
The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.


Overview

Finding ID: V-220430
Version: CISC-RT-000140
Rule ID: SV-220430r622190_rule
IA Controls: none listed
Severity: Medium
Description
Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
STIG: Cisco IOS Switch RTR Security Technical Implementation Guide
Date: 2022-09-14

Details

Check Text ( C-22145r508375_chk )
Review the external and internal access control lists (ACLs) to verify that the switch is configured to drop all fragmented ICMP packets destined to itself.

ip access-list extended EXTERNAL_ACL
deny icmp any host x.11.1.2 fragments
permit icmp host x.11.1.1 host x.11.1.2 echo


deny ip any any
!
ip access-list extended INTERNAL_ACL
deny icmp any host 10.1.12.2 fragments
permit icmp any any

Note: Ensure the statement to deny ICMP fragments is before any permit statements for ICMP.

If the switch is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.
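The check above can be automated over a saved running-config. The following Python script is an added example, not part of the STIG text and not a DISA or Cisco tool: it parses each "ip access-list extended" block, looks for the "deny icmp any host <address> fragments" entry for the switch address that ACL protects, and reports a finding when that entry is missing or when a permit that could match ICMP precedes it. It goes slightly beyond the note in the check text by also treating a "permit ip" entry placed before the deny as a finding, since a "permit ip" line matches ICMP as well. The sample configuration, the ACL names and the switch addresses are constructed for illustration (the x.11.1.2 and 10.1.12.2 addresses mirror the placeholders used in the check text).

```python
"""Audit Cisco IOS extended ACLs for the CISC-RT-000140 requirement:
fragmented ICMP destined to the switch must be denied, and that deny
must appear before any entry that would permit ICMP.

Added example for this STIG page; not an official DISA or Cisco tool.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample 'show running-config' excerpt (not from a real device).
# EXTERNAL_ACL is compliant; INTERNAL_ACL has the deny in the wrong place;
# MGMT_ACL has no fragment deny at all.
SAMPLE_CONFIG = """\
!
ip access-list extended EXTERNAL_ACL
 deny icmp any host x.11.1.2 fragments
 permit icmp host x.11.1.1 host x.11.1.2 echo
 deny ip any any
!
ip access-list extended INTERNAL_ACL
 permit icmp any any
 deny icmp any host 10.1.12.2 fragments
!
ip access-list extended MGMT_ACL
 permit tcp any host 10.1.12.2 eq 22
 deny ip any any
!
"""


@dataclass
class Acl:
    name: str
    entries: list[str] = field(default_factory=list)  # in configured order


def parse_extended_acls(config: str) -> dict[str, Acl]:
    """Collect the entries of every 'ip access-list extended' block, in order."""
    acls: dict[str, Acl] = {}
    current: Acl | None = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            current = Acl(header.group(1))
            acls[current.name] = current
            continue
        if not line or line.startswith("!"):
            current = None  # '!' or a blank line ends the ACL block
            continue
        if current is not None:
            # 'show ip access-lists' prefixes entries with sequence numbers;
            # strip them so both output formats parse the same way.
            current.entries.append(re.sub(r"^\d+\s+", "", line))
    return acls


def check_icmp_fragments(acl: Acl, switch_ip: str) -> tuple[bool, str]:
    """Return (compliant, reason).

    Compliant means 'deny icmp any host <switch_ip> fragments' is present and
    no 'permit icmp' or 'permit ip' entry comes before it in the ACL.
    """
    deny_re = re.compile(rf"^deny icmp any host {re.escape(switch_ip)} fragments$")
    permit_re = re.compile(r"^permit (icmp|ip)\b")
    deny_idx = next((i for i, e in enumerate(acl.entries) if deny_re.match(e)), None)
    permit_idx = next((i for i, e in enumerate(acl.entries) if permit_re.match(e)), None)
    if deny_idx is None:
        return False, f"{acl.name}: no 'deny icmp any host {switch_ip} fragments' entry"
    if permit_idx is not None and permit_idx < deny_idx:
        return False, (f"{acl.name}: permit at position {permit_idx + 1} precedes "
                       f"the fragment deny at position {deny_idx + 1}")
    return True, f"{acl.name}: fragment deny at position {deny_idx + 1} precedes all permits"


def audit(config: str, expected: dict[str, str]) -> dict[str, tuple[bool, str]]:
    """Run the check for each ACL name -> protected switch address mapping."""
    acls = parse_extended_acls(config)
    results: dict[str, tuple[bool, str]] = {}
    for name, ip in expected.items():
        acl = acls.get(name)
        if acl is None:
            results[name] = (False, f"{name}: ACL not present in configuration")
        else:
            results[name] = check_icmp_fragments(acl, ip)
    return results


if __name__ == "__main__":
    # ACL name -> address of the switch interface it protects (constructed values)
    targets = {"EXTERNAL_ACL": "x.11.1.2", "INTERNAL_ACL": "10.1.12.2", "MGMT_ACL": "10.1.12.2"}
    for ok, reason in audit(SAMPLE_CONFIG, targets).values():
        print("PASS   " if ok else "FINDING", reason)
```

Feed the script the text of "show running-config" (or "show ip access-lists") and the mapping of each ACL to the switch address it protects; every entry reported as FINDING corresponds to the finding condition in the check text.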
Fix Text (F-22134r508376_fix)
Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below:

SW1(config)#ip access-list extended EXTERNAL_ACL
SW1(config-ext-nacl)#deny icmp any host x.11.1.2 fragments

SW1(config)#ip access-list extended INTERNAL_ACL
SW1(config-ext-nacl)#deny icmp any host 10.1.12.2 fragments

Note: Ensure the above statement is before any permit statements for ICMP.