STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 1 hour ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Router Security Requirements Guide

V-207134

CAT II (Medium)

The router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Rule ID

SV-207134r604135_rule

STIG

Router Security Requirements Guide

Version

V5R2

CCIs

CCI-001097

Discussion

Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

Check Content

Review the access control list (ACL) or filter for the router receive path.

Verify that it will drop all fragmented ICMP packets destined to itself.

If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.

Note: If the platform does not support the receive path filter, verify that all Layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.

Fix Text

Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.