Oct 24th, 2009
Disable ICMP Redirect and Enable IP Spoofing Protection
Disable ICMP Redirect and Enable IP Spoofing Protection
ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server.
However, an intruder could potentially use ICMP redirect packets to alter the hosts’s routing table by causing traffic to use a path you didn’t intend.
To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv6.conf.all.accept_redirects = 0
Enable IP Spoofing Protection
IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks.
To enable IP Spoofing Protection, turn on Source Address Verification.
Edit the /etc/sysctl.conf file and add the following line: