3.6 Ensure ICMP Redirects are set to disabled (on all untrusted IPv4 networks)

Information

The Routing Engine should not send ICMP Redirect Messages.

Rationale:

ICMP Redirect messages provide a method for a router to communicate routing information to a host; they are intended for use when a router receives packets to forward to a destination to which the host should have a direct route. In a well-designed, modern network, ICMP Redirects should not be needed and add no useful functionality.

An attacker may abuse this feature to obtain topology information about a target network and potentially identify weaknesses for later exploitation, or to target the router and hosts with Denial of Service (DoS) or Man-in-the-Middle (MITM) attacks.

To prevent this abuse, ICMP Redirect message generation should be disabled globally where it is not required, as discussed in Recommendation 6.15.10 Ensure ICMP Redirects are Disabled for IPv4. Where this is not possible, ICMP Redirects can be disabled on a per-interface basis and should be disabled for all untrusted networks, such as the Internet, and for subnets where this functionality is not required.

Impact:

In some networks, for instance where subnets populated by hosts include multiple non-redundant gateways, removing redirects may result in traffic being doubled on some gateway interfaces, because traffic is received and then forwarded out of the same port.

Solution

To disable ICMP Redirect message generation on an untrusted network interface, issue the following command from the [edit interfaces] hierarchy (use family inet for IPv4):

[edit interfaces]
user@host# set <interface name> unit <unit number> family <address family> no-redirects
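As an added example, not part of the original benchmark text, the following Python script audits a Junos configuration exported with "show configuration | display set" for this control. It reports every untrusted logical interface whose family inet unit does not carry no-redirects, and treats the global knob (assumed here to be "set system no-redirects", the global form referred to under Recommendation 6.15.10) as satisfying the control for all interfaces. The configuration lines and the list of untrusted interfaces are constructed sample data; the interface names and addresses are illustrative only.

```python
"""Audit a Junos 'display set' configuration dump for ICMP Redirect generation
on untrusted interfaces (per-unit 'family inet no-redirects').

Added example: not code from the benchmark or from Juniper.
"""
import re
from typing import Dict, List, Tuple

# Per-unit family statements, e.g.
#   set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.1/30
#   set interfaces ge-0/0/0 unit 0 family inet no-redirects
_UNIT_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) "
    r"family (?P<family>inet6?) (?P<rest>.+)$"
)
# Global statement that disables redirect generation router-wide
# (assumed Junos syntax; the per-interface form is the one the benchmark shows).
_GLOBAL_RE = re.compile(r"^set system no-redirects$")

# Constructed sample: an Internet uplink with redirects still enabled,
# a second untrusted link already fixed, and an internal (trusted) link.
WEAK_CONFIG = """\
set interfaces ge-0/0/0 description "Internet uplink"
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.1/30
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::1/64
set interfaces ge-0/0/1 description "DMZ"
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/1 unit 0 family inet no-redirects
set interfaces ge-0/0/2 description "Internal LAN"
set interfaces ge-0/0/2 unit 0 family inet address 192.0.2.1/24
"""
# The benchmark's remediation applied to the failing unit.
FIXED_CONFIG = WEAK_CONFIG + "set interfaces ge-0/0/0 unit 0 family inet no-redirects\n"
# Interfaces the operator has classified as facing untrusted networks.
UNTRUSTED = {"ge-0/0/0", "ge-0/0/1"}


def parse_units(config: str) -> Tuple[bool, Dict[Tuple[str, int, str], bool]]:
    """Return (global_disabled, {(ifd, unit, family): has_no_redirects})."""
    global_disabled = False
    units: Dict[Tuple[str, int, str], bool] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if _GLOBAL_RE.match(line):
            global_disabled = True
            continue
        m = _UNIT_RE.match(line)
        if not m:
            continue
        key = (m["ifd"], int(m["unit"]), m["family"])
        units.setdefault(key, False)          # unit seen; assume redirects on
        if m["rest"] == "no-redirects":
            units[key] = True                 # explicit per-unit disable
    return global_disabled, units


def audit_no_redirects(config: str, untrusted, family: str = "inet") -> List[str]:
    """Return 'ifd.unit' names on untrusted IFDs that still generate redirects
    for the given address family. Empty list means the control passes."""
    global_disabled, units = parse_units(config)
    if global_disabled:
        return []                             # global setting covers every unit
    findings = []
    for (ifd, unit, fam), disabled in sorted(units.items()):
        if fam == family and ifd in untrusted and not disabled:
            findings.append(f"{ifd}.{unit}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = audit_no_redirects(cfg, UNTRUSTED)
        status = "PASS" if not findings else "FAIL: " + ", ".join(findings)
        print(f"{label}: {status}")
```

Only the IPv4 family is checked by default because that is the scope of this recommendation; pass family="inet6" to run the same check against IPv6 units. The script deliberately ignores interfaces outside the untrusted set so that the "where this functionality is not required" judgement stays with the operator rather than the tool.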

Default Value:

By default, ICMP Redirect messages are generated.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv7|12

Plugin: Juniper

Control ID: 80fe85789c2be75ebad0f9128799ec29568702131264e489587f5adfb3c1269f