The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-221081 | CISC-RT-000140 | SV-221081r999690_rule | CCI-001097 | medium |
| Description | ||||
| Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped. | ||||
| STIG | Date | |||
| Cisco NX OS Switch RTR Security Technical Implementation Guide | 2024-12-20 | |||
Details
Check Text (C-221081r999690_chk)
Review the external and internal ACLs to verify that the switch is configured drop all fragmented ICMP packets destined to itself.
ip access-list EXTERNAL_ACL
10 permit tcp x.11.1.1/32 eq bgp x.11.1.2/32
20 permit tcp x.11.1.1/32 x.11.1.2/32 eq bgp
30 deny icmp any x.11.1.2/32 fragments log
40 permit icmp x.11.1.1/32 x.11.1.2/32 echo
…
…
…
90 deny ip any any log
ip access-list INTERNAL_ACL
10 deny icmp any host 10.1.12.2/32 fragments
20 permit icmp any any
Note: Ensure the statement to deny ICMP fragments is before any permit statements for ICMP.
If the switch is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.
Fix Text (F-22785r409733_fix)
Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below:
SW1(config)# ip access-list EXTERNAL_ACL
SW1(config-acl)# 35 deny icmp any host x.11.1.2 fragments log
SW1(config-acl)# exit
SW1(config)# ip access-list INTERNAL_ACL
SW1(config-acl)# 25 deny icmp any host 10.1.12.2 fragments log
SW1(config-acl)# end
Note: Ensure the above statement is before any permit statements for ICMP.