The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-256017 | ARST-RT-000350 | SV-256017r882393_rule | CCI-001097 | medium |

Description: Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

| STIG | Date |
|---|---|
| Arista MLS EOS 4.X Router Security Technical Implementation Guide | 2025-02-20 |
Related Frameworks
5 paths across 3 frameworks
NIST 800-53 (1 mapping)
SC-7 (1.00)
- DISA · V2R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (3 mappings)
3.13.1 (1.00)
- DISA · V2R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.13.2 (1.00)
- DISA · V2R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.13.5 (1.00)
- DISA · V2R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-001097 (1.00)
- DISA · V2R2 · disa_xccdf · related
Details
Check Text (C-256017r882393_chk)
Review the access control list (ACL) or filter for the Arista router receive path.
Verify it will drop all fragmented ICMP packets destined to itself.
Step 1: To verify the ACL is configured to filter the fragmented ICMP packets destined to itself, execute the command "sh ip access-list".
ip access-list ICMP_FRAGMENTS
10 deny ip any any fragments
20 permit ip any any
Step 2: To verify the ACL is applied to the external interfaces, execute the command "sh run int Eth YY".
interface ethernet 5
ip access-group ICMP_FRAGMENTS in
If the Arista router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.
Note: If the platform does not support the receive path filter, verify all layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.
Fix Text (F-59636r882392_fix)
Ensure all Arista routers have their receive path filter configured to drop all fragmented ICMP packets.
Step 1: Configure the ACL to filter the fragmented ICMP packets destined to itself.
LEAF-1A(config)#ip access-list ICMP_FRAGMENTS
LEAF-1A(config-acl-ICMP_FRAGMENTS)# 10 deny ip any any fragments
LEAF-1A(config-acl-ICMP_FRAGMENTS)# 20 permit ip any any
LEAF-1A(config-acl-ICMP_FRAGMENTS)# exit
Step 2: Apply the ACL to the external interfaces.
LEAF-1A(config)#interface ethernet 5
LEAF-1A(config-if-Et5)# ip access-group ICMP_FRAGMENTS in
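As an added example, not part of the STIG check or fix text, the following Python script automates the per-interface case from the Note above: it parses a constructed EOS running-config and reports every layer 3 interface that lacks an inbound ACL whose deny-fragments entry precedes any permit entry. The sample config, the interface names and the ACL name PERMIT_FIRST are constructed for the example; only ICMP_FRAGMENTS comes from the page.

```python
import re

# Constructed sample of EOS 'show running-config' text, not captured from a real device.
SAMPLE_CONFIG = """ip access-list ICMP_FRAGMENTS
   10 deny ip any any fragments
   20 permit ip any any
ip access-list PERMIT_FIRST
   10 permit ip any any
   20 deny ip any any fragments
interface Ethernet5
   ip address 192.0.2.1/30
   ip access-group ICMP_FRAGMENTS in
interface Ethernet6
   ip address 198.51.100.1/30
   ip access-group PERMIT_FIRST in
interface Ethernet7
   ip address 203.0.113.1/30
   ip access-group ICMP_FRAGMENTS out
"""

def parse_blocks(config):
    """Split EOS config into (header, [indented child lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and line.strip() != "!":
            blocks.append((line.strip(), []))
    return blocks

def acl_denies_fragments(entries):
    """True only if a 'deny ... fragments' entry precedes every permit entry."""
    parsed = [re.match(r"(\d+)\s+(permit|deny)\s+(.*)", e) for e in entries]
    for m in sorted((m for m in parsed if m), key=lambda m: int(m.group(1))):
        if m.group(2) == "deny" and "fragments" in m.group(3).split():
            return True
        if m.group(2) == "permit":
            return False  # evaluated first: fragments would be permitted
    return False

def unprotected_l3_interfaces(config):
    """Layer 3 interfaces lacking an inbound ACL that drops fragments."""
    blocks = parse_blocks(config)
    acls = {h.split()[2]: c for h, c in blocks if h.startswith("ip access-list ")}
    findings = []
    for header, children in blocks:
        if not header.startswith("interface ") or not any(c.startswith("ip address ") for c in children):
            continue  # switchports and non-interface blocks are out of scope
        applied = [re.match(r"ip access-group (\S+) in$", c) for c in children]
        if not any(m and acl_denies_fragments(acls.get(m.group(1), [])) for m in applied):
            findings.append(header.split()[1])
    return findings
```

Because the STIG entry is `deny ip any any fragments`, it matches fragments of any IP protocol rather than ICMP alone, so the check looks for the `fragments` keyword rather than an ICMP-specific entry. An ACL applied only with `out`, or one that permits before it denies, is reported as a finding.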