Check: CISC-RT-000140
Cisco IOS XE Router RTR STIG:
CISC-RT-000140
(in versions v2 r8 through v1 r2)
Title
The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. (Cat II impact)
Discussion
Fragmented ICMP packets can be generated by attackers for denial-of-service attacks such as Ping of Death and Teardrop. It is imperative that all fragmented ICMP packets destined to the router itself are dropped.
Check Content
Review the external and internal ACLs to verify that the router is configured to drop all fragmented ICMP packets destined to itself.

    ip access-list extended EXTERNAL_ACL
     permit tcp host x.11.1.1 eq bgp host x.11.1.2
     permit tcp host x.11.1.1 host x.11.1.2 eq bgp
     deny icmp any host x.11.1.2 fragments
     permit icmp host x.11.1.1 host x.11.1.2 echo
     …
     …
     deny ip any any
    !
    ip access-list extended INTERNAL_ACL
     deny icmp any host 10.1.12.2 fragments
     permit icmp any any

Note: Ensure the statement to deny ICMP fragments is before any permit statements for ICMP.

If the router is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.
Fix Text
Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below:

    R1(config)#ip access-list extended EXTERNAL_ACL
    R1(config-ext-nacl)#deny icmp any host x.11.1.2 fragments
    R1(config)#ip access-list extended INTERNAL_ACL
    R1(config-ext-nacl)#deny icmp any host 10.1.12.2 fragments

Note: Ensure the above statement is before any permit statements for ICMP.
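The ordering rule in the Check Content and Fix Text (the `deny icmp ... fragments` entry must come before any `permit icmp` entry, or the permit matches the fragments first) is easy to get wrong when ACLs are edited over time. The following Python script is an added example, not part of the STIG or of any Cisco tooling: it parses named extended ACLs out of a constructed `show running-config` excerpt and classifies each one as compliant, misordered, or missing the deny entry. The ACL names, the 192.0.2.x addresses and the mapping from ACL name to the router-owned address it protects are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample of "show running-config" output. EXTERNAL_ACL and
# INTERNAL_ACL follow the STIG ordering; BAD_ACL places the deny-fragments
# entry after a "permit icmp" entry and must be flagged as misordered.
SAMPLE_CONFIG = """\
ip access-list extended EXTERNAL_ACL
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 deny icmp any host 192.0.2.2 fragments
 permit icmp host 192.0.2.1 host 192.0.2.2 echo
 deny ip any any
!
ip access-list extended INTERNAL_ACL
 deny icmp any host 10.1.12.2 fragments
 permit icmp any any
!
ip access-list extended BAD_ACL
 permit icmp any any
 deny icmp any host 10.1.12.2 fragments
!
"""

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
# IOS may show a sequence number in front of each entry ("10 permit ..."); drop it.
ACE_LINE = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")


def parse_extended_acls(config: str) -> Dict[str, List[str]]:
    """Return {acl_name: [access-control entries in configured order]}."""
    acls: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
        elif line == "!" or not line:
            current = None          # "!" ends the ACL sub-mode in the running-config
        elif current is not None and ACE_LINE.match(line):
            acls[current].append(line)
    return acls


def is_icmp_fragment_deny(ace: str, router_addr: str) -> bool:
    """True for an entry of the form 'deny icmp any host <router_addr> fragments'."""
    m = ACE_LINE.match(ace)
    if not m:
        return False
    action, proto, rest = m.groups()
    return (action == "deny" and proto == "icmp"
            and rest.split() == ["any", "host", router_addr, "fragments"])


def check_acl(entries: List[str], router_addr: str) -> str:
    """Classify one ACL against the STIG rule.

    'compliant'  : the deny-ICMP-fragments entry exists and no permit icmp precedes it
    'misordered' : the deny entry exists, but a permit icmp entry comes first, so
                   fragments destined to the router would be matched by the permit
    'missing'    : no deny-ICMP-fragments entry for router_addr at all
    """
    saw_permit_icmp = False
    for ace in entries:
        action, proto, _ = ACE_LINE.match(ace).groups()
        if is_icmp_fragment_deny(ace, router_addr):
            return "misordered" if saw_permit_icmp else "compliant"
        if action == "permit" and proto == "icmp":
            saw_permit_icmp = True
    return "missing"


def audit(config: str, protected: Dict[str, str]) -> Dict[str, str]:
    """Map each ACL named in `protected` (ACL name -> router-owned address) to its status."""
    acls = parse_extended_acls(config)
    return {name: check_acl(entries, protected[name])
            for name, entries in acls.items() if name in protected}


if __name__ == "__main__":
    # Assumed mapping of ACL to the router interface address it protects.
    for acl, status in audit(SAMPLE_CONFIG, {"EXTERNAL_ACL": "192.0.2.2",
                                            "INTERNAL_ACL": "10.1.12.2",
                                            "BAD_ACL": "10.1.12.2"}).items():
        print(f"{acl}: {status}")
```

Feed the script the text of `show running-config | section ip access-list extended` and a mapping of each ACL to the router address it protects; any result other than `compliant` corresponds to the finding described in the Check Content. The check looks only for `permit icmp` entries ahead of the deny, which is exactly the ordering condition the STIG note states.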
Additional Identifiers
Rule ID: SV-216652r531086_rule
Vulnerability ID: V-216652
Group Title: SRG-NET-000205-RTR-000002
CCIs
Number | Definition
---|---
CCI-001097 | The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Controls
Number | Title
---|---
SC-7 | Boundary Protection