
V-269873

CAT II (Medium)

The Dell OS10 Router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Rule ID

SV-269873r1052004_rule

STIG

Dell OS10 Switch Router Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001097

Discussion

Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

Check Content

Review the access control list (ACL) for the control plane receive path.

Verify that it will drop all fragmented ICMP packets destined to itself.

Step 1: Review the router configuration to verify that an ACL is configured that drops fragmented ICMP packets.

!
ip access-list FILTER_FRAGMENTED_ICMP
 seq 10 deny icmp any any log fragment
 ...
 seq 20 permit ip any any

Step 2: Examine the configuration to verify the ACL above is applied to packets destined to the control plane.

!
control-plane
 ip access-group FILTER_FRAGMENTED_ICMP data in

Note: As shown above, OS10 can filter fragmented packets that arrive on the front panel data ports. OS10 does not support filtering fragmented packets arriving on the OOBM management ethernet interface.
  
If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.
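
The two check steps above can be run against a saved copy of the router configuration. The following is an added example, not part of the STIG or of Dell's tooling; the function names are hypothetical, the sample configuration is constructed, and treating any earlier `permit ip`/`permit icmp` entry as a failure is a conservative assumption.

```python
import re

# Constructed running-config excerpt, laid out as in the check text above.
SAMPLE = """\
ip access-list FILTER_FRAGMENTED_ICMP
 seq 10 deny icmp any any log fragment
 seq 20 permit ip any any
!
control-plane
 ip access-group FILTER_FRAGMENTED_ICMP data in
"""

def parse_blocks(config):
    """Map each top-level line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            current = None
        elif raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def drops_icmp_fragments(entries):
    """Step 1: the fragment deny must precede any permit that covers ICMP."""
    parsed = (re.match(r"seq (\d+) (permit|deny) (\S+) (.+)", e) for e in entries)
    rules = sorted((int(m[1]), m[2], m[3], m[4].split()) for m in parsed if m)
    for _, action, proto, rest in rules:
        if action == "deny" and proto == "icmp" and rest[:2] == ["any", "any"] and "fragment" in rest:
            return True
        if action == "permit" and proto in ("ip", "icmp"):
            return False  # assumption: an earlier permit lets fragments through
    return False

def check_v269873(config):
    """Return findings for Steps 1 and 2; an empty list means no finding."""
    blocks = parse_blocks(config)
    applied = [m[1] for line in blocks.get("control-plane", [])
               if (m := re.fullmatch(r"ip access-group (\S+) data in", line))]
    findings = [] if applied else ["no ACL applied to control-plane with 'data in'"]
    for name in applied:
        entries = blocks.get("ip access-list " + name)
        if entries is None:
            findings.append(f"ACL {name} is applied but not defined")
        elif not drops_icmp_fragments(entries):
            findings.append(f"ACL {name} does not drop fragmented ICMP first")
    return findings
```
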

Fix Text

Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.

Step 1: Configure a control-plane ACL that drops fragmented ICMP packets.

OS10(config)# ip access-list FILTER_FRAGMENTED_ICMP
OS10(config-ipv4-acl)# seq 10 deny icmp any any log fragment
OS10(config-ipv4-acl)# seq 20 permit ip any any

Step 2: Apply the ACL above to the control-plane.

OS10(config)# control-plane
OS10(config-control-plane)# ip access-group FILTER_FRAGMENTED_ICMP data in