CISC-RT-000170 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces - DODIN Backbone


The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.


Step 1: Disable ip unreachables on all external interfaces.

R4(config)#int g0/1
R4(config-if)#no ip unreachables

Step 2: Disable ip unreachables on the Null0 interface if it is used to backhole packets.

R4(config-if)#int null 0
R4(config-if)#no ip unreachables

Alternative - DODIN Backbone:

Configure the PE router to rate limit ICMP unreachable messages as shown in the example below:

R4(config)#ip icmp rate-limit unreachable df 100
R4(config)#ip icmp rate-limit unreachable 100000

Alternative - Non DODIN Backbone.

An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:

Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:

R2(config)#ip access-list ext ICMP_T3C1C13
R2(config-ext-nacl)#permit icmp any any host-unreachable
R2(config-ext-nacl)#permit icmp any any administratively-prohibited

Step 2: Create a route map to forward these ICMP messages to the Null0 interface.

R2(config)#route-map LOCAL_POLICY
R2(config-route-map)#match ip address ICMP_T3C1C13
R2(config-route-map)#set interface Null0

Step 3: Configure no ip unreachables on the Null0 interface.

R2(config)#int null 0
R2(config-if)#no ip unreachables

Step 4: Apply the policy to filter messages generated by the router.

R2(config)#ip local policy route-map LOCAL_POLICY

See Also

Item Details


References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-216565r531085_rule, STIG-ID|CISC-RT-000170, STIG-Legacy|SV-105669, STIG-Legacy|V-96531, Vuln-ID|V-216565

Plugin: Cisco

Control ID: 9cdba41b2211e92eb02b6925a1b60ee4f13dc8abe4b54bd708f979cf791b2704