
The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.


Overview

Finding ID: V-216744
Version: CISC-RT-000140
Rule ID: SV-216744r531087_rule
IA Controls: (none listed)
Severity: Medium
Description
Fragmented ICMP packets can be crafted by attackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
STIG: Cisco IOS XR Router RTR Security Technical Implementation Guide
Date: 2020-09-23

Details

Check Text (C-17976r288621_chk)
Review the external and internal ACLs to verify that the router is configured to drop all fragmented ICMP packets destined to itself.

ipv4 access-list EXTERNAL_ACL_INBOUND
10 permit tcp host x.11.1.1 eq bgp host x.11.1.2
20 permit tcp host x.11.1.1 host x.11.1.2 eq bgp
25 deny icmp any host x.11.1.2 fragments log
30 permit icmp host x.11.1.1 host x.11.1.2 echo
40 permit icmp host x.11.1.1 host x.11.1.2 echo-reply
50 deny ipv4 any host x.11.1.1 log
60 permit tcp any any established



140 deny ipv4 any any log
!
ipv4 access-list INTERNAL_ACL_INBOUND
5 deny icmp any any fragments
10 permit icmp any host 10.1.12.2 fragments
20 permit ospf host 10.1.12.1 host 10.1.12.2
30 permit tcp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq ssh
40 permit tcp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq tacacs
50 permit udp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq snmp
60 permit udp 10.2.1.0 0.0.0.255 host 10.1.12.2 eq ntp
70 deny ipv4 any host 10.1.12.2 log



110 permit ip any any

Note: Ensure the statement denying ICMP fragments precedes any permit statements for ICMP.

If the router is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.
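The ordering rule in the check text (the fragment deny must precede any permit for ICMP, and must cover the router's own address) can be verified mechanically against a running-config listing. The following Python script is an added example, not part of the STIG or of Cisco's tooling; the two ACL listings and the 192.0.2.x addresses are constructed, and `check_icmp_fragments` is a hypothetical helper name. It also handles wildcard-mask destinations, which the check's examples do not use.

```python
import ipaddress, re

# Constructed listings (not from the STIG): one that satisfies the check, and one
# where a permit for ICMP precedes the fragment deny, which the check note forbids.
COMPLIANT_ACL = """ipv4 access-list INTERNAL_ACL_INBOUND
 5 deny icmp any host 10.1.12.2 fragments log
 20 permit ospf host 10.1.12.1 host 10.1.12.2
 30 permit icmp any host 10.1.12.2 echo
 70 deny ipv4 any host 10.1.12.2 log"""
NONCOMPLIANT_ACL = """ipv4 access-list EXTERNAL_ACL_INBOUND
 30 permit icmp host 192.0.2.1 host 192.0.2.2 echo
 40 deny icmp any host 192.0.2.2 fragments log
 140 deny ipv4 any any log"""

ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$", re.M)

def parse_aces(text):
    """Return (acl_name, [(seq, action, proto, rest)]) sorted by sequence number."""
    name = re.search(r"ipv4 access-list (\S+)", text).group(1)
    aces = [(int(s), a, p, r) for s, a, p, r in ACE_RE.findall(text)]
    return name, sorted(aces)

def _take_addr(tokens):
    """Consume one IOS XR address field: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("net", ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)), tokens[2:]

def _dest_covers(rest, router_ip):
    """True if the ACE's destination field matches the router's own address."""
    _, tokens = _take_addr(rest.split())   # skip the source field
    (kind, val), _ = _take_addr(tokens)     # destination field
    if kind == "any":
        return True
    return val == router_ip if kind == "host" else ipaddress.ip_address(router_ip) in val

def check_icmp_fragments(text, router_ip):
    """CISC-RT-000140: a 'deny icmp ... fragments' entry covering router_ip must exist
    and come before every 'permit icmp' entry. Returns (compliant, reason)."""
    name, aces = parse_aces(text)
    for seq, action, proto, rest in aces:
        if proto != "icmp":
            continue
        if action == "deny" and "fragments" in rest.split() and _dest_covers(rest, router_ip):
            return True, f"{name}: seq {seq} denies ICMP fragments to {router_ip}"
        if action == "permit":
            return False, f"{name}: seq {seq} permits ICMP before the fragment deny"
    return False, f"{name}: no deny for ICMP fragments destined to {router_ip}"
```

Run it over the output of `show running-config ipv4 access-list` for each ACL applied inbound on the router, passing the address of the interface the ACL protects.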
Fix Text (F-17974r288622_fix)
Configure the external and internal ACLs to drop all fragmented ICMP packets destined to the router itself, as shown in the example below.

RP/0/0/CPU0:R3(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)#25 deny icmp any host x.11.1.2 fragments log

RP/0/0/CPU0:R3(config)#ipv4 access-list INTERNAL_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)#5 deny icmp any host 10.1.12.2 fragments log
Note: Ensure the above statements precede any permit statements for ICMP.