SUMMARY: Preventing ICMP redirects

From: Derk Tegeler <derk.tegeler_at_cmg.nl>
Date: Fri, 23 Mar 2001 14:33:36 +0100

With thanks to Bryan Lavelle for the dbx part.

The problem: many network devices that may act as a router believe that they
are alone (Brands Apollo access server, some 3com devices, ...) and broadcast
ICMP-redirect packets, thus modifying the default route on hosts. Although
the ICMP-redirect mechanism is correct behaviour from a host point of view, it
is in many cases not desired and is a security risk.

The solution: on a running kernel set icmp_rejectcodemask=0x20 as follows

dbx -k /vmunix
...
(dbx) assign icmp_rejectcodemask=0x20
32
(dbx)

An alternative to the above is to use "patch" instead of "assign", making
the modification impermanent, i.e. the kernel will resume normal behaviour
at the next reboot.

The ICMP_REDIRECT bit is the 6th bit in the icmp part of the IP header (bit
number 5). By setting the 6th bit in the mask above, the kernel will reject
(ignore, drop) all icmp redirect packets.

Regards,

Derk Tegeler

-----Original Message-----
From: Derk Tegeler [mailto:derk.tegeler_at_cmg.nl]
Sent: Friday, March 23, 2001 10:09
To: 'tru64-unix-managers_at_ornl.gov'
Subject: Preventing ICMP redirects


Hi,

Does anybody know how to prevent ICMP-redirect from modifying a default
(static) route?

Note the M flag on the default route, in the routing table below.

PS: t64 v4.0f

Regards,

Derk Tegeler

# netstat -rn
Routing tables
Destination      Gateway          Flags  Refs  Use     Interface
Netmasks:
Inet 0.0.0.0
Inet 255.255.255.0

Route Tree for Protocol Family 2:
default          192.168.102.233  UGMS   2     108267  tu0
...
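The mask semantics from the summary above, worked through as an added example. This is illustration code written for this archive page, not code from the post, from Tru64 or from dbx. It assumes what the summary implies: bit N of icmp_rejectcodemask set means "drop every ICMP message whose type field is N", so 0x20 (bit 5) drops ICMP type 5, Redirect. The ICMP messages it filters are constructed by hand, with a real RFC 1071 checksum so that a corrupted message is also rejected, and the Redirect carries the gateway address shown in the netstat output.

```python
"""Model of the icmp_rejectcodemask behaviour described in the summary.

Added illustration, not code from the post or from the Tru64 kernel.
Assumption (taken from how the post reads 0x20): bit N of the mask set
means "drop every ICMP message whose type field is N", so bit 5 = 0x20
drops ICMP type 5, Redirect.  All packets below are constructed by hand.
"""
import socket
import struct

# ICMP message types (RFC 792) used in the examples.
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_REDIRECT = 5
ICMP_ECHO = 8


def reject_mask(*icmp_types):
    """Build a mask that rejects each listed ICMP type (bit N <-> type N)."""
    mask = 0
    for t in icmp_types:
        if not 0 <= t <= 255:
            raise ValueError("ICMP type out of range: %d" % t)
        mask |= 1 << t
    return mask


def rejected_types(mask):
    """Decode a mask back into the sorted list of ICMP types it rejects."""
    return [t for t in range(256) if (mask >> t) & 1]


def icmp_checksum(msg):
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type, code, rest_of_header, payload=b""):
    """Assemble an ICMP message with a correct checksum (constructed traffic)."""
    body = struct.pack("!BBH", msg_type, code, 0) + rest_of_header + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(msg):
    """Return (type, code) of an ICMP message, rejecting short or corrupt input."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(msg) != 0:        # a valid message sums to all ones
        raise ValueError("bad ICMP checksum")
    msg_type, code, _csum = struct.unpack("!BBH", msg[:4])
    return msg_type, code


def filter_icmp(msg, mask):
    """'drop' if the message's type has its bit set in mask, else 'accept'."""
    msg_type, _code = parse_icmp(msg)
    return "drop" if (mask >> msg_type) & 1 else "accept"


# Constructed packets.  The Redirect carries the gateway the post shows
# (192.168.102.233) and the first 28 bytes of a made-up original datagram.
ORIGINAL_DATAGRAM = bytes.fromhex("4500003c00004000400600000a0000010a000002") + bytes(8)
REDIRECT_MSG = build_icmp(ICMP_REDIRECT, 1,                   # code 1: redirect for host
                          socket.inet_aton("192.168.102.233"),
                          ORIGINAL_DATAGRAM)
ECHO_MSG = build_icmp(ICMP_ECHO, 0, struct.pack("!HH", 0x1234, 1), b"ping")


def demo(mask=0x20):
    """Apply the mask from the summary to both constructed messages."""
    return {
        "rejected_types": rejected_types(mask),
        "redirect": filter_icmp(REDIRECT_MSG, mask),
        "echo": filter_icmp(ECHO_MSG, mask),
    }


if __name__ == "__main__":
    print("icmp_rejectcodemask=0x%x ->" % 0x20, demo(0x20))
```

Running it shows the reading the summary gives of the value: 0x20 decodes to the single type 5, the Redirect is dropped and an ordinary Echo Request passes. reject_mask() also makes the "6th bit is bit number 5" remark concrete, since reject_mask(ICMP_REDIRECT) is exactly 0x20.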
Received on Fri Mar 23 2001 - 13:32:47 NZST
