7.2.2 Disable ICMP Redirect Acceptance - 'net.ipv4.conf.default.accept_redirects = 0'

Information

ICMP redirect messages are packets that convey routing information and tell your host
(acting as a router) to send packets via an alternate path. It is a way of allowing an outside
routing device to update your system routing tables. By setting
net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect
messages, and therefore, won't allow outsiders to update the system's routing tables.

*Rationale*

Attackers could use bogus ICMP redirect messages to maliciously alter the system routing
tables and get them to send packets to incorrect networks and allow your system packets
to be captured.

Solution

Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects
parameters to 0 in /etc/sysctl.conf-
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

Modify active kernel parameters to match-# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
# /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
# /sbin/sysctl -w net.ipv4.route.flush=1

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: Unix

Control ID: 6f1e3c49b6cbd20909a7da9d599d74d00e4b45c64e189e06d93c6a73b9374b72