As a security best practice, verify that the host system denies IPv4 Internet Control Message Protocol (ICMP) redirects. Routers use ICMP redirect messages to inform servers that a direct route exists for a particular destination. These messages contain information from the system's route table that might reveal portions of the network topology.

Procedure

  1. Run the # grep [01] /proc/sys/net/ipv4/conf/*/send_redirects|egrep "default|all" command on the host system to verify whether it denies IPv4 ICMP redirects.
  2. Configure the host system to deny IPv4 ICMP redirects.
    1. Open the /etc/sysctl.conf file to configure the host system.
    2. If the values are not set to 0, add the following entries to the file or update the existing entries so that each value is 0.
      net.ipv4.conf.all.send_redirects=0
      net.ipv4.conf.default.send_redirects=0
    3. Save the changes and close the file.
    4. Run # sysctl -p to apply the configuration.
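
The following script is an added example, not part of the original procedure or any vendor tooling. It goes beyond the all/default check above by auditing every interface entry, since Linux sends redirects on an interface when either conf/all or that interface's own send_redirects is 1, and it confirms that /etc/sysctl.conf persists the setting. The function names and the optional path arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code. The directory and file arguments are
# assumptions of this example so the checks can run against a test tree.

# Runtime check: every conf/<name>/send_redirects must read 0, because the
# kernel sends redirects on an interface when conf/all OR conf/<name> is 1.
audit_runtime() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"
    seen=0
    bad=0
    for f in "$conf_root"/*/send_redirects; do
        [ -r "$f" ] || continue
        seen=$((seen + 1))
        name=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        if [ "$val" = "0" ]; then
            echo "OK   net.ipv4.conf.$name.send_redirects=$val"
        else
            echo "FAIL net.ipv4.conf.$name.send_redirects=$val"
            bad=$((bad + 1))
        fi
    done
    [ "$seen" -gt 0 ] || return 2   # nothing readable: wrong path or no IPv4
    [ "$bad" -eq 0 ]
}

# Persistence check: the last assignment of each key in the file must be 0,
# otherwise the next "sysctl -p" or reboot restores the old value.
audit_persistent() {
    file="${1:-/etc/sysctl.conf}"
    [ -r "$file" ] || return 2
    rc=0
    for key in net.ipv4.conf.all.send_redirects net.ipv4.conf.default.send_redirects; do
        val=$(awk -F= -v k="$key" '
            { gsub(/[ \t]/, "", $1) }
            $1 == k { gsub(/[ \t]/, "", $2); v = $2 }
            END { print v }' "$file")
        if [ "$val" = "0" ]; then
            echo "OK   $key=0 in $file"
        else
            echo "FAIL $key=${val:-<unset>} in $file"
            rc=1
        fi
    done
    return "$rc"
}
```

Run audit_runtime and audit_persistent with no arguments on the host after step 4; a nonzero return from either means an entry still needs to be set to 0.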