
| SC-7 | Boundary Protection |