# 3.2.5 Ensure broadcast ICMP requests are ignored
#
# Description
# ===========
# Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the
# system to ignore all ICMP echo and timestamp requests to broadcast
# and multicast addresses.
#
# Rationale
# =========
# Accepting ICMP echo and timestamp requests with broadcast or multicast
# destinations for your network could be used to trick your host into starting
# (or participating in) a Smurf attack. A Smurf attack relies on an attacker
# sending large amounts of ICMP broadcast messages with a spoofed source
# address. All hosts receiving this message and responding would send
# echo-reply messages back to the spoofed address, which is probably not
# routable. If many hosts respond to the packets, the amount of traffic on
# the network could be significantly multiplied.
#
# Audit
# =====
#
# Run the following command and verify the output matches:
#
# # sysctl net.ipv4.icmp_echo_ignore_broadcasts
# net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Remediation
# ===========
#
# Set the following parameter in the /etc/sysctl.conf file:
#
# net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# # sysctl -w net.ipv4.route.flush=1

parameters:
  linux:
    system:
      kernel:
        sysctl:
          net.ipv4.icmp_echo_ignore_broadcasts: 1
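The audit and remediation steps above check two different things: the value the running kernel currently uses (what `sysctl key` prints, backed by /proc/sys) and the value that will be applied at boot (the last uncommented assignment in /etc/sysctl.conf). `sysctl -w` only changes the former, so a host can pass the live audit and still regress on reboot. The following shell script is an added example, not part of this baseline file or the CIS benchmark: it audits both places for net.ipv4.icmp_echo_ignore_broadcasts. The function names, the `SAMPLE_CONF` file and its contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit helpers for net.ipv4.icmp_echo_ignore_broadcasts.
# Function names and sample data below are constructed, not from the baseline.

# check_sysctl_line "<line>" "<key>" "<expected>"
# Parses one line in the "key = value" format printed by sysctl (and used in
# sysctl.conf) and returns 0 when the key matches and the value equals expected.
check_sysctl_line() {
    line=$1; key=$2; expected=$3
    got_key=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*$//')
    got_val=$(printf '%s\n' "$line" | sed 's/^.*=[[:space:]]*//; s/[[:space:]]*$//')
    [ "$got_key" = "$key" ] && [ "$got_val" = "$expected" ]
}

# audit_running_kernel "<key>" "<expected>"
# Reads the active value from /proc/sys, which is what `sysctl key` reports.
# Returns 0 when compliant, 1 when not, 2 when the key is unavailable
# (non-Linux host, or a sandbox without /proc/sys).
audit_running_kernel() {
    key=$1; expected=$2
    path="/proc/sys/$(printf '%s' "$key" | tr . /)"
    [ -r "$path" ] || return 2
    check_sysctl_line "$key = $(cat "$path")" "$key" "$expected"
}

# audit_sysctl_conf "<file>" "<key>" "<expected>"
# Checks the persistent setting. sysctl -p applies the file top to bottom, so
# the last uncommented assignment wins; commented-out lines are ignored.
# Returns 0 when compliant, 1 when missing or wrong, 2 when the file is unreadable.
audit_sysctl_conf() {
    file=$1; key=$2; expected=$3
    [ -r "$file" ] || return 2
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for grep -E
    last=$(grep -E "^[[:space:]]*${key_re}[[:space:]]*=" "$file" | tail -n 1)
    [ -n "$last" ] || return 1
    check_sysctl_line "$last" "$key" "$expected"
}

KEY=net.ipv4.icmp_echo_ignore_broadcasts

# Constructed sample of an /etc/sysctl.conf; it is not any real host's file.
# The commented line must be ignored and the later "= 1" must override "= 0".
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
net.ipv4.ip_forward = 0
#net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF

report() {
    case $2 in
        0) echo "$1: compliant ($KEY = 1)" ;;
        1) echo "$1: NOT compliant ($KEY is not 1)" ;;
        *) echo "$1: not checkable here" ;;
    esac
}

audit_running_kernel "$KEY" 1; report "running kernel" $?
audit_sysctl_conf "$SAMPLE_CONF" "$KEY" 1; report "sample sysctl.conf" $?
```

To audit a real host, call `audit_sysctl_conf /etc/sysctl.conf "$KEY" 1` instead of the sample file; on distributions that also load /etc/sysctl.d/*.conf, run the same check over each file in that directory, since a later file can override /etc/sysctl.conf.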