The RUCKUS ICX router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-273606 | SRG-NET-000205-RTR-000002 | RCKS-RTR-000390 | SV-273606r1110918_rule | 2025-06-03 | 1 |
| Description |
|---|
| Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped. |
| ℹ️ Check |
|---|
| Verify router management interfaces are configured to drop fragmented packets.<br><br>`interface ethernet 1/1/1`<br>&nbsp;`ip access-group EXT_ACL in logging enable`<br>&nbsp;`ip access-group frag deny`<br><br>If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.<br><br>Note: If the platform does not support the receive-path filter, verify that all layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing. |
| ✔️ Fix |
|---|
| Configure inbound ACLs to block fragmented packets destined to itself.<br><br>`ICX(config)#interface ethernet 1/1/1`<br>`ICX(config-if-e1000-1/1/1)#ip access-group EXT-ACL in logging enable`<br>`ICX(config-if-e1000-1/1/1)#ip access-group frag deny` |
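The check above is done by reading the running configuration interface by interface. The following script is an added example, not part of the STIG or any RUCKUS tool: it parses a constructed `show running-config` excerpt (sample interface names and RFC 5737 addresses are assumptions) and reports every layer 3 interface that lacks the `ip access-group frag deny` line the Fix requires.

```python
import re

# Constructed sample of a RUCKUS ICX running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
interface ethernet 1/1/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group EXT_ACL in
 ip access-group frag deny
!
interface ethernet 1/1/2
 ip address 198.51.100.1 255.255.255.0
 ip access-group EXT_ACL in
!
interface ethernet 1/1/3
 port-name uplink-no-ip
!
interface ve 10
 ip address 203.0.113.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+ \S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks

def frag_deny_findings(config):
    """Return the layer 3 interfaces (those carrying an IP address) that have no
    'ip access-group frag deny'. An empty list means no finding for this rule."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        is_layer3 = any(l.startswith("ip address ") for l in lines)
        has_frag_deny = "ip access-group frag deny" in lines
        if is_layer3 and not has_frag_deny:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for iface in frag_deny_findings(SAMPLE_CONFIG):
        print(f"FINDING: {iface} has no 'ip access-group frag deny'")
```

Interfaces with no IP address are skipped because the Note in the Check scopes the ACL requirement to layer 3 interfaces.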