Responses to broadcast Internet Control Message Protocol (ICMP) echoes provide an attack vector for amplification attacks and can facilitate network mapping by malicious agents. Configuring your system to ignore ICMPv4 echoes provides protection against such attacks.
Procedure
- Run the
# cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcastscommand to verify that the system is not sending responses to ICMP broadcast address echo requests. - Configure the host system to deny ICMPv4 broadcast address echo requests.
- Open the /etc/sysctl.conf file in a text editor.
- If the value for this entry is not set to
1, add thenet.ipv4.icmp_echo_ignore_broadcasts=1entry. - Save the changes and close the file.
- Run # sysctl -p to apply the configuration.
