UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.


Overview

Finding ID Version Rule ID IA Controls Severity
V-96525 CISC-RT-000140 SV-105663r1_rule Medium
Description
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
STIG Date
Cisco IOS Router RTR Security Technical Implementation Guide 2019-07-25

Details

Check Text ( C-95361r1_chk )
Review the external and internal ACLs to verify that the router is configured drop all fragmented destined to itself.

ip access-list extended EXTERNAL_ACL
permit tcp host x.11.1.1 eq bgp host x.11.1.2
permit tcp host x.11.1.1 host x.11.1.2 eq bgp
deny icmp any host x.11.1.2 fragments
permit icmp host x.11.1.1 host x.11.1.2 echo


deny ip any any
!
ip access-list extended INTERNAL_ACL
deny icmp any host 10.1.12.2 fragments
permit icmp any any

Note: Ensure the statement to deny ICMP fragments is before any permit statements for ICMP.

If the router is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.
Fix Text (F-102201r1_fix)
Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below.

R1(config)#ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)#deny icmp any host x.11.1.2 fragments

R1(config)#ip access-list extended INTERNAL_ACL
R1(config-ext-nacl)#deny icmp any host 10.1.12.2 fragments

Note: Ensure the above statement is before any permit statements for ICMP.