4.2.2 bcastping

Information

The bcastping parameter determines whether the system responds to ICMP echo packets sent to the broadcast address.

Rationale:

The bcastping parameter will be set to 0. This means that the system will not respond to ICMP packets sent to the broadcast address. By default, when this is enabled the system is susceptible to smurf attacks, where a hacker utilizes this tool to send a small number of ICMP echo packets. These packets can generate huge numbers of ICMP echo replies and seriously affect the performance of the targeted host and network. This parameter will be disabled to ensure protection from this type of attack.

Solution

In /etc/tunables/nextboot, add the bcastping entry:

no -p -o bcastping=0

This makes the change permanent by adding the entry into /etc/tunables/nextboot

Default Value:

1

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Unix

Control ID: 5184238f5a240acf124914cb5d4e6fef693534e244bde1b5066c1e1d1e73d2c6