Detections
Analytics

3.3.1.7 Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured

Information

net.ipv4.icmp_echo_ignore_broadcasts controls if all ICMP echo and timestamp requests to broadcast and multicast addresses are ignored.

More information about the kernel parameter configuration files, their location, and load preference is available in the "Configure Network Kernel Parameters" section overview.

Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied.

Solution

- Run the following command to comment out net.ipv4.icmp_echo_ignore_broadcasts lines returned by the audit procedure that are not net.ipv4.icmp_echo_ignore_broadcasts = 1 :

# sed -ri '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*0/s/^/#/g' \
"path/to/file/in/audit/filename"

Example:

# sed -ri '/^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*0/s/^/#/g' \
/etc/sysctl.d/99-sysctl.conf
 - Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.d/60-ipv4_sysctl.conf
 - Run the following command to load all sysctl configuration files:

# sysctl --system

See Also

https://workbench.cisecurity.org/benchmarks/25279

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CCI|CCI-000366, CSCv7|9.2, Rule-ID|SV-230537r1017299_rule, Rule-ID|SV-248878r991589_rule, Rule-ID|SV-257966r991589_rule, Rule-ID|SV-269248r1050130_rule, Rule-ID|SV-271873r1092331_rule

Plugin: Unix

Control ID: 95c9168739cdd37b5d7176d54757cc42cc6dd33f7976bad50a364f56f1d77cb9