As a security best practice, verify that the host system ignores IPv4 Internet Control Message Protocol (ICMP) redirect messages. A malicious ICMP redirect message can allow a man-in-the-middle attack to occur. Routers use ICMP redirect messages to notify hosts that a more direct route exists for a destination. These messages modify the host's route table and are unauthenticated.

Procedure

  1. Run the # grep [01] /proc/sys/net/ipv4/conf/*/accept_redirects|egrep "default|all" command on the host system to check whether the host system ignores IPv4 redirect messages.
  2. Configure the host system to ignore IPv4 ICMP redirect messages.
    1. Open the /etc/sysctl.conf file.
    2. If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. 
      net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
    3. Save the changes and close the file.
    4. Run # sysctl -p to apply the configuration.