The Arista router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-256017 | SRG-NET-000205-RTR-000002 | ARST-RT-000350 | SV-256017r882393_rule | 2025-02-20 | 2 |
Description |
---|
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped. |
ℹ️ Check |
---|
Review the access control list (ACL) or filter for the Arista router receive path. Verify it will drop all fragmented ICMP packets destined to itself.

Step 1: To verify the ACL is configured to filter the fragmented ICMP packets destined to itself, execute the command "sh ip access-list".

```
ip access-list ICMP_FRAGMENTS
   10 deny ip any any fragments
   20 permit ip any any
```

Step 2: To verify the ACL is applied to the external interfaces, execute the command "sh run int Eth YY".

```
interface ethernet 5
   ip access-group ICMP_FRAGMENTS in
```

If the Arista router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.

Note: If the platform does not support the receive path filter, verify all layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.
✔️ Fix |
---|
Ensure all Arista routers have their receive path filter configured to drop all fragmented ICMP packets.

Step 1: Configure the ACL to filter the fragmented ICMP packets destined to itself.

```
LEAF-1A(config)#ip access-list ICMP_FRAGMENTS
LEAF-1A(config-acl-ICMP_FRAGMENTS)# 10 deny ip any any fragments
LEAF-1A(config-acl-ICMP_FRAGMENTS)# 20 permit ip any any
LEAF-1A(config-acl-ICMP_FRAGMENTS)# exit
```

Step 2: Apply the ACL to the external interfaces.

```
LEAF-1A(config)#interface ethernet 5
LEAF-1A(config-if-Et5)# ip access-group ICMP_FRAGMENTS in
```
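The check and fix above are a manual CLI review. As an added example (not part of the STIG text and not Arista code), the following Python script automates the same two conditions over captured `show ip access-list` and `show running-config` output: the ACL must reach a `deny ... fragments` entry before any `permit` entry, and every layer 3 interface (one with an `ip address`) must have such an ACL applied with `ip access-group <name> in`. The device output embedded below is a constructed sample, and the function names are assumptions of this example. Note that the `fragments` keyword in the ACL matches non-initial fragments of any IP protocol, so the check implements exactly the rule as written rather than an ICMP-only filter.

```python
"""Compliance check for the fragment-dropping ingress ACL described in the
Check and Fix sections (ARST-RT-000350). Added example; inputs are the text of
'show ip access-list' and 'show running-config' captured from a device."""
import re
from dataclasses import dataclass

# Constructed sample output, not captured from a real device.
SAMPLE_ACLS = """\
IP Access List ICMP_FRAGMENTS
        10 deny ip any any fragments
        20 permit ip any any
IP Access List MGMT_ONLY
        10 permit ip any any
        20 deny ip any any fragments
"""

SAMPLE_RUNNING_CONFIG = """\
interface Ethernet5
   no switchport
   ip address 203.0.113.2/30
   ip access-group ICMP_FRAGMENTS in
!
interface Ethernet6
   no switchport
   ip address 198.51.100.2/30
   ip access-group MGMT_ONLY in
!
interface Ethernet7
   no switchport
   ip address 192.0.2.1/30
!
interface Ethernet8
   switchport access vlan 10
!
"""


@dataclass
class AclEntry:
    seq: int
    action: str  # "permit" or "deny"
    body: str    # the rest of the entry, e.g. "ip any any fragments"


# Accept both 'show ip access-list' and running-config style headers.
ACL_HEADER = re.compile(r"^(?:IP Access List|ip access-list)\s+(\S+)$", re.I)
ACL_LINE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)\s*$", re.I)
INTERFACE_HEADER = re.compile(r"^interface\s+(\S+)", re.I)


def parse_access_lists(text):
    """Return {acl_name: [AclEntry, ...]} from 'show ip access-list' output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HEADER.match(line.strip())
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ACL_LINE.match(line)
        if m and current is not None:
            acls[current].append(
                AclEntry(int(m.group(1)), m.group(2).lower(), m.group(3).lower()))
    return acls


def acl_drops_fragments(entries):
    """ACLs are first-match, so the 'deny ... fragments' entry must be reached
    before any permit. A permit evaluated first is treated (conservatively)
    as letting fragments through, which is why MGMT_ONLY above fails."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.action == "deny" and "fragments" in e.body.split():
            return True
        if e.action == "permit":
            return False
    return False


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} per interface stanza."""
    intfs, current = {}, None
    for line in config.splitlines():
        m = INTERFACE_HEADER.match(line)
        if m:
            current = m.group(1)
            intfs[current] = []
        elif line.strip() == "!":
            current = None
        elif current is not None:
            intfs[current].append(line.strip())
    return intfs


def ingress_acl(lines):
    """Name of the ACL applied inbound on the interface, or None."""
    for l in lines:
        m = re.match(r"ip access-group\s+(\S+)\s+in$", l)
        if m:
            return m.group(1)
    return None


def evaluate(acl_text, config_text):
    """Apply the check: every layer 3 interface needs an ingress ACL that
    drops fragments. Returns the compliant ACL names and a list of findings."""
    acls = parse_access_lists(acl_text)
    good = {n for n, entries in acls.items() if acl_drops_fragments(entries)}
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        if not any(l.startswith("ip address") for l in lines):
            continue  # not a layer 3 interface
        applied = ingress_acl(lines)
        if applied is None:
            findings.append(f"{name}: no ingress ACL applied")
        elif applied not in acls:
            findings.append(f"{name}: ACL {applied} applied but not defined")
        elif applied not in good:
            findings.append(
                f"{name}: ACL {applied} does not drop fragments before permitting")
    return {"compliant_acls": sorted(good), "findings": findings}


if __name__ == "__main__":
    for f in evaluate(SAMPLE_ACLS, SAMPLE_RUNNING_CONFIG)["findings"]:
        print("FINDING:", f)
```

Run against the constructed sample, Ethernet5 passes, Ethernet6 is flagged because `MGMT_ONLY` permits before it denies fragments, Ethernet7 is flagged for having no ingress ACL, and Ethernet8 is skipped as a switchport. Feed the script real `show ip access-list` and `show running-config` captures to use it as a pre-audit check.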