The Cisco ACI must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-272079 | CACI-RT-000019 | SV-272079r1114312_rule | Medium |
Description |
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped. |
STIG | Date |
Cisco ACI Router Security Technical Implementation Guide | 2025-06-18 |
Details
Check Text (C-76129r1114310_chk) |
If this review is for the DODIN Backbone, mark as not applicable. Review the external and internal ACLs to verify that the router is configured to only allow specific management and control plane traffic from specific sources destined to itself. 1. Navigate Tenant >> Contract >> Filter. 2. Select the "Drop Fragmented ICMP" filter. 3. Verify ICMP and Fragmented are selected to be denied. If all fragmented ICMP packets destined to Cisco ACI IP addresses are not dropped, this is a finding. |
Fix Text (F-76036r1114311_fix) |
Ensure this deny rule is placed before any permit rules for ICMP traffic to ensure fragmented ICMP packets are dropped first. 1. Navigate Tenant >> Contract >> Filter. 2. Create or edit a filter (e.g., "Drop Fragmented ICMP"). 3. Set Match to include: Protocol: ICMP Fragmentation: "Fragmented" 4. Set Action to "Deny". |