Profile Applicability:
 • Level 1

Description:
 ICMP redirect messages inform a host of a better route for sending packets. Accepting these redirects can allow attackers to manipulate network traffic and launch man-in-the-middle attacks. Disabling acceptance of ICMP redirects enhances network security.

Rationale:
 Rejecting ICMP redirects helps prevent malicious rerouting of traffic and protects against network-based attacks.

Impact:
 Pros:

  • Mitigates risk of man-in-the-middle and traffic interception attacks.

  • Enhances the integrity of network routing.

 Cons:

  • May disrupt legitimate network routing in some environments.

Default Value:
 Many systems accept ICMP redirects by default.

Pre-requisites:

  • Root or sudo privileges to modify system network settings.

Remediation:

Test Plan:

Using Linux command line:

1. Check current settings for ICMP redirect acceptance:

sysctl net.ipv4.conf.all.accept_redirects  
sysctl net.ipv4.conf.default.accept_redirects

2. Confirm both values are set to 0 (disabled).
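The check above reads only the "all" and "default" keys. Per the kernel's ip-sysctl documentation, an interface with forwarding disabled accepts redirects if either conf/all or its own conf/<interface> value is 1, and "default" applies only to interfaces created later. The following audit is an added example, not part of the benchmark text; the function names effective_accept and audit_redirects and the "live" argument are hypothetical, and the conf directory is a parameter so the logic can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: report interfaces on which the kernel would still accept
# ICMP redirects, using the rule from the kernel's ip-sysctl documentation:
#   forwarding enabled  -> conf/all AND conf/<iface> must both be 1
#   forwarding disabled -> conf/all OR  conf/<iface> being 1 is enough

# effective_accept <conf_root> <iface>: print 1 if redirects are accepted, else 0
effective_accept() {
    root=$1 ifc=$2
    all=$(cat "$root/all/accept_redirects")
    own=$(cat "$root/$ifc/accept_redirects")
    fwd=$(cat "$root/$ifc/forwarding")
    if [ "$fwd" -eq 1 ]; then
        if [ "$all" -eq 1 ] && [ "$own" -eq 1 ]; then echo 1; else echo 0; fi
    else
        if [ "$all" -eq 1 ] || [ "$own" -eq 1 ]; then echo 1; else echo 0; fi
    fi
}

# audit_redirects [conf_root]: print non-compliant entries, return 1 if any
audit_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    bad=""
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        ifc=$(basename "$dir")
        case $ifc in
            all) continue ;;   # folded into each interface's effective value
            default)           # template for interfaces created later
                [ "$(cat "$dir/accept_redirects")" -eq 0 ] || bad="$bad default"
                continue ;;
        esac
        [ "$(effective_accept "$root" "$ifc")" -eq 0 ] || bad="$bad $ifc"
    done
    echo "${bad# }"
    [ -z "$bad" ]
}

# Audit the running system when invoked with "live" as the first argument.
if [ "${1:-}" = "live" ]; then audit_redirects; fi
```

Any interface name it prints needs net.ipv4.conf.<interface>.accept_redirects set to 0 as well.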

Implementation Plan:

Using Linux command line:

1. Disable acceptance of ICMP redirects temporarily:

sysctl -w net.ipv4.conf.all.accept_redirects=0  
sysctl -w net.ipv4.conf.default.accept_redirects=0

2. Persist the settings by adding them to /etc/sysctl.conf or a file in /etc/sysctl.d/:

net.ipv4.conf.all.accept_redirects = 0  
net.ipv4.conf.default.accept_redirects = 0

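3. Reload sysctl settings. sysctl -p with no file argument reads only /etc/sysctl.conf; sysctl --system also loads the files in /etc/sysctl.d/:

sysctl --system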

Backout Plan:

Using Linux command line:

1. Re-enable acceptance of ICMP redirects if necessary:

sysctl -w net.ipv4.conf.all.accept_redirects=1  
sysctl -w net.ipv4.conf.default.accept_redirects=1

2. Update configuration files accordingly and reload sysctl.

References: