The RUCKUS ICX router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Overview

| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-273606 | RCKS-RTR-000390 | SV-273606r1110918_rule | CCI-001097 | medium |

Description

Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

| STIG | Date |
| --- | --- |
| RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 |
Related Frameworks (5 paths across 3 frameworks)

NIST 800-53 (1 mapping)

- SC-7 · 1.00
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (3 mappings)

- 3.13.1 · 1.00
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
- 3.13.2 · 1.00
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
- 3.13.5 · 1.00
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)

- CCI-001097 · 1.00
  - DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-273606r1110918_chk)

Verify that router management interfaces are configured to drop fragmented packets:

```
interface ethernet 1/1/1
 ip access-group EXT_ACL in logging enable
 ip access-group frag deny
```

If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.

Note: If the platform does not support the receive-path filter, verify that all Layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.
Fix Text (F-77602r1109839_fix)

Configure inbound ACLs on each interface to block fragmented packets destined to the router itself:

```
ICX(config)#interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)#ip access-group EXT-ACL in logging enable
ICX(config-if-e1000-1/1/1)#ip access-group frag deny
```
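The check and fix above are manual, per-interface inspections. As an added example (not part of the STIG and not RUCKUS code), the following Python script parses a saved running-config export and reports, for every interface block, whether the `ip access-group frag deny` statement from the check text is present and whether an ingress ACL is bound at all, which covers the note about platforms without a receive-path filter. The sample configuration embedded in the script is constructed; the interface names, ACL names and address are placeholders, and the script checks only for the presence of the lines, not the contents of the ACLs they reference.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not captured from a real device).
# Only the first interface carries the statement the check text looks for.
SAMPLE_CONFIG = """\
!
interface ethernet 1/1/1
 ip access-group EXT_ACL in logging enable
 ip access-group frag deny
!
interface ethernet 1/1/2
 ip access-group EXT_ACL in
!
interface ethernet 1/1/3
 ip address 10.0.0.1/24
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(.+?)\s*$")
FRAG_DENY_RE = re.compile(r"^ip\s+access-group\s+frag\s+deny$")
INGRESS_ACL_RE = re.compile(r"^ip\s+access-group\s+(\S+)\s+in\b")

FRAG_DENY_ISSUE = "missing 'ip access-group frag deny'"
NO_ACL_ISSUE = "no ingress ACL bound"


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [stripped sub-commands]}.

    A block starts at an 'interface ...' line and ends at the next '!' or
    blank line, which is how the sample export above is delimited.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
            continue
        if current is not None:
            blocks[current].append(line)
    return blocks


def audit_frag_deny(config: str) -> Dict[str, List[str]]:
    """Report issues per interface for RCKS-RTR-000390.

    An interface gets an empty list when 'ip access-group frag deny' is
    present and an ingress ACL is bound.  The ingress-ACL check is reported
    as a separate issue so the note for platforms without a receive-path
    filter is covered as well.
    """
    report: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        issues: List[str] = []
        if not any(FRAG_DENY_RE.match(c) for c in cmds):
            issues.append(FRAG_DENY_ISSUE)
        # The frag-deny form has no 'in' keyword, so it never counts as an ACL.
        acls = [m.group(1) for m in map(INGRESS_ACL_RE.match, cmds) if m]
        if not acls:
            issues.append(NO_ACL_ISSUE)
        report[name] = issues
    return report


def is_compliant(config: str) -> bool:
    """True only when every interface carries the frag deny statement.

    An export with no interface blocks is treated as non-compliant rather
    than passing vacuously.
    """
    report = audit_frag_deny(config)
    return bool(report) and all(FRAG_DENY_ISSUE not in v for v in report.values())


if __name__ == "__main__":
    for iface, issues in audit_frag_deny(SAMPLE_CONFIG).items():
        status = "OK" if not issues else "FINDING: " + "; ".join(issues)
        print(f"{iface:<16} {status}")
    print("compliant:", is_compliant(SAMPLE_CONFIG))
```

Run it against a `show running-config` capture saved to a file by reading the file into `audit_frag_deny`; any interface listed with the frag deny issue is a finding under this rule, and an interface with no ingress ACL at all is the case the note in the check text asks you to verify by hand.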