STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated just now
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to RUCKUS ICX Router Security Technical Implementation Guide

V-273606

CAT II (Medium)

The RUCKUS ICX router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Rule ID

SV-273606r1110918_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001097

Discussion

Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

Check Content

Verify router management interfaces are configured to drop fragmented packets.

Interface ethernet 1/1/1
  ip access-group EXT_ACL in logging enable
  ip access-group frag deny

If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.

Note: If the platform does not support the receive path filter, verify that all layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.

Fix Text

Configure inbound ACLs to block fragmented packets destined to itself.

ICX(config)#interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)#ip access-group EXT-ACL in logging enable
ICX(config-if-e1000-1/1/1)#ip access-group frag deny