NET0720 - TCP and UDP small server services are not disabled - 'service tcp-small-servers'

Information

Network devices must have TCP and UDP small servers disabled.

Cisco IOS provides the 'small services' that include echo, chargen, and discard. These services, especially their User Datagram Protocol (UDP) versions, are infrequently used for legitimate purposes. However, they have been used to launch denial of service attacks that would otherwise be prevented by packet filtering. For example, an attacker might send a DNS packet, falsifying the source address to be a DNS server that would otherwise be unreachable, and falsifying the source port to be the DNS service port (port 53). If such a packet were sent to the Cisco's UDP echo port, the result would be Cisco sending a DNS packet to the server in question. No outgoing access list checks would be applied to this packet, since it would be considered locally generated by the router itself. The small services are disabled by default in Cisco IOS 12.0 and later software. In earlier software, they may be disabled using the commands no service tcp-small-servers and no service udp-small-servers.

NOTE: The TCP and UDP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier. They are disabled by default on Cisco IOS Software Versions 11.3 and later.

Solution

Change the device configuration to include the following IOS commands: no service tcp-small-servers and no service udp-small-servers for each device running an IOS version prior to 12.0. This is the default for IOS versions 12.0 and later (i.e., these commands will not appear in the running configuration.)

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_L2_Switch_V8R27_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CAT|III, Rule-ID|SV-3078r3_rule, STIG-ID|NET0720, Vuln-ID|V-3078

Plugin: Cisco

Control ID: 923de07f6f58b52e4e2ba52365d45cf9c95f180dfa4549e55dfd29071ed4bb23