The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-256017 | ARST-RT-000350 | SV-256017r882393_rule | CCI-001097 | medium |

Description: Fragmented ICMP packets can be crafted by attackers for denial-of-service (DoS) attacks such as Ping of Death and Teardrop, both of which abuse IP fragment reassembly on the target. It is imperative that all fragmented ICMP packets destined to the router are dropped.

| STIG | Date |
|---|---|
| Arista MLS EOS 4.X Router Security Technical Implementation Guide | 2025-02-20 |
Details
Check Text (C-256017r882393_chk)
Review the access control list (ACL) or filter for the Arista router receive path and verify that it drops all fragmented ICMP packets destined to the router itself.

Step 1: To verify that an ACL is configured to filter fragmented ICMP packets destined to the router, execute "show ip access-lists" and confirm that the entry denying fragments precedes any permit entry that would otherwise match them:

```
ip access-list ICMP_FRAGMENTS
   10 deny ip any any fragments
   20 permit ip any any
```

Step 2: To verify the ACL is applied inbound on the external interfaces, execute "show running-config interfaces Ethernet YY" for each external interface:

```
interface Ethernet5
   ip access-group ICMP_FRAGMENTS in
```

If the Arista router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.

Note: If the platform does not support the receive path filter, verify all layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.

Note: The "fragments" keyword matches non-initial fragments (fragment offset greater than zero); the initial fragment carries the ICMP header and is evaluated like any other packet. The ACL shown above denies non-initial fragments of every IP protocol, not only ICMP, and because an interface ACL is evaluated on all ingress traffic it also drops transit fragments crossing that interface, not just those addressed to the router. Confirm that no legitimate fragmented traffic (for example, large UDP datagrams) must pass through the interface before applying the ACL unchanged.
Fix Text (F-59636r882392_fix)
Ensure all Arista routers have their receive path filter configured to drop all fragmented ICMP packets.

Step 1: Configure the ACL to filter fragmented ICMP packets destined to the router itself. ACL entries are evaluated in sequence order and the first match wins, so the deny entry must carry a lower sequence number than the permit that follows it.

```
LEAF-1A(config)#ip access-list ICMP_FRAGMENTS
LEAF-1A(config-acl-ICMP_FRAGMENTS)# 10 deny ip any any fragments
LEAF-1A(config-acl-ICMP_FRAGMENTS)# 20 permit ip any any
LEAF-1A(config-acl-ICMP_FRAGMENTS)# exit
```

Step 2: Apply the ACL inbound on each external interface.

```
LEAF-1A(config)#interface ethernet 5
LEAF-1A(config-if-Et5)# ip access-group ICMP_FRAGMENTS in
```
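The check and fix above are manual. The following script, an added example that is not part of the STIG or of Arista's own tooling, performs the same audit against the saved text of "show running-config": it parses the ACL and interface blocks, checks that every interface with an IP address carries an inbound ACL, and checks that the ACL's fragment deny is sequenced before any permit that would match fragments. The embedded configuration is constructed for illustration; the interface names, addresses and the BAD_ORDER ACL are hypothetical.

```python
"""Audit saved Arista EOS running-config text for ARST-RT-000350.

Added example, not from the STIG. Reads the output of
`show running-config` from a file or string and reports layer 3
interfaces that lack an inbound ACL denying IP fragments ahead of
any permit entry. The sample below is constructed: Ethernet5 is
compliant, Ethernet6 is layer 3 with no ACL, Ethernet7 uses an ACL
whose permit precedes the fragment deny, Ethernet8 is a switchport.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
!
ip access-list ICMP_FRAGMENTS
   10 deny ip any any fragments
   20 permit ip any any
!
ip access-list BAD_ORDER
   10 permit ip any any
   20 deny ip any any fragments
!
interface Ethernet5
   no switchport
   ip address 192.0.2.1/30
   ip access-group ICMP_FRAGMENTS in
!
interface Ethernet6
   no switchport
   ip address 198.51.100.1/30
!
interface Ethernet7
   no switchport
   ip address 203.0.113.1/30
   ip access-group BAD_ORDER in
!
interface Ethernet8
   switchport access vlan 10
!
"""


@dataclass
class Acl:
    name: str
    entries: list = field(default_factory=list)  # (seq, action, rest)


def parse_config(text):
    """Return (acls, interfaces) parsed from running-config text.

    acls maps ACL name -> Acl; interfaces maps name -> {"l3": bool,
    "acl_in": name or None}. Sections end at the '!' separators EOS
    prints between blocks, so stray lines never leak across blocks.
    """
    acls, intfs = {}, {}
    cur_acl = cur_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!" or not line:
            cur_acl = cur_if = None
            continue
        m = re.match(r"ip access-list (\S+)$", line)
        if m:
            cur_acl = acls.setdefault(m.group(1), Acl(m.group(1)))
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur_if = intfs.setdefault(m.group(1), {"l3": False, "acl_in": None})
            continue
        if cur_acl is not None:
            m = re.match(r"(\d+) (permit|deny) (.*)$", line)
            if m:
                cur_acl.entries.append((int(m.group(1)), m.group(2), m.group(3)))
        elif cur_if is not None:
            if line.startswith("ip address "):
                cur_if["l3"] = True  # an IP address makes the interface layer 3
            m = re.match(r"ip access-group (\S+) in$", line)
            if m:
                cur_if["acl_in"] = m.group(1)
    return acls, intfs


def acl_drops_fragments(acl):
    """True if the first entry able to match a non-initial IP fragment is a deny.

    Entries are evaluated in sequence order, first match wins, so a
    `permit ip any any` sequenced before the deny makes the deny dead.
    """
    for _seq, action, rest in sorted(acl.entries):
        if action == "deny" and rest == "ip any any fragments":
            return True
        if action == "permit" and rest.startswith("ip any any"):
            return False
    return False


def audit(text):
    """Return a list of finding strings; an empty list means compliant."""
    acls, intfs = parse_config(text)
    findings = []
    for name, props in intfs.items():
        if not props["l3"]:
            continue  # layer 2 ports are out of scope for this check
        acl_name = props["acl_in"]
        if acl_name is None:
            findings.append(f"{name}: no inbound ACL on layer 3 interface")
        elif acl_name not in acls:
            findings.append(f"{name}: ACL {acl_name} referenced but not defined")
        elif not acl_drops_fragments(acls[acl_name]):
            findings.append(f"{name}: ACL {acl_name} does not deny fragments before permitting")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["compliant"]:
        print(finding)
```

Run it against a real device by replacing SAMPLE_CONFIG with the captured output of "show running-config". The audit deliberately treats a misordered ACL as a finding, since the STIG check text only shows the correct ordering and a reviewer eyeballing "show ip access-lists" can miss a permit that shadows the deny.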