Detections
Analytics

CISC-RT-000170 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces - DODIN Backbone

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.

Solution

Step 1: Disable ip unreachables on all external interfaces.

R4(config)#int g0/1
R4(config-if)#no ip unreachables

Step 2: Disable ip unreachables on the Null0 interface if it is used to backhole packets.

R4(config-if)#int null 0
R4(config-if)#no ip unreachables

Alternative - DODIN Backbone:

Configure the PE router to rate limit ICMP unreachable messages as shown in the example below:

R4(config)#ip icmp rate-limit unreachable df 100
R4(config)#ip icmp rate-limit unreachable 100000
R4(config)#end

Alternative - Non DODIN Backbone.

An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:

Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:

R2(config)#ip access-list ext ICMP_T3C1C13
R2(config-ext-nacl)#permit icmp any any host-unreachable
R2(config-ext-nacl)#permit icmp any any administratively-prohibited
R2(config-ext-nacl)#exit

Step 2: Create a route map to forward these ICMP messages to the Null0 interface.

R2(config)#route-map LOCAL_POLICY
R2(config-route-map)#match ip address ICMP_T3C1C13
R2(config-route-map)#set interface Null0
R2(config-route-map)#exit

Step 3: Configure no ip unreachables on the Null0 interface.

R2(config)#int null 0
R2(config-if)#no ip unreachables
R2(config-if)#exit

Step 4: Apply the policy to filter messages generated by the router.

R2(config)#ip local policy route-map LOCAL_POLICY
R2(config)#end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Router_Y22M07_STIG.zip

Item Details

References: CAT|II, CCI|CCI-002385, Rule-ID|SV-216565r531085_rule, STIG-ID|CISC-RT-000170, STIG-Legacy|SV-105669, STIG-Legacy|V-96531, Vuln-ID|V-216565

Plugin: Cisco

Control ID: 9cdba41b2211e92eb02b6925a1b60ee4f13dc8abe4b54bd708f979cf791b2704