Check: CISC-RT-000140
Cisco IOS XR Router RTR STIG:
CISC-RT-000140
(in versions v2 r4 through v1 r2)
Title
The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself. (Cat II impact)
Discussion
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
Check Content
Review the external and internal ACLs to verify that the router is configured to drop all fragmented ICMP packets destined to itself.

```
ipv4 access-list EXTERNAL_ACL_INBOUND
 10 permit tcp host x.11.1.1 eq bgp host x.11.1.2
 20 permit tcp host x.11.1.1 host x.11.1.2 eq bgp
 25 deny icmp any host x.11.1.2 fragments log
 30 permit icmp host x.11.1.1 host x.11.1.2 echo
 40 permit icmp host x.11.1.1 host x.11.1.2 echo-reply
 50 deny ipv4 any host x.11.1.1 log
 60 permit tcp any any established
 …
 …
 …
 140 deny ipv4 any any log
!
ipv4 access-list INTERNAL_ACL_INBOUND
 5 deny icmp any any fragments
 10 permit icmp any host 10.1.12.2 fragments
 20 permit ospf host 10.1.12.1 host 10.1.12.2
 30 permit tcp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq ssh
 40 permit tcp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq tacacs
 50 permit udp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq snmp
 60 permit udp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq ntp
 70 deny ipv4 any host 10.1.12.2 log
 …
 …
 …
 110 permit ip any any
```

Note: Ensure the statement to deny ICMP fragments is before any permit statements for ICMP.

If the router is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.
Fix Text
Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below.

```
RP/0/0/CPU0:R3(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)#25 deny icmp any host x.11.1.2 fragments log
RP/0/0/CPU0:R3(config)#ipv4 access-list INTERNAL_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)#5 deny icmp any host 10.1.12.2 fragments log
```

Note: Ensure the above statement is before any permit statements for ICMP.
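The ordering requirement in the Check Content and Fix Text above (the `deny icmp ... fragments` entry must precede any ICMP permit) can be audited offline from saved running-config output. The following is an added example written for this page, not STIG or Cisco tooling; it assumes the `ipv4 access-list` block layout shown above and uses a constructed sample config with documentation addresses in place of the `x.11.1.x` hosts.

```python
"""Audit IOS XR IPv4 ACLs for CISC-RT-000140: deny ICMP fragments before any ICMP permit."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `show running-config ipv4 access-list` output (assumed layout).
# EXTERNAL_ACL_INBOUND is compliant; INTERNAL_ACL_INBOUND permits ICMP before the deny.
SAMPLE_CONFIG = """\
ipv4 access-list EXTERNAL_ACL_INBOUND
 10 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 25 deny icmp any host 192.0.2.2 fragments log
 30 permit icmp host 192.0.2.1 host 192.0.2.2 echo
 140 deny ipv4 any any log
!
ipv4 access-list INTERNAL_ACL_INBOUND
 10 permit icmp any host 10.1.12.2 echo
 20 deny icmp any host 10.1.12.2 fragments log
 110 permit ipv4 any any
!
"""

def parse_acls(config: str) -> Dict[str, List[Tuple[int, str]]]:
    """Return {acl_name: [(sequence, 'permit|deny <rest>'), ...]} in configured order."""
    acls: Dict[str, List[Tuple[int, str]]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        header = re.match(r"^ipv4 access-list (\S+)", line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        ace = re.match(r"^\s*(\d+)\s+(permit|deny)\s+(.*)$", line)
        if ace and current is not None:
            acls[current].append((int(ace.group(1)), f"{ace.group(2)} {ace.group(3)}"))
    return acls

def icmp_fragment_finding(entries: List[Tuple[int, str]]) -> Optional[str]:
    """Return None when compliant, otherwise the reason this ACL is a finding."""
    for seq, entry in sorted(entries):
        tokens = entry.split()
        action, proto = tokens[0], tokens[1]
        if action == "deny" and proto == "icmp" and "fragments" in tokens:
            return None  # the deny-fragments ACE is reached before any ICMP permit
        # A permit for icmp, or for all IPv4, earlier in the list would pass fragments.
        if action == "permit" and proto in ("icmp", "ipv4", "ip"):
            return f"seq {seq} permits ICMP before any 'deny icmp ... fragments' entry"
    return "no 'deny icmp ... fragments' entry present"

def audit(config: str) -> Dict[str, Optional[str]]:
    """Map each ACL name to None (compliant) or its finding text."""
    return {name: icmp_fragment_finding(aces) for name, aces in parse_acls(config).items()}
```

Run `audit(SAMPLE_CONFIG)` to see one compliant ACL and one finding; feed it real `show running-config ipv4 access-list` output to audit a device.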
Additional Identifiers
Rule ID: SV-216744r531087_rule
Vulnerability ID: V-216744
Group Title: SRG-NET-000205-RTR-000002
Expert Comments
CCIs
Number | Definition
---|---
CCI-001097 | The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Controls
Number | Title
---|---
SC-7 | Boundary Protection