STIGhub

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-221081

CAT II (Medium)

The Cisco switch must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Rule ID

SV-221081r999690_rule

STIG

Cisco NX OS Switch RTR Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-001097

Discussion

Fragmented ICMP packets can be crafted by attackers for denial-of-service (DoS) attacks such as Ping of Death and Teardrop. It is imperative that all fragmented ICMP packets destined to the switch are dropped.

Check Content

Review the external and internal ACLs to verify that the switch is configured to drop all fragmented ICMP packets destined to itself.

ip access-list EXTERNAL_ACL
 10 permit tcp x.11.1.1/32 eq bgp x.11.1.2/32
 20 permit tcp x.11.1.1/32 x.11.1.2/32 eq bgp
 30 deny icmp any x.11.1.2/32 fragments log
 40 permit icmp x.11.1.1/32 x.11.1.2/32 echo
…
…
…
 90 deny ip any any log

ip access-list INTERNAL_ACL
 10 deny icmp any host 10.1.12.2 fragments
 20 permit icmp any any

Note: Ensure the statement to deny ICMP fragments is before any permit statements for ICMP.

If the switch is not configured to drop all fragmented ICMP packets destined to itself, this is a finding.

Fix Text

Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below:

SW1(config)# ip access-list EXTERNAL_ACL
SW1(config-acl)# 35 deny icmp any host x.11.1.2 fragments log
SW1(config-acl)# exit

SW1(config)# ip access-list INTERNAL_ACL
SW1(config-acl)# 25 deny icmp any host 10.1.12.2 fragments log
SW1(config-acl)# end

Note: Ensure the above statement is before any permit statements for ICMP.
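As an added example (not part of the STIG text or the STIGhub page), a small Python checker that automates the Check Content above: it parses NX-OS ACL text, orders the ACEs by sequence number the way the switch evaluates them, and verifies that a `deny icmp ... fragments` entry covering the switch's own address is hit before any ICMP permit that could reach that address. The configuration excerpt and its addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed running-config excerpt (RFC 5737 addresses); not taken from a real device.
SAMPLE_CONFIG = """\
ip access-list EXTERNAL_ACL
 10 permit tcp 198.51.100.1/32 eq bgp 198.51.100.2/32
 30 deny icmp any 198.51.100.2/32 fragments log
 40 permit icmp 198.51.100.1/32 198.51.100.2/32 echo
ip access-list INTERNAL_ACL
 20 permit icmp any any
 10 deny icmp any host 10.1.12.2 fragments
ip access-list BAD_ACL
 10 permit icmp any any
 20 deny icmp any host 10.1.12.2 fragments
"""
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.+?)\s*$")

def parse_acls(config):
    """Map ACL name -> [(seq, action, proto, tokens)], sorted as NX-OS evaluates them."""
    acls, current = {}, None
    for line in config.splitlines():
        if line.startswith("ip access-list "):
            current = line.split()[2]
            acls[current] = []
        elif (m := ACE_RE.match(line)) and current:
            seq, action, proto, rest = m.groups()
            rest = re.sub(r"\bhost (\S+)", r"\1/32", rest)  # normalise 'host X' to X/32
            acls[current].append((int(seq), action, proto.lower(), rest.split()))
    return {name: sorted(aces) for name, aces in acls.items()}

def _covers(spec, addr):
    # spec is 'any' or a CIDR prefix taken from the ACE's destination field
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def icmp_fragments_dropped(aces, self_addr):
    """True when a 'deny icmp ... fragments' ACE covering self_addr precedes any permit that could reach it."""
    for _seq, action, proto, tokens in aces:
        if proto not in ("icmp", "ip"):
            continue
        addrs = [t for t in tokens if t == "any" or "/" in t][:2]  # src, dst; ports skipped
        if len(addrs) < 2 or not _covers(addrs[1], self_addr):
            continue
        if action == "deny" and proto == "icmp" and "fragments" in tokens:
            return True
        if action == "permit":
            return False  # a permit that reaches the switch is evaluated first: finding
    return False  # no deny-fragments ACE for the switch address: finding
```

Note that INTERNAL_ACL is deliberately listed out of sequence in the sample; the checker still passes it because NX-OS applies ACEs in sequence-number order, which is also why the Fix Text can insert the deny at sequence 35 or 25 ahead of the existing permits.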