STIGQter: STIG Summary: Cisco IOS Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.

DISA Rule

SV-216565r531085_rule

Vulnerability Number

V-216565

Group Title

SRG-NET-000362-RTR-000113

Rule Version

CISC-RT-000170

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Step 1: Disable ip unreachables on all external interfaces.

R4(config)#int g0/1
R4(config-if)#no ip unreachables

Step 2: Disable ip unreachables on the Null0 interface if it is used to blackhole packets.

R4(config-if)#int null 0
R4(config-if)#no ip unreachables

Alternative – DODIN Backbone:

Configure the PE router to rate limit ICMP unreachable messages as shown in the example below:

R4(config)#ip icmp rate-limit unreachable df 100
R4(config)#ip icmp rate-limit unreachable 100000
R4(config)#end

Alternative – Non DODIN Backbone:

An alternative for non-backbone networks (e.g., enclave, base, camp) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:

Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:

R2(config)#ip access-list ext ICMP_T3C1C13
R2(config-ext-nacl)#permit icmp any any host-unreachable
R2(config-ext-nacl)#permit icmp any any administratively-prohibited
R2(config-ext-nacl)#exit

Step 2: Create a route map to forward these ICMP messages to the Null0 interface.

R2(config)#route-map LOCAL_POLICY
R2(config-route-map)#match ip address ICMP_T3C1C13
R2(config-route-map)#set interface Null0
R2(config-route-map)#exit

Step 3: Configure no ip unreachables on the Null0 interface.

R2(config)#int null 0
R2(config-if)#no ip unreachables
R2(config-if)#exit

Step 4: Apply the policy to filter messages generated by the router.

R2(config)#ip local policy route-map LOCAL_POLICY
R2(config)#end

Check Contents

Review the configuration to verify the no ip unreachables command has been configured on all external interfaces as shown in the configuration example below.

interface GigabitEthernet0/1
ip address x.x.x.x 255.255.255.0
no ip unreachables

If ICMP unreachable notifications are sent from any external or null0 interface, this is a finding.

Alternative – DODIN Backbone

Verify that the PE router is configured to rate limit ICMP unreachable messages as shown in the example below.

ip icmp rate-limit unreachable 60000
ip icmp rate-limit unreachable DF 1000

Note: In the example above, the packet-too-big message (ICMP Type 3 Code 4) can be sent once every second, while all other destination unreachable messages can be sent once every minute. This avoids disrupting Path MTU Discovery for traffic traversing the backbone while mitigating the risk of an ICMP unreachable DoS attack.

If the PE router is not configured to rate limit ICMP unreachable messages, this is a finding.
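The following script is an added example (not part of the STIG, of STIGQter, or of any Cisco tooling) that automates the check above against a saved running-config: it parses interface stanzas, verifies that every interface the auditor names as external (plus Null0 when it exists, per Fix Step 2) carries `no ip unreachables`, and recognises the DODIN-backbone alternative by looking for both global `ip icmp rate-limit unreachable` commands. The set of external interface names is an input the auditor supplies (the script cannot infer it from the config), and the sample configuration embedded below is constructed for illustration.

```python
"""Audit a Cisco IOS running-config for CISC-RT-000170 (no ip unreachables).

Added example, not part of the STIG or of STIGQter. The external interface
names are an assumption supplied by the auditor; SAMPLE_CONFIG is constructed.
"""
import re
from typing import Dict, List, Set

# Constructed sample: Gi0/1 is compliant, Gi0/2 is not, Null0 is covered,
# and both backbone rate-limit commands are present.
SAMPLE_CONFIG = """\
!
ip icmp rate-limit unreachable 60000
ip icmp rate-limit unreachable DF 1000
!
interface GigabitEthernet0/0
 description INTERNAL LAN
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description EXTERNAL UPLINK
 ip address 192.0.2.1 255.255.255.0
 no ip unreachables
!
interface GigabitEthernet0/2
 description EXTERNAL PEER
 ip address 198.51.100.1 255.255.255.0
!
interface Null0
 no ip unreachables
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} from an IOS running-config."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            # Any non-indented line (including "!") ends the interface stanza.
            current = None
    return interfaces


def rate_limit_configured(config: str) -> bool:
    """DODIN-backbone alternative: both global rate-limit commands present.

    The DF keyword appears as 'df' in the fix text and 'DF' in the check
    text, so it is matched case-insensitively.
    """
    generic = re.search(r"^ip icmp rate-limit unreachable \d+\s*$", config, re.M)
    df = re.search(r"^ip icmp rate-limit unreachable df \d+\s*$", config, re.M | re.I)
    return bool(generic and df)


def audit(config: str, external: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the interface check passes."""
    findings: List[str] = []
    interfaces = parse_interfaces(config)
    # Null0 must be covered whenever it exists (Fix Step 2), so add it to the set.
    to_check = set(external)
    if "Null0" in interfaces:
        to_check.add("Null0")
    for name in sorted(to_check):
        cmds = interfaces.get(name)
        if cmds is None:
            findings.append(f"{name}: listed as external but not in configuration")
        elif "no ip unreachables" not in cmds:
            findings.append(f"{name}: ICMP unreachables not disabled")
    return findings


def compliant(config: str, external: Set[str], dodin_backbone: bool = False) -> bool:
    """True when the rule is met; the rate-limit alternative counts only on a backbone PE."""
    if not audit(config, external):
        return True
    return dodin_backbone and rate_limit_configured(config)


if __name__ == "__main__":
    ext = {"GigabitEthernet0/1", "GigabitEthernet0/2"}  # assumed external interfaces
    for finding in audit(SAMPLE_CONFIG, ext):
        print("FINDING:", finding)
    print("backbone rate-limit alternative present:", rate_limit_configured(SAMPLE_CONFIG))
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents and `ext` with the interfaces that face outside the enclave; on the constructed sample it reports one finding for GigabitEthernet0/2, which is a finding for a non-backbone router but is accepted when `dodin_backbone=True` because both rate-limit commands are present.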

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4027

Comments