GEN000000-AIX0210 - The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections.

Information

The ICMP attacks may be of the form of ICMP source quench attacks and Path MTU Discovery (PMTUD) attacks. If this network option tcp_icmpsecure is turned on, the system does not react to ICMP source quench messages. This will protect against ICMP source quench attacks. The payload of the ICMP message is tested to determine if the sequence number of the TCP header portion of the payload is within the range of acceptable sequence numbers. This will mitigate PMTUD attacks to a large extent.

Solution

Set the tcp_icmpsecure parameter to 1.
# /usr/sbin/no -p -o tcp_icmpsecure=1

See Also

http://iasecontent.disa.mil/stigs/zip/U_STIG_Library_2015_07.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4(8), CAT|II, CCI|CCI-000032, Rule-ID|SV-38700r1_rule, STIG-ID|GEN000000-AIX0210, Vuln-ID|V-29496

Plugin: Unix

Control ID: b9973140871447ece8c25967d8365d2abb1afba808e6a5150e2196c39c73a06c