Detections
Analytics
CISC-RT-000170 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Step 1: Disable ip unreachables on all external interfaces.R4(config)#int g0/1
R4(config-if)#no ip unreachables
Step 2: Disable ip unreachables on the Null0 interface if it is used to backhole packets.
R4(config-if)#int null 0
R4(config-if)#no ip unreachables
Alternative - DODIN Backbone:
Configure the PE router to rate limit ICMP unreachable messages as shown in the example below:
R4(config)#ip icmp rate-limit unreachable df 100
R4(config)#ip icmp rate-limit unreachable 100000
R4(config)#end
Alternative - Non DODIN Backbone.
An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:
Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:
R2(config)#ip access-list ext ICMP_T3C1C13
R2(config-ext-nacl)#permit icmp any any host-unreachable
R2(config-ext-nacl)#permit icmp any any administratively-prohibited
R2(config-ext-nacl)#exit
Step 2: Create a route map to forward these ICMP messages to the Null0 interface.
R2(config)#route-map LOCAL_POLICY
R2(config-route-map)#match ip address ICMP_T3C1C13
R2(config-route-map)#set interface Null0
R2(config-route-map)#exit
Step 3: Configure no ip unreachables on the Null0 interface.
R2(config)#int null 0
R2(config-if)#no ip unreachables
R2(config-if)#exit
Step 4: Apply the policy to filter messages generated by the router.
R2(config)#ip local policy route-map LOCAL_POLICY
R2(config)#end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Router_Y22M07_STIG.zip
Item Details
Audit Name: DISA STIG Cisco IOS Router RTR v2r1
References: CAT|II, CCI|CCI-002385, Rule-ID|SV-216565r531085_rule, STIG-ID|CISC-RT-000170, STIG-Legacy|SV-105669, STIG-Legacy|V-96531, Vuln-ID|V-216565
Plugin: Cisco
Control ID: 9cdba41b2211e92eb02b6925a1b60ee4f13dc8abe4b54bd708f979cf791b2704