GEN000000-AIX0210 - The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections.


The ICMP attacks may be of the form of ICMP source quench attacks and Path MTU Discovery (PMTUD) attacks. If this network option tcp_icmpsecure is turned on, the system does not react to ICMP source quench messages. This will protect against ICMP source quench attacks. The payload of the ICMP message is tested to determine if the sequence number of the TCP header portion of the payload is within the range of acceptable sequence numbers. This will mitigate PMTUD attacks to a large extent.


Set the tcp_icmpsecure parameter to 1.
# /usr/sbin/no -p -o tcp_icmpsecure=1

See Also

Item Details


References: 800-53|AC-4(8), CAT|II, CCI|CCI-000032, Rule-ID|SV-38700r1_rule, STIG-ID|GEN000000-AIX0210, Vuln-ID|V-29496

Plugin: Unix

Control ID: b9973140871447ece8c25967d8365d2abb1afba808e6a5150e2196c39c73a06c