Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-256017 | ARST-RT-000350 | SV-256017r882393_rule | | Medium |
Description |
---|
Fragmented ICMP packets can be generated by attackers for DoS attacks such as Ping of Death and Teardrop. It is imperative that all fragmented ICMP packets destined to the router are dropped. |
STIG | Date |
---|---|
Arista MLS EOS 4.2x Router Security Technical Implementation Guide | 2023-01-17 |
Check Text ( C-59693r882391_chk ) |
---|
Review the access control list (ACL) or filter for the Arista router receive path and verify that it drops all fragmented ICMP packets destined to the router itself.

Step 1: Verify the ACL is configured to filter fragmented ICMP packets destined to the router by executing the command "sh ip access-list".

```
ip access-list ICMP_FRAGMENTS
   10 deny ip any any fragments
   20 permit ip any any
```

Step 2: Verify the ACL is applied inbound on the external interfaces by executing the command "sh run int Eth YY".

```
interface Ethernet5
   ip access-group ICMP_FRAGMENTS in
```

If the Arista router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.

Note: If the platform does not support the receive-path filter, verify that all layer 3 interfaces have an ingress ACL to control which packets are allowed to be destined to the router for processing.

Note: The "fragments" keyword matches non-initial fragments (fragment offset greater than zero) of any IP protocol, not only ICMP. The deny entry must precede any permit entry: a non-initial fragment carries no layer 4 header, so it can match an earlier permit on its layer 3 fields alone. When applied as an interface ingress ACL rather than a receive-path filter, the entry also drops transit non-initial fragments, not only those addressed to the router. |
Fix Text (F-59636r882392_fix) |
---|
Ensure all Arista routers have their receive-path filter configured to drop all fragmented ICMP packets.

Step 1: Configure the ACL to filter fragmented ICMP packets destined to the router.

```
LEAF-1A(config)#ip access-list ICMP_FRAGMENTS
LEAF-1A(config-acl-ICMP_FRAGMENTS)# 10 deny ip any any fragments
LEAF-1A(config-acl-ICMP_FRAGMENTS)# 20 permit ip any any
LEAF-1A(config-acl-ICMP_FRAGMENTS)# exit
```

Step 2: Apply the ACL inbound on the external interfaces.

```
LEAF-1A(config)#interface ethernet 5
LEAF-1A(config-if-Et5)# ip access-group ICMP_FRAGMENTS in
``` |
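The check above is manual. The following is an added example, not part of the STIG or of Arista's tooling, that automates it against saved running-config text: it parses the ACL stanzas and the per-interface "ip access-group" lines, confirms that the inbound ACL on each external interface has a "deny ... fragments" entry before any permit, and reports anything else as a finding. The SAMPLE_CONFIG text is constructed for the example and uses the normalized interface names ("interface Ethernet5") that EOS writes into the running configuration; the list of external interfaces is an assumption the operator supplies.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Arista EOS running-config text (not captured from a real device).
# Ethernet5 is compliant; Ethernet6 permits before it denies; Ethernet7 applies the
# ACL outbound only; Ethernet8 has no ACL at all.
SAMPLE_CONFIG = """\
ip access-list ICMP_FRAGMENTS
   10 deny ip any any fragments
   20 permit ip any any
!
ip access-list PERMIT_FIRST
   10 permit ip any any
   20 deny ip any any fragments
!
interface Ethernet5
   no switchport
   ip access-group ICMP_FRAGMENTS in
!
interface Ethernet6
   no switchport
   ip access-group PERMIT_FIRST in
!
interface Ethernet7
   no switchport
   ip access-group ICMP_FRAGMENTS out
!
interface Ethernet8
   no switchport
!
"""

AclEntry = Tuple[int, str, List[str]]  # (sequence number, action, remaining tokens)


def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Return {acl_name: [entries sorted by sequence number]} from running-config text."""
    acls: Dict[str, List[AclEntry]] = {}
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        header = re.match(r"ip access-list (\S+)$", stripped)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if not line.startswith(" "):
            current = None  # "!" or another top-level command ends the stanza
            continue
        if current is not None:
            entry = re.match(r"(\d+) (permit|deny|remark) (.*)$", stripped)
            if entry and entry.group(2) != "remark":
                acls[current].append((int(entry.group(1)), entry.group(2), entry.group(3).split()))
    for name in acls:
        acls[name].sort(key=lambda e: e[0])
    return acls


def parse_interface_acls(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {interface: [(acl_name, direction), ...]} from running-config text."""
    applied: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        header = re.match(r"interface (\S+)$", stripped)
        if header:
            current = header.group(1)
            applied[current] = []
            continue
        if not line.startswith(" "):
            current = None
            continue
        if current is not None:
            group = re.match(r"ip access-group (\S+) (in|out)$", stripped)
            if group:
                applied[current].append((group.group(1), group.group(2)))
    return applied


def acl_drops_fragments(entries: List[AclEntry]) -> bool:
    """True if a 'deny ... fragments' entry is reached before any permit entry.

    Conservative on purpose: a non-initial fragment has no layer 4 header, so any
    permit that precedes the deny could match it on layer 3 fields alone.
    """
    for _seq, action, tokens in entries:
        if action == "deny" and "fragments" in tokens:
            return True
        if action == "permit":
            return False
    return False


def check_interfaces(config: str, external_interfaces: List[str]) -> List[str]:
    """Return one finding string per external interface that fails the check."""
    acls = parse_acls(config)
    applied = parse_interface_acls(config)
    findings: List[str] = []
    for intf in external_interfaces:
        inbound = [name for name, direction in applied.get(intf, []) if direction == "in"]
        if not inbound:
            findings.append(f"{intf}: no inbound IP ACL applied")
            continue
        for name in inbound:
            if name not in acls:
                findings.append(f"{intf}: inbound ACL {name} is applied but not defined")
            elif not acl_drops_fragments(acls[name]):
                findings.append(f"{intf}: inbound ACL {name} does not deny fragments before a permit")
    return findings


if __name__ == "__main__":
    # The external interface list is an assumption supplied by the operator.
    for finding in check_interfaces(SAMPLE_CONFIG, ["Ethernet5", "Ethernet6", "Ethernet7", "Ethernet8"]):
        print(finding)
```

Feed the function the text of "show running-config" from each router and the list of interfaces the site treats as external; an empty result for every device means no finding. An ACL applied outbound, or one whose first matching entry is a permit, is reported so the reviewer does not accept it by mistake.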