Disable processing of packets with IP options

Attackers send a large stream of packets carrying IP options (in IPv4 packets) to bog down the server with the increased per-packet processing load. The result is a Denial of Service (DoS) attack: the server is so busy processing these packets that it cannot provide services to its clients.

The general mitigation that reduces the impact of this DoS attack is to drop packets that carry IP options. This reduces the load on the router and limits the impact of the attack on downstream routers. By default, all IPv4 packets with IP options are processed; this feature must be enabled explicitly to apply the mitigation.

Packets that are to be processed by the device's Control Plane Processing Unit (CPU) are also dropped by default. However, explicitly dropping packets whose destination is the device CPU cannot be configured while dropping of packets that carry IP options is configured; the two configurations are mutually exclusive. For example, if you have configured the disable option, you cannot configure the disable-cpu option without first removing the previous configuration.
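Before enabling the drop, an operator usually wants to know what share of the traffic actually carries IP options and which option types appear, because legitimate protocols such as IGMP and RSVP use the Router Alert option and their packets are dropped too once the mitigation is on. The following Python script is an added example, not part of this documentation and not vendor code: it parses IPv4 headers, classifies each packet as plain, option-bearing or malformed (an option whose length byte runs past the header), and tallies option types. The packets, addresses (RFC 5737 documentation ranges) and the helper that builds them are constructed for the demo.

```python
import struct

# IPv4 option type numbers (RFC 791 / IANA registry); used only for readable output
OPTION_NAMES = {
    0: "EOOL",    # end of option list
    1: "NOP",     # no operation (padding)
    7: "RR",      # record route
    68: "TS",     # timestamp
    131: "LSRR",  # loose source route
    137: "SSRR",  # strict source route
    148: "RA",    # router alert (0x94), used by IGMP and RSVP
}


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse an IPv4 header and return its fields plus the option TLVs.

    Raises ValueError for truncated, non-IPv4 or malformed-option packets so
    a caller can count those separately from well-formed option-bearing ones.
    """
    if len(pkt) < 20:
        raise ValueError("truncated: shorter than minimum IPv4 header")
    ver_ihl, _tos, _total_len, _id, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 5:
        raise ValueError(f"invalid IHL {ihl}")
    header_len = ihl * 4
    if len(pkt) < header_len:
        raise ValueError("truncated: IHL exceeds packet length")

    options = []
    area = pkt[20:header_len]      # option area is empty when IHL == 5
    i = 0
    while i < len(area):
        opt_type = area[i]
        if opt_type == 0:          # EOOL: remainder of the area is padding
            options.append((opt_type, 1))
            break
        if opt_type == 1:          # NOP: single byte, no length field
            options.append((opt_type, 1))
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError(f"option {opt_type} missing its length byte")
        opt_len = area[i + 1]
        if opt_len < 2 or i + opt_len > len(area):
            raise ValueError(f"option {opt_type} has invalid length {opt_len}")
        options.append((opt_type, opt_len))
        i += opt_len

    return {
        "ihl": ihl, "header_len": header_len, "has_options": ihl > 5,
        "options": options, "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }


def summarize(packets) -> dict:
    """Tally plain, option-bearing and malformed packets, plus counts per option type."""
    summary = {"total": 0, "plain": 0, "with_options": 0, "malformed": 0, "by_type": {}}
    for pkt in packets:
        summary["total"] += 1
        try:
            hdr = parse_ipv4_header(pkt)
        except ValueError:
            summary["malformed"] += 1
            continue
        if not hdr["has_options"]:
            summary["plain"] += 1
            continue
        summary["with_options"] += 1
        for opt_type, _ in hdr["options"]:
            if opt_type in (0, 1):   # padding, not an option a router acts on
                continue
            name = OPTION_NAMES.get(opt_type, f"type-{opt_type}")
            summary["by_type"][name] = summary["by_type"].get(name, 0) + 1
    return summary


def build_ipv4(src: str, dst: str, options: bytes = b"", proto: int = 17) -> bytes:
    """Constructed demo helper: header only, checksum left zero, options padded to 32 bits."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0x4000,
                      64, proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + options


# Constructed sample traffic (addresses from the RFC 5737 documentation ranges)
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "198.51.100.1"),                                   # no options
    build_ipv4("192.0.2.11", "198.51.100.1", b"\x94\x04\x00\x00", proto=2),     # Router Alert (IGMP-style)
    build_ipv4("192.0.2.12", "198.51.100.1", b"\x07\x07\x04\x00\x00\x00\x00"),  # Record Route + EOOL pad
    build_ipv4("192.0.2.13", "198.51.100.1", b"\x01\x01\x07\x03\x04"),          # NOP NOP RR (minimal)
    build_ipv4("192.0.2.14", "198.51.100.1", b"\x83\x09\x04"),                  # LSRR length overruns header
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

Run against a real capture, the `by_type` tally tells you whether the option-bearing traffic is the flood described above (typically a single option type at very high rate, or a large malformed share) or the small, steady trickle of Router Alert packets that multicast and RSVP signalling need; in the latter case the drop still applies, so plan for it.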