The RUCKUS ICX router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-273606 | SRG-NET-000205-RTR-000002 | RCKS-RTR-000390 | SV-273606r1110918_rule | 2025-06-03 | 1 |
Description
Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
ℹ️ Check
Verify router management interfaces are configured to drop fragmented packets.
Interface ethernet 1/1/1
ip access-group EXT_ACL in logging enable
ip access-group frag deny
If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.
Note: If the platform does not support the receive path filter, verify that all layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.
✔️ Fix
Configure inbound ACLs to block fragmented packets destined to itself.
ICX(config)#interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)#ip access-group EXT-ACL in logging enable
ICX(config-if-e1000-1/1/1)#ip access-group frag deny