Details
Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O’ Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
Solution
Configure the external and internal ACLs to drop all fragmented ICMP packets destined to the device itself, as shown in the example below:
SW1(config)#ip access-list extended EXTERNAL_ACL
SW1(config-ext-nacl)#deny icmp any host x.11.1.2 fragments
SW1(config)#ip access-list extended INTERNAL_ACL
SW1(config-ext-nacl)#deny icmp any host 10.1.12.2 fragments
Note: Ensure the above statement is before any permit statements for ICMP.
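The note above is the part that is easy to get wrong in practice: an ACL is evaluated top-down, so a `deny ... fragments` entry placed after a `permit` that already matches ICMP never fires. The following script is an added example (written for this page; it is not part of the STIG, the Tenable audit or any Cisco tooling) that audits an IOS running-config for exactly that condition. It assumes the config is available as text in the standard `show running-config` layout, uses the ACL names and addresses from the check text (x.11.1.2 is the page's own redacted address), and the function names are hypothetical. It goes slightly beyond the note in one respect: a `permit ip` entry is counted as a preceding permit as well as `permit icmp`, because `ip` matches ICMP too. The sample config is constructed and deliberately has INTERNAL_ACL in the non-compliant order.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config excerpt (not captured from a real device).
# EXTERNAL_ACL is in the required order; INTERNAL_ACL has the deny placed
# after a permit for ICMP, which is the failure mode the note warns about.
SAMPLE_CONFIG = """\
hostname SW1
!
ip access-list extended EXTERNAL_ACL
 deny icmp any host x.11.1.2 fragments
 permit icmp any host x.11.1.2 echo
 permit ip any any
!
ip access-list extended INTERNAL_ACL
 permit icmp any host 10.1.12.2 echo
 deny icmp any host 10.1.12.2 fragments
 permit ip any any
!
ip access-list extended MGMT_ACL
 permit ip any any
"""

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
# The required deny statement, tolerating an optional sequence number that
# IOS prints in front of each entry in 'show running-config'.
DENY_FRAG = re.compile(r"^(?:\d+\s+)?deny\s+icmp\s+any\s+host\s+(\S+)\s+fragments\b")
# Any permit for icmp, or for ip (which also matches ICMP), would be hit
# first if it sits above the deny.
PERMIT_ICMP = re.compile(r"^(?:\d+\s+)?permit\s+(?:icmp|ip)\b")


def parse_extended_acls(config: str) -> Dict[str, List[str]]:
    """Return {acl_name: [entry, ...]} for every 'ip access-list extended' block."""
    acls: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        header = ACL_HEADER.match(raw)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if current is not None and raw.startswith(" "):
            acls[current].append(raw.strip())   # indented line = ACL entry
        else:
            current = None                       # any other line ends the block
    return acls


def audit_icmp_fragments(config: str, required: Dict[str, str]) -> Dict[str, str]:
    """For each required ACL name -> protected address, report one of:
    'compliant', 'acl_missing', 'deny_missing', 'deny_after_permit'."""
    acls = parse_extended_acls(config)
    report: Dict[str, str] = {}
    for acl_name, target in required.items():
        entries = acls.get(acl_name)
        if entries is None:
            report[acl_name] = "acl_missing"
            continue
        deny_idx: Optional[int] = None
        permit_idx: Optional[int] = None
        for i, entry in enumerate(entries):
            m = DENY_FRAG.match(entry)
            if deny_idx is None and m and m.group(1) == target:
                deny_idx = i
            if permit_idx is None and PERMIT_ICMP.match(entry):
                permit_idx = i
        if deny_idx is None:
            report[acl_name] = "deny_missing"
        elif permit_idx is not None and permit_idx < deny_idx:
            report[acl_name] = "deny_after_permit"
        else:
            report[acl_name] = "compliant"
    return report


if __name__ == "__main__":
    required = {"EXTERNAL_ACL": "x.11.1.2", "INTERNAL_ACL": "10.1.12.2"}
    for acl, status in audit_icmp_fragments(SAMPLE_CONFIG, required).items():
        print(f"{acl}: {status}")
```

Feed it the output of `show running-config` for a fleet of devices and treat anything other than `compliant` as a finding; `deny_after_permit` is the case a plain "does the line exist" grep would miss.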
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Cisco.
References
- 800-53|SC-7a.
- CAT|II
- CCI|CCI-001097
- Rule-ID|SV-220430r622190_rule
- STIG-ID|CISC-RT-000140
- STIG-Legacy|SV-110707
- STIG-Legacy|V-101603
- Vuln-ID|V-220430