3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_source_route' (sysctl.conf/sysctl.d)

Information

In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used. Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing.

Solution

Set the following parameters in the /etc/sysctl.conf file: net.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0# sysctl -w net.ipv4.conf.default.accept_source_route=0# sysctl -w net.ipv4.route.flush=1

See Also

https://workbench.cisecurity.org/files/1866

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|11

Plugin: Unix

Control ID: 1fb6beed77e529413f2805cd68fdaea9b48ac5068a63ab60869581ae803a2683