Profile Applicability:
 • Level 1

Description:
 Broadcast ICMP requests can be exploited in denial-of-service (DoS) attacks by amplifying network traffic. Configuring the system to ignore these requests helps prevent such attacks and enhances network security.

Rationale:
 Ignoring broadcast ICMP requests mitigates the risk of amplification attacks and reduces unnecessary network traffic processing.

Impact:
 Pros:

  • Protects against DoS attacks leveraging broadcast ICMP.

  • Improves overall network resilience.

 Cons:

  • May affect legitimate network diagnostics if broadcast ICMP is required.

Default Value:
 Broadcast ICMP requests are often accepted by default unless explicitly disabled.

Pre-requisites:

  • Root or sudo privileges to modify system network parameters.

Remediation:

Test Plan:

Using Linux command line:

1. Check current setting for ignoring broadcast ICMP requests:

sysctl net.ipv4.icmp_echo_ignore_broadcasts

2. Confirm the value is set to 1 (enabled, meaning broadcast ICMP echo requests are ignored).

Implementation Plan:

Using Linux command line:

1. Enable ignoring of broadcast ICMP requests temporarily:

sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

2. Persist the setting by adding the following to /etc/sysctl.conf or a file in /etc/sysctl.d/:

net.ipv4.icmp_echo_ignore_broadcasts = 1

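3. Reload sysctl settings (sysctl -p reads only /etc/sysctl.conf; if the setting was added to a file in /etc/sysctl.d/, run sysctl --system instead):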

sysctl -p
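
An added example (not part of the original benchmark text): a POSIX shell audit that extends the Test Plan check by comparing the running value with the value persisted in the files from step 2, where a later assignment can override an earlier one. The function names and the --live switch are assumptions made for this example.

```shell
#!/bin/sh
KEY="net.ipv4.icmp_echo_ignore_broadcasts"

# Print the last value assigned to key $1 across the sysctl-style files $2...
# Files are read in the order given, so a later assignment overrides an earlier one.
persisted_value() {
    key=$1; shift
    last=""
    for f in "$@"; do
        [ -r "$f" ] || continue   # also skips an unexpanded glob
        v=$(awk -v key="$key" '
            /^[ \t]*[#;]/ { next }                      # comment line
            {
                i = index($0, "="); if (i == 0) next
                k = substr($0, 1, i - 1); v = substr($0, i + 1)
                gsub(/[ \t]/, "", k); sub(/^-/, "", k)  # "-key" = ignore errors
                gsub(/\//, ".", k)                      # net/ipv4/... form
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (k == key) val = v
            }
            END { if (val != "") print val }' "$f")
        if [ -n "$v" ]; then last=$v; fi
    done
    printf '%s\n' "$last"
}

# Report runtime ($1 = procfs file) and persisted ($2... = config files) values.
# Returns 0 only when both are 1; a mismatch means the fix will not survive
# a reboot, or that a later file undoes it.
audit_icmp_broadcast() {
    proc_file=$1; shift
    runtime=$(cat "$proc_file" 2>/dev/null) || runtime=""
    persisted=$(persisted_value "$KEY" "$@")
    echo "runtime=${runtime:-unknown} persisted=${persisted:-unset}"
    [ "$runtime" = "1" ] && [ "$persisted" = "1" ]
}

# Check the live system only when invoked with --live.
# Assumption: only the two locations named above are searched, in the order
# sysctl --system applies them (/etc/sysctl.d/*.conf, then /etc/sysctl.conf).
if [ "${1:-}" = "--live" ]; then
    audit_icmp_broadcast /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \
        /etc/sysctl.d/*.conf /etc/sysctl.conf
fi
```

A non-zero exit status with runtime=1 and persisted=unset indicates that only step 1 was applied and the setting will be lost at reboot.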

Backout Plan:

Using Linux command line:

1. Disable ignoring broadcast ICMP requests if necessary:

sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0

2. Update configuration files accordingly and reload sysctl.

References: