Profile Applicability:
 • Level 1

Description:
 Bogus ICMP responses, such as ICMP redirect messages from unauthorized sources, can be exploited to mislead network routing and redirect traffic maliciously. Configuring the system to ignore such responses enhances network security.

Rationale:
 Ignoring bogus ICMP responses prevents attackers from manipulating network paths, reducing the risk of man-in-the-middle attacks and traffic interception.

Impact:
 Pros:

  • Protects against malicious network traffic redirection.

  • Enhances the integrity of routing decisions.

 Cons:

  • May impact legitimate ICMP-based network functions in certain environments.

Default Value:
 Systems may accept all ICMP responses by default unless configured otherwise.

Pre-requisites:

  • Root or sudo privileges to modify network parameters.

Remediation:

Test Plan:

Using Linux command line:

1. Check current settings for ignoring bogus ICMP responses (the keys below govern acceptance of source-routed packets):

sysctl net.ipv4.conf.all.accept_source_route
sysctl net.ipv4.conf.default.accept_source_route

2. Confirm both values are set to 0 (disabled).

Implementation Plan:

Using Linux command line:

1. Disable acceptance of source-routed packets:

sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0

2. Persist settings by adding to /etc/sysctl.conf or a file in /etc/sysctl.d/:

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

3. Reload sysctl settings:

sysctl -p
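
The Test Plan checks only the running kernel, so a value set with sysctl -w but never persisted passes until the next reboot. The script below is an added example, not part of the original benchmark text, that audits the runtime value and the persisted configuration together. The ROOT prefix argument, the function names and the file name audit.sh are assumptions made for illustration, and the file order it reads (/etc/sysctl.d/*.conf, then /etc/sysctl.conf) is a simplification.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit accept_source_route at
# runtime and in persisted config. ROOT is a hypothetical path prefix
# ("" = live system) so the check can run against a constructed tree.

# persisted_value ROOT KEY: print the last value assigned to KEY in
# ROOT/etc/sysctl.d/*.conf, then ROOT/etc/sysctl.conf (later lines win).
# Assumption: keys are written with "." separators, as on this page.
persisted_value() {
    root=$1 key=$2
    for f in "$root"/etc/sysctl.d/*.conf "$root"/etc/sysctl.conf; do
        if [ -f "$f" ]; then cat "$f"; fi
    done |
        sed -e '/^[[:space:]]*[#;]/d' -e 's/[[:space:]]//g' |
        awk -F= -v k="$key" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# audit_source_route ROOT: return 0 only when "all" and "default" are 0
# both in the running kernel and in the persisted configuration.
audit_source_route() {
    root=$1 rc=0
    for scope in all default; do
        key="net.ipv4.conf.$scope.accept_source_route"
        run=$(cat "$root/proc/sys/net/ipv4/conf/$scope/accept_source_route" 2>/dev/null) || run=""
        cfg=$(persisted_value "$root" "$key")
        if [ "$run" = 0 ] && [ "$cfg" = 0 ]; then
            echo "PASS $key runtime=0 persisted=0"
        else
            echo "FAIL $key runtime=${run:-unreadable} persisted=${cfg:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Audit the live system only when asked, e.g.: sh audit.sh --live
# (audit.sh is a hypothetical file name for this script).
if [ "${1:-}" = "--live" ]; then audit_source_route ""; fi
```

sysctl -p without a file argument loads only /etc/sysctl.conf; settings placed in /etc/sysctl.d/ are loaded by sysctl --system.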


Backout Plan:

Using Linux command line:

1. Re-enable acceptance of source-routed packets if necessary:

sysctl -w net.ipv4.conf.all.accept_source_route=1
sysctl -w net.ipv4.conf.default.accept_source_route=1

2. Update configuration files accordingly and reload sysctl.
