Detections
Analytics
ARST-RT-000530 - The Arista router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
Information
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Disable ICMP unreachable notifications on all external interfaces.Step 1: The Arista router can be configured to filter out the ICMP Unreachable for (Type 3) code 0 (Network unreachable) IPv4 and IPv6 packets with the following command:
router(config)#ip icmp rate-limit-unreachable 0
router(config)#ipv6 icmp rate-limit-unreachable 0
Step 2: The Arista router can be configured to filter out the ICMP Unreachable for (Type 3) code 1 (Network unreachable) IPv4 and IPv6 packets with the following command:
router(config)#ip access-list BLK-ICMP-Unreachables
10 deny icmp any any host-unreachable
20 permit ip any any
!
Step 3: This would need to be applied on the egress interface (for example as in et1 below):
router(config)#interface ethernet1
no routerport
ip address 32.1.1.12/24
ip access-group BLK-ICMP-Unreachables out
!
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-X_Y25M07_STIG.zip
Item Details
Audit Name: DISA Arista MLS EOS 4.X Router STIG v2r2
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-256032r882438_rule, STIG-ID|ARST-RT-000530, Vuln-ID|V-256032
Plugin: Arista
Control ID: 7a50557fde0cb6a35d26f5646a6ca9400f3403242546d8289d9e11905e76b11b