The RUCKUS ICX router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-273632 | SRG-NET-000362-RTR-000114 | RCKS-RTR-000650 | SV-273632r1110938_rule | 2025-06-03 | 1 |
| Description |
|---|
| The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis. |
| ℹ️ Check |
|---|
| Review configuration to determine whether outgoing ICMP mask replies are blocked on external interfaces. enable egress-acl-on-cpu-traffic ip access-list extended BLOCK_ICMP_OUT sequence 10 deny icmp any any unreachable sequence 20 deny icmp any any mask-reply sequence 30 permit ip any any interface ethernet 1/1/1 ip address x.0.1.2 255.255.255.252 ip access-group BLOCK_ICMP_OUT out ! If outgoing ICMP mask replies are not blocked on external interfaces, this is a finding. |
| ✔️ Fix |
|---|
| Configure ACL to block ICMP mask replies. ICX(config)#enable egress-acl-on-cpu-traffic ICX(config)#ip access ext BLOCK_ICMP_OUT ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#deny icmp any any unreachable ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#deny icmp any any mask-reply ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#permit ip any any Apply ACL to external interface. ICX(config)#interface ethernet 1/1/1 ICX(config-if-e1000-1/1/1)#ip access-group BLOCK_ICMP_OUT out |