Sending and accepting ICMP Redirects are enabled by default on most Linux flavours, including Debian, Ubuntu, Red Hat Enterprise Linux and SUSE Linux.
While ICMP Redirects are not a very efficient way of updating a host's routing table with a more optimal route to a destination, they do raise serious security concerns: an attacker can send maliciously crafted ICMP Redirect messages and cause a denial of service on the network.
If ICMP Redirects are not used in the network for route updates, and if the server is not acting as a router or gateway (the only case in which sending redirects is needed), then both sending and accepting ICMP Redirects should be disabled on the server.
In most Linux flavours (tested on Debian, Ubuntu, Red Hat Enterprise Linux and SUSE), ICMP Redirects can be disabled dynamically on the host by either of two methods:
1. Using the /sbin/sysctl utility, which modifies kernel parameters at runtime.
Log in as root and run the following commands to disable ICMP Redirect send and accept (note that sysctl does not allow spaces around the "="):
Server# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
Server# /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.all.send_redirects=0
The above disables ICMP Redirects globally on the server. If you want to disable them on a per-interface basis instead, use the interface name (say "eth0") in place of "all" in the commands above:
Server# /sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects=0
Server# /sbin/sysctl -w net.ipv4.conf.eth0.send_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.eth0.accept_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.eth0.send_redirects=0
This disables ICMP Redirects immediately.
An even simpler option is
2. Writing the appropriate value (0 or 1) directly to the /proc/sys files behind the same kernel variables:
Server# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects [for IPv4]
Server# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects [for IPv4]
Server# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects [for IPv6]
Server# echo 0 > /proc/sys/net/ipv6/conf/all/send_redirects [for IPv6]
Again, this can be done on a per-interface basis:
Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects [for IPv4]
Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects [for IPv4]
Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_redirects [for IPv6]
Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/send_redirects [for IPv6]
However, kernel changes made at runtime are lost when the system reboots, so they must also be applied at boot time to keep the server secure.
ICMP REDIRECT DISABLE AT BOOT TIME
In order to disable ICMP Redirects at boot time:
1. Edit the /etc/sysctl.conf file and add the following lines.
In Debian and Ubuntu Linux:
net/ipv4/conf/all/accept_redirects = 0 [for IPv4]
net/ipv4/conf/all/send_redirects = 0 [for IPv4]
net/ipv6/conf/all/accept_redirects = 0 [for IPv6]
net/ipv6/conf/all/send_redirects = 0 [for IPv6]
Again, if you want to control ICMP redirects on a per interface basis then add the following lines (say for eth0):
net/ipv4/conf/eth0/accept_redirects = 0 [for IPv4]
net/ipv4/conf/eth0/send_redirects = 0 [for IPv4]
net/ipv6/conf/eth0/accept_redirects = 0 [for IPv6]
net/ipv6/conf/eth0/send_redirects = 0 [for IPv6]
In Redhat Enterprise Linux and Suse:
net.ipv4.conf.all.accept_redirects = 0 [for IPv4]
net.ipv4.conf.all.send_redirects = 0 [for IPv4]
net.ipv6.conf.all.accept_redirects = 0 [for IPv6]
net.ipv6.conf.all.send_redirects = 0 [for IPv6]
Again, if you want to control ICMP redirects on a per interface basis then add the following lines (say for eth0):
net.ipv4.conf.eth0.accept_redirects = 0 [for IPv4]
net.ipv4.conf.eth0.send_redirects = 0 [for IPv4]
net.ipv6.conf.eth0.accept_redirects = 0 [for IPv6]
net.ipv6.conf.eth0.send_redirects = 0 [for IPv6]
This allows /etc/sysctl.conf to be read by the /sbin/sysctl utility at startup.
NOTE: In Debian and Ubuntu, these settings are overridden by any options set in /etc/network/options, because the /etc/init.d/networking script, which applies the kernel parameters from /etc/network/options at boot time, runs after the /etc/init.d/procps script, which applies the values from /etc/sysctl.conf. It is advisable to make all changes in /etc/sysctl.conf rather than in /etc/network/options, as the latter is being deprecated.
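Setting conf/all alone does not guarantee that redirects are off for IPv4: the kernel combines conf/all with each interface's own value (for accept_redirects, OR when forwarding is off and AND when it is on; for send_redirects, OR), so an interface left at its default of 1 on a non-forwarding host still accepts redirects. The audit script below is an added example, not part of this tutorial; it assumes the standard /proc/sys layout and accepts an alternative root directory so it can be exercised against a constructed tree.

```sh
#!/bin/sh
# Added audit helper, not part of the original tutorial. Reports the
# effective IPv4 redirect state per interface using the kernel's rule
# for combining conf/all with conf/<iface>:
#   accept: forwarding off -> all OR iface; forwarding on -> all AND iface
#   send:   all OR iface
# $1 is the sysctl tree root (default /proc/sys); the constructed demo
# tree at the bottom lets the script run on any machine.

knob() { if [ -r "$1" ]; then cat "$1"; else echo 0; fi; }   # missing -> 0

# effective_state ROOT IFACE  -> prints "IFACE accept=A send=S"
effective_state() {
    conf="$1/net/ipv4/conf"
    a_all=$(knob "$conf/all/accept_redirects"); a_if=$(knob "$conf/$2/accept_redirects")
    s_all=$(knob "$conf/all/send_redirects");   s_if=$(knob "$conf/$2/send_redirects")
    fwd=$(knob "$conf/$2/forwarding"); accept=0; send=0
    if [ "$fwd" = 1 ]; then
        [ "$a_all" = 1 ] && [ "$a_if" = 1 ] && accept=1
    else
        { [ "$a_all" = 1 ] || [ "$a_if" = 1 ]; } && accept=1
    fi
    { [ "$s_all" = 1 ] || [ "$s_if" = 1 ]; } && send=1
    echo "$2 accept=$accept send=$send"
}

# audit_redirects [ROOT] -> one line per interface; exit status 1 if any
# interface would still accept or send redirects, 0 when all are off.
audit_redirects() {
    root=${1:-/proc/sys}; bad=0
    for d in "$root"/net/ipv4/conf/*/; do
        i=$(basename "$d"); [ -d "$d" ] || continue
        case "$i" in all|default) continue;; esac
        line=$(effective_state "$root" "$i"); echo "$line"
        case "$line" in *"=1"*) bad=1;; esac
    done
    return "$bad"
}

# Constructed demo: conf/all is hardened but eth0 was never touched, so a
# non-forwarding host still accepts redirects on eth0 (the drift to catch).
mk() { mkdir -p "$(dirname "$1")"; echo "$2" > "$1"; }
DEMO=$(mktemp -d)
mk "$DEMO/net/ipv4/conf/all/accept_redirects" 0; mk "$DEMO/net/ipv4/conf/all/send_redirects" 0
mk "$DEMO/net/ipv4/conf/eth0/accept_redirects" 1; mk "$DEMO/net/ipv4/conf/eth0/send_redirects" 0
mk "$DEMO/net/ipv4/conf/eth0/forwarding" 0
mk "$DEMO/net/ipv4/conf/lo/accept_redirects" 0;   mk "$DEMO/net/ipv4/conf/lo/send_redirects" 0
audit_redirects "$DEMO" || echo "WARNING: ICMP redirects still effective on this host"
```

Run it without arguments on a real host to audit /proc/sys; setting net.ipv4.conf.default.* as well covers interfaces created after boot.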
Thank you very much for the information provided in this site. I have just one comment:
I tested the command “sysctl -w net.ipv4.conf.all.accept_redirects = 0” on my computer, which runs UBUNTU 8.0.4 LTS, and it rejected this command with the following message:
error: “net.ipv4.conf.all.send_redirects” must be of the form name=value
error: Malformed setting “=”
error: “0” must be of the form name=value
The correct syntax does not allow spaces in the assignment:
“sysctl -w net.ipv4.conf.all.send_redirects=0”
Danilo, the problem is that there is a typo in the tutorial, you cannot enter spaces between the “=”.
It should be like this:
sysctl -w net.ipv4.conf.all.accept_redirects=0
and not:
sysctl -w net.ipv4.conf.all.accept_redirects = 0
Well, one’s first impression may well be (at least I secretly admit: mine was) “this is trivial, ain’t it?”, essentially “blaming it on the user”.
Even so, the thought-to-be-long-since-lost truth comes to tell again. This time about this nuisance, sporting the merit of having been established as the de facto standard for what one may call “software-implemented double standards”. (Yeah, that’s true, a blind advocate of tyranny and/or narcissism taking its place in our secure hi-tech system. And still they try convincing us, pacing over our well-founded fears about the rise of the robots! lolz)
The thing is that both the informative, however “uncustomized” default (those “blamable” users, get it as “empty” or “meaningless” :)) conf file and the examples (read: usage help) given by sysctl binary handle the matter loosely.
*=0
and
* = 0
(see mentioned conf and “sysctl -a” for proof)
forms are to be found in either.
However, the binary does not accept the “spaced” version.
(the one itself is using for listing..)
The man page from 1999 is overly correct, if I remember well.
Ah, I am etch @ 2.6.26-2-686 SMP.
And if you ever need to disable “echo requests” (that is, those sent by the “program” called “ping”), just use
net.ipv4.icmp_echo_ignore_all=1
in either the config file or the shell.
Hi,
How do we test whether the ICMP redirect packets are blocked or not?
(ICMP Type 13 and 14 -> ICMP Timestamp request and response)