CISC-RT-000140 - The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself - external
Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
Configure the external and internal ACLs to drop all fragmented ICMP packets destined to the router itself, as shown in the example below.

R1(config)#ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)#deny icmp any host x.11.1.2 fragments
R1(config)#ip access-list extended INTERNAL_ACL
R1(config-ext-nacl)#deny icmp any host 10.1.12.2 fragments

Note: Ensure the above deny statements are placed before any permit statements for ICMP.
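The ordering requirement in the note is the part that is easiest to get wrong during an audit: a deny-fragments entry that sits below a permit for ICMP never matches. The following Python script is an added compliance check written for this page, not part of the STIG or of Cisco's tooling. It parses a constructed running-config excerpt in the format IOS prints for extended named ACLs (with optional sequence numbers) and, for each ACL paired with the router-owned address it protects, reports whether a `deny icmp any host <addr> fragments` entry exists and whether any `permit icmp` (or `permit ip`, which matches ICMP as well) precedes it. The ACL names and addresses are taken from the example above; the sample config, the ACL-to-address mapping and the MGMT_ACL entry are assumptions constructed for the demonstration.

```python
import re

# Constructed sample in the style of 'show running-config | section access-list'.
# EXTERNAL_ACL is compliant, INTERNAL_ACL has the permit above the deny,
# MGMT_ACL (hypothetical) has no deny-fragments entry at all.
SAMPLE_CONFIG = """\
ip access-list extended EXTERNAL_ACL
 remark CISC-RT-000140 fragments first
 10 deny icmp any host x.11.1.2 fragments
 20 permit icmp any host x.11.1.2 echo
 30 permit tcp any host x.11.1.2 eq 22
ip access-list extended INTERNAL_ACL
 10 permit icmp any host 10.1.12.2 echo-reply
 20 deny icmp any host 10.1.12.2 fragments
ip access-list extended MGMT_ACL
 10 permit icmp any host 10.1.12.2
"""

# Which router-owned address each ACL is expected to protect (assumed mapping).
ACL_TARGETS = {
    "EXTERNAL_ACL": "x.11.1.2",
    "INTERNAL_ACL": "10.1.12.2",
    "MGMT_ACL": "10.1.12.2",
}

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
# Optional leading sequence number, then action, protocol, and the remainder.
ACE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*?)\s*$")


def parse_acls(config: str) -> dict:
    """Return {acl_name: [(action, protocol, rest), ...]} in configured order."""
    acls = {}
    current = None
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if current is None:
            continue
        if line and not line[0].isspace():
            current = None          # left the ACL block
            continue
        ace = ACE.match(line)
        if ace:                     # remark lines simply do not match
            acls[current].append(ace.groups())
    return acls


def check_fragment_deny(aces: list, host: str) -> tuple:
    """CISC-RT-000140 check for one ACL and one router-owned address.

    Walks the entries in order. Returns (compliant, reason): compliant only if
    'deny icmp any host <host> fragments' is found before any permit that
    could match ICMP to that host. A 'permit ip' counts too, since it matches
    every IP protocol including ICMP.
    """
    for pos, (action, proto, rest) in enumerate(aces, start=1):
        tokens = rest.split()
        if action == "deny" and proto == "icmp" \
                and tokens[:3] == ["any", "host", host] and "fragments" in tokens:
            return True, f"deny-fragments entry found at position {pos}"
        if action == "permit" and proto in ("icmp", "ip"):
            return False, f"permit {proto} at position {pos} precedes the deny-fragments entry"
    return False, f"no 'deny icmp any host {host} fragments' entry present"


def audit(config: str, targets: dict) -> dict:
    """Map each ACL name in targets to its (compliant, reason) result."""
    acls = parse_acls(config)
    results = {}
    for name, host in targets.items():
        results[name] = check_fragment_deny(acls.get(name, []), host)
    return results


if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE_CONFIG, ACL_TARGETS).items():
        print(f"{name:14s} {'PASS' if ok else 'FAIL'}  {why}")
```

Run against a real `show running-config` capture, the same `audit()` call gives a per-ACL finding; only the ACL-to-address mapping needs to reflect the interface addresses the ACLs actually protect on the device.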