UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.


Overview

Finding ID Version Rule ID IA Controls Severity
V-101711 CISC-RT-000140 SV-110815r1_rule Medium
Description
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
STIG Date
Cisco IOS-XE Switch RTR Security Technical Implementation Guide 2020-05-20

Details

Check Text ( C-100599r1_chk )
Review the external and internal ACLs to verify that the switch is configured drop all fragmented ICMP packets destined to itself.

ip access-list extended EXTERNAL_ACL
permit tcp host x.11.1.1 eq bgp host x.11.1.2
permit tcp host x.11.1.1 host x.11.1.2 eq bgp
deny icmp any host x.11.1.2 fragments
permit icmp host x.11.1.1 host x.11.1.2 echo


deny ip any any
!
ip access-list extended INTERNAL_ACL
deny icmp any host 10.1.12.2 fragments
permit icmp any any

Note: Ensure the statement to deny ICMP fragments is before any permit statements for ICMP.

If the switch is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.
Fix Text (F-107395r1_fix)
Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below:

SW1(config)#ip access-list extended EXTERNAL_ACL
SW1(config-ext-nacl)#deny icmp any host x.11.1.2 fragments

SW1(config)#ip access-list extended INTERNAL_ACL
SW1(config-ext-nacl)#deny icmp any host 10.1.12.2 fragments

Note: Ensure the above statement is before any permit statements for ICMP.