|
- # 3.2.5 Ensure broadcast ICMP requests are ignored
- #
- # Description
- # ===========
- # Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the
- # system to ignore all ICMP echo and timestamp requests to broadcast
- # and multicast addresses.
- #
- # Rationale
- # =========
- # Accepting ICMP echo and timestamp requests with broadcast or multicast
- # destinations for your network could be used to trick your host into starting
- # (or participating) in a Smurf attack. A Smurf attack relies on an attacker
- # sending large amounts of ICMP broadcast messages with a spoofed source
- # address. All hosts receiving this message and responding would send
- # echo-reply messages back to the spoofed address, which is probably not
- # routable. If many hosts respond to the packets, the amount of traffic on
- # the network could be significantly multiplied.
- #
- # Audit
- # =====
- #
- # Run the following commands and verify output matches:
- #
- # # sysctl net.ipv4.icmp_echo_ignore_broadcasts
- # net.ipv4.icmp_echo_ignore_broadcasts = 1
- #
- # Remediation
- # ===========
- #
- # Set the following parameter in the /etc/sysctl.conf file:
- #
- # net.ipv4.icmp_echo_ignore_broadcasts = 1
- #
- # Run the following commands to set the active kernel parameters:
- #
- # # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
- # # sysctl -w net.ipv4.route.flush=1
-
- parameters:
- linux:
- system:
- kernel:
- sysctl:
- net.ipv4.icmp_echo_ignore_broadcasts: 1
|
