STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to RUCKUS ICX Router Security Technical Implementation Guide

V-273606

CAT II (Medium)

The RUCKUS ICX router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.

Rule ID

SV-273606r1110918_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001097

Discussion

Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.

Check Content

Verify router management interfaces are configured to drop fragmented packets.

Interface ethernet 1/1/1
  ip access-group EXT_ACL in logging enable
  ip access-group frag deny

If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.

Note: If the platform does not support the receive path filter, verify that all layer 3 interfaces have an ingress ACL to control what packets are allowed to be destined to the router for processing.

Fix Text

Configure inbound ACLs to block fragmented packets destined to itself.

ICX(config)#interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)#ip access-group EXT-ACL in logging enable
ICX(config-if-e1000-1/1/1)#ip access-group frag deny