The RUCKUS ICX router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-273632 | SRG-NET-000362-RTR-000114 | RCKS-RTR-000650 | SV-273632r1110938_rule | 2025-06-03 | 1 |
Description
ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Attackers commonly use ICMP Mask Reply messages for network mapping and diagnosis, since the reply discloses the subnet mask of the responding interface.
ℹ️ Check
Review the configuration to determine whether outgoing ICMP mask replies are blocked on external interfaces.

```
enable egress-acl-on-cpu-traffic
ip access-list extended BLOCK_ICMP_OUT
 sequence 10 deny icmp any any unreachable
 sequence 20 deny icmp any any mask-reply
 sequence 30 permit ip any any
interface ethernet 1/1/1
 ip address x.0.1.2 255.255.255.252
 ip access-group BLOCK_ICMP_OUT out
!
```
If outgoing ICMP mask replies are not blocked on external interfaces, this is a finding.
✔️ Fix
Configure an ACL to block ICMP mask replies.

```
ICX(config)#enable egress-acl-on-cpu-traffic
ICX(config)#ip access ext BLOCK_ICMP_OUT
ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#deny icmp any any unreachable
ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#deny icmp any any mask-reply
ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#permit ip any any
```

Apply the ACL to the external interface.

```
ICX(config)#interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)#ip access-group BLOCK_ICMP_OUT out
```
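The check above is easy to get wrong by hand when an ACL has more entries than the three shown: a `permit icmp any any` or `permit ip any any` that sits ahead of the `deny ... mask-reply` line wins on first match, and an interface that simply has no outbound ACL is also a finding. The following script is an added example (not RUCKUS or DISA code) that parses a running-config in the form shown in the Check text and reports the findings this rule calls for. It generalizes the check to any ICMP message type (the default is `mask-reply`; `unreachable` works the same way). The parser handles only the `ip access-list extended`, `sequence N permit|deny`, `interface` and `ip access-group ... out` forms shown on this page, and the sample configs, interface names and addresses are constructed for the example.

```python
"""Audit a RUCKUS ICX running-config for outbound ICMP mask-reply filtering
(STIG RCKS-RTR-000650). Added example, not RUCKUS or DISA code; it parses only
the config forms shown in the STIG check text."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AclEntry:
    action: str               # "permit" or "deny"
    proto: str                # "icmp", "ip", ...
    src: str                  # "any", "host A.B.C.D" or "addr wildcard"
    dst: str
    icmp_type: Optional[str]  # e.g. "mask-reply"; None means any ICMP type


@dataclass
class IcxConfig:
    egress_acl_on_cpu: bool = False
    acls: dict = field(default_factory=dict)     # ACL name -> [AclEntry]
    out_acl: dict = field(default_factory=dict)  # interface -> outbound ACL name


def _take_addr(toks, i):
    """Consume one address specifier at toks[i]; return (text, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return "host " + toks[i + 1], i + 2
    return toks[i] + " " + toks[i + 1], i + 2   # address + wildcard mask


def parse_icx_config(text: str) -> IcxConfig:
    cfg = IcxConfig()
    section = None   # ("acl", name) or ("if", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line == "enable egress-acl-on-cpu-traffic":
            cfg.egress_acl_on_cpu, section = True, None
        elif (m := re.match(r"^ip access-list extended (\S+)$", line)):
            section = ("acl", m.group(1))
            cfg.acls.setdefault(m.group(1), [])
        elif (m := re.match(r"^interface (\S+ \S+)$", line)):
            section = ("if", m.group(1))
        elif section and section[0] == "acl":
            toks = line.split()
            if toks[0] == "sequence":      # "sequence 10 deny ..." -> "deny ..."
                toks = toks[2:]
            if toks[0] in ("permit", "deny"):
                src, i = _take_addr(toks, 2)
                dst, i = _take_addr(toks, i)
                itype = toks[i] if toks[1] == "icmp" and i < len(toks) and toks[i] != "log" else None
                cfg.acls[section[1]].append(AclEntry(toks[0], toks[1], src, dst, itype))
        elif section and section[0] == "if":
            if (m := re.match(r"^ip access-group (\S+) out$", line)):
                cfg.out_acl[section[1]] = m.group(1)
    return cfg


def acl_blocks_icmp(cfg: IcxConfig, acl_name: str, icmp_type: str) -> bool:
    """True if the ACL denies every ICMP message of icmp_type under first-match
    evaluation. Any earlier permit that could match the type counts as a leak;
    an ACL that is referenced but not defined filters nothing."""
    entries = cfg.acls.get(acl_name)
    if entries is None:
        return False
    for e in entries:
        if e.proto not in ("icmp", "ip"):
            continue
        if e.proto == "icmp" and e.icmp_type not in (None, icmp_type):
            continue
        if e.action == "permit":
            return False                        # permit reached before the deny
        if e.src == "any" and e.dst == "any":
            return True                         # catch-all deny reached first
    return True                                 # implicit deny at end of ACL


def audit_icmp_egress(cfg: IcxConfig, external_interfaces, icmp_type="mask-reply"):
    """Return a list of finding strings; an empty list means compliant."""
    findings = []
    if not cfg.egress_acl_on_cpu:
        findings.append("'enable egress-acl-on-cpu-traffic' is missing (required by the "
                        "STIG fix so the egress ACL applies to router-generated ICMP)")
    for ifname in external_interfaces:
        acl = cfg.out_acl.get(ifname)
        if acl is None:
            findings.append(f"{ifname}: no outbound ACL applied")
        elif not acl_blocks_icmp(cfg, acl, icmp_type):
            findings.append(f"{ifname}: ACL {acl} does not block ICMP {icmp_type}")
    return findings


# Constructed sample configs (documentation addresses, not a real device).
COMPLIANT_CONFIG = """\
enable egress-acl-on-cpu-traffic
ip access-list extended BLOCK_ICMP_OUT
 sequence 10 deny icmp any any unreachable
 sequence 20 deny icmp any any mask-reply
 sequence 30 permit ip any any
!
interface ethernet 1/1/1
 ip address 192.0.2.2 255.255.255.252
 ip access-group BLOCK_ICMP_OUT out
!
"""

NONCOMPLIANT_CONFIG = """\
ip access-list extended BLOCK_ICMP_OUT
 sequence 10 permit icmp any any
 sequence 20 deny icmp any any mask-reply
 sequence 30 permit ip any any
!
interface ethernet 1/1/1
 ip access-group BLOCK_ICMP_OUT out
!
interface ethernet 1/1/2
 ip address 198.51.100.2 255.255.255.252
!
"""

if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        result = audit_icmp_egress(parse_icx_config(text), ["ethernet 1/1/1", "ethernet 1/1/2"][: 1 if name == "compliant" else 2])
        print(name, "->", result or "no findings")
```

Feed it the output of `show running-config` and the list of interfaces you consider external; the list of interfaces is deliberately an input, because the config alone does not say which interfaces face untrusted networks. The `deny icmp any any unreachable` entry in the page's ACL is left in place by the audit but is checked separately by passing `icmp_type="unreachable"`.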