Profile Applicability:
• Level 1
Description:
Broadcast ICMP echo requests can be abused in denial-of-service (DoS) amplification attacks, because a single request sent to a broadcast address draws a reply from every host on the segment. Configuring the system to ignore these requests keeps it from taking part in such attacks and improves network security.
Rationale:
Ignoring broadcast ICMP requests mitigates the risk of amplification attacks and reduces unnecessary network traffic processing.
Impact:
Pros:
Protects against DoS attacks leveraging broadcast ICMP.
Improves overall network resilience.
Cons:
May affect legitimate network diagnostics if broadcast ICMP is required.
Default Value:
Broadcast ICMP requests are often accepted by default unless explicitly disabled.
Pre-requisites:
Root or sudo privileges to modify system network parameters.
Remediation:
Test Plan:
Using Linux command line:
1. Check current setting for ignoring broadcast ICMP requests:
sysctl net.ipv4.icmp_echo_ignore_broadcasts
2. Confirm the value is set to 1 (enabled).
Implementation Plan:
Using Linux command line:
1. Enable ignoring of broadcast ICMP requests temporarily:
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
2. Persist the setting by adding the following to /etc/sysctl.conf or a file in /etc/sysctl.d/:
net.ipv4.icmp_echo_ignore_broadcasts = 1
3. Reload sysctl settings:
sysctl -p
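The test plan and implementation plan above can be combined into one audit-and-remediate script. The following is an added example, not part of the CIS benchmark or of any vendor tooling; the function names and the drop-in file name /etc/sysctl.d/60-icmp-broadcast.conf are this example's own assumptions. The check reads the live kernel value from /proc so it works without the sysctl binary, and the remediation reloads with `sysctl --system` rather than `sysctl -p`, since `sysctl -p` with no argument reads only /etc/sysctl.conf and would not pick up a file placed in /etc/sysctl.d/.

```shell
#!/bin/sh
# Added example: audit and remediate net.ipv4.icmp_echo_ignore_broadcasts.
# Not from the benchmark; function names and DROPIN path are assumptions.
set -u

PARAM="net.ipv4.icmp_echo_ignore_broadcasts"
PROC_PATH="/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
DROPIN="${DROPIN:-/etc/sysctl.d/60-icmp-broadcast.conf}"   # assumed file name

# Pure check: takes a value string (as read from sysctl or /proc) and
# returns 0 when it is exactly "1" (compliant), 1 otherwise.
icmp_broadcast_compliant() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the value part of a "key = value" line as printed by sysctl.
sysctl_value_from_line() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*=[[:space:]]*//p'
}

# Read the running kernel value; prefers /proc, falls back to sysctl -n.
# Prints nothing if the parameter cannot be read (non-Linux host).
read_live_value() {
    if [ -r "$PROC_PATH" ]; then
        cat "$PROC_PATH"
    elif command -v sysctl >/dev/null 2>&1; then
        sysctl -n "$PARAM" 2>/dev/null
    fi
}

# Audit step of the test plan: report PASS/FAIL and return 0/1 (2 if unreadable).
audit_icmp_broadcast() {
    val="$(read_live_value)"
    if [ -z "$val" ]; then
        echo "AUDIT: cannot read $PARAM (not Linux, or no permission)"
        return 2
    fi
    if icmp_broadcast_compliant "$val"; then
        echo "AUDIT: PASS  $PARAM = $val"
        return 0
    fi
    echo "AUDIT: FAIL  $PARAM = $val (expected 1)"
    return 1
}

# Implementation plan: set the running value, persist it in a drop-in file,
# reload all sysctl sources, then re-audit. Requires root.
remediate_icmp_broadcast() {
    sysctl -w "$PARAM=1" || return 1
    printf '%s = 1\n' "$PARAM" > "$DROPIN" || return 1
    # --system reads /etc/sysctl.d/*.conf as well as /etc/sysctl.conf
    sysctl --system >/dev/null || return 1
    audit_icmp_broadcast
}

# Usage: sh icmp_bcast.sh audit   |   sudo sh icmp_bcast.sh remediate
case "${1:-}" in
    audit)     audit_icmp_broadcast ;;
    remediate) remediate_icmp_broadcast ;;
esac
```

Run the audit as an unprivileged user to verify the control; the remediate action needs root because it writes to /etc/sysctl.d/ and changes the live kernel parameter. The pure `icmp_broadcast_compliant` function is kept separate from the I/O so the compliance rule can be exercised on constructed input without touching the host.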
Backout Plan:
Using Linux command line:
1. Disable ignoring broadcast ICMP requests if necessary:
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0
2. Update configuration files accordingly and reload sysctl.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Linux sysctl Documentation