The RUCKUS ICX router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-273606 | RCKS-RTR-000390 | SV-273606r1110918_rule | CCI-001097 | medium |
| Description | ||||
| Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped. | ||||
| STIG | Date | |||
| RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 | |||
Details
Check Text (C-273606r1110918_chk)
Verify router management interfaces are configured to drop fragmented packets.
Interface ethernet 1/1/1
ip access-group EXT_ACL in logging enable
ip access-group frag deny
If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.
Note: If the platform does not support the receive path filter, verify that all layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.
Fix Text (F-77602r1109839_fix)
Configure inbound ACLs to block fragmented packets destined to itself.
ICX(config)#interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)#ip access-group EXT-ACL in logging enable
ICX(config-if-e1000-1/1/1)#ip access-group frag deny