As a security best practice, verify that your VMware appliance host machines ignore ICMP broadcast address echo requests.
Responses to broadcast Internet Control Message Protocol (ICMP) echoes provide an attack vector for amplification attacks and can facilitate network mapping by malicious agents. Configuring your appliance host machines to ignore ICMPv4 broadcast echoes provides protection against such attacks.
- Run the # cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts command on the VMware virtual appliance host machines to confirm that they deny IPv4 broadcast address echo requests.
If a host machine is configured to deny IPv4 broadcast address echo requests, this command returns a value of 1 for net.ipv4.icmp_echo_ignore_broadcasts; a value of 0 means the kernel still answers broadcast echo requests.
- To configure a virtual appliance host machine to deny ICMPv4 broadcast address echo requests, open the /etc/sysctl.conf file on that host machine in a text editor.
- Locate the entry that reads net.ipv4.icmp_echo_ignore_broadcasts=1. If the entry does not exist or carries a different value, add it or update the existing entry accordingly.
- Save the changes and close the file.
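As an added example that is not part of the VMware guide, the following POSIX shell functions perform the check and the /etc/sysctl.conf remediation described in the steps above. The file-path arguments are an assumption made here so the functions can be exercised against a copy of a file rather than the live kernel paths, which are the defaults.

```shell
# Added example, not VMware's own tooling: check and remediate
# net.ipv4.icmp_echo_ignore_broadcasts on a Linux appliance host.
# Both functions accept an optional path argument (assumed for testing);
# without it they use the real kernel and sysctl.conf locations.

KEY=net.ipv4.icmp_echo_ignore_broadcasts
KEY_RE='net\.ipv4\.icmp_echo_ignore_broadcasts'

# Report the running kernel's setting: prints "ignored" when the value is 1
# (broadcast echo requests are dropped), "answered" when it is 0, and
# "unknown" with a non-zero exit status for anything else.
broadcast_echo_state() {
    procfile="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts}"
    val=$(cat "$procfile" 2>/dev/null | tr -d '[:space:]')
    case "$val" in
        1) echo ignored ;;
        0) echo answered ;;
        *) echo unknown; return 1 ;;
    esac
}

# Make sure sysctl.conf carries KEY=1. An existing entry (with any spacing
# around '=') is rewritten in place; a missing entry is appended.
# Prints "ok", "updated" or "added" to say what was done.
ensure_ignore_broadcasts() {
    conf="${1:-/etc/sysctl.conf}"
    if grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$conf" 2>/dev/null; then
        echo ok
    elif grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*=" "$conf" 2>/dev/null; then
        sed -E -i "s/^[[:space:]]*${KEY_RE}[[:space:]]*=.*/${KEY}=1/" "$conf"
        echo updated
    else
        printf '%s=1\n' "$KEY" >> "$conf"
        echo added
    fi
}
```

The sysctl.conf entry is applied at boot; run sysctl -p (or sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1) to apply it to the running kernel immediately, then re-run the check.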