No icmp redirect linux

What are ICMP redirects and should they be blocked?

What are ICMP redirection messages? Should they be disabled for security purposes? If so, what is the right way to do that using the ufw firewall?


There are certain cases where ICMP packets can be used to attack a network. Although this type of problem is not common today, there are situations where such problems do happen. This is the case with ICMP redirect, or ICMP Type 5 packet. ICMP redirects are used by routers to specify better routing paths out of one network, based on the host choice, so basically it affects the way packets are routed and destinations.

Through ICMP redirects, a host can find out which networks can be accessed from within the local network, and which are the routers to be used for each such network. The security problem comes from the fact that ICMP packets, including ICMP redirect, are extremely easy to fake and basically it would be rather easy for an attacker to forge ICMP redirect packets.

The attacker can then basically alter your host’s routing tables and divert traffic towards external hosts on a path of his/her choice; the new path is kept active by the router for 10 minutes. Due to this fact and the security risks involved in such a scenario, it is still a recommended practice to disable ICMP redirect messages (ignore them) from all public interfaces.

You need to edit the file /etc/sysctl.conf

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

Then apply the kernel parameter modifications above with:
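
An added example, not part of the original answer: a POSIX shell audit that reports which interfaces still accept or send IPv4 ICMP redirects once the settings are loaded. It applies the kernel's documented rule that, with forwarding off, a redirect is accepted if either the `all` or the per-interface value is set, so zeroing `all` alone may not be enough. The function names and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report interfaces that still accept or send IPv4 ICMP
# redirects. Function names and the ROOT argument are assumptions.

# Print the value stored in a sysctl file, or 0 if it is missing.
read_flag() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# Echo 1 if interface $2 effectively accepts redirects, else 0.
# Kernel rule: with forwarding on, both "all" AND the interface value must
# be set; with forwarding off, either "all" OR the interface value suffices.
effective_accept() {
    conf="$1/net/ipv4/conf"
    all=$(read_flag "$conf/all/accept_redirects")
    ifv=$(read_flag "$conf/$2/accept_redirects")
    fwd=$(read_flag "$conf/$2/forwarding")
    if [ "$fwd" -ne 0 ]; then
        echo $(( $all && $ifv ))
    else
        echo $(( $all || $ifv ))
    fi
}

# Echo 1 if interface $2 effectively sends redirects ("all" OR interface).
effective_send() {
    conf="$1/net/ipv4/conf"
    all=$(read_flag "$conf/all/send_redirects")
    ifv=$(read_flag "$conf/$2/send_redirects")
    echo $(( $all || $ifv ))
}

# Print "iface accept=N send=N" for each exposed interface; no output means
# nothing accepts or sends redirects. "default" is kept in the listing
# because newly created interfaces copy its values.
audit_redirects() {
    root="${1:-/proc/sys}"
    for dir in "$root"/net/ipv4/conf/*/; do
        iface=$(basename "$dir")
        if [ "$iface" = all ]; then continue; fi
        a=$(effective_accept "$root" "$iface")
        s=$(effective_send "$root" "$iface")
        if [ "$a" -ne 0 ] || [ "$s" -ne 0 ]; then
            echo "$iface accept=$a send=$s"
        fi
    done
}

audit_redirects "${1:-/proc/sys}"
```

Any interface the audit lists needs its own `net.ipv4.conf.<iface>.accept_redirects = 0` (or `send_redirects = 0`) entry, and a `default` line means newly created interfaces will start out exposed.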


Linux Blog


ICMP redirect messages represent one of the lowest-level routing protocols for simple redirects. Routers send them to hosts to inform them about a more efficient way to reach a host than routing the traffic through the router itself. A host will accept this message and store this "hint" in a temporary table. It will then send the next packet directly to the host given by the ICMP redirect.

However, the Linux kernel doesn’t listen to ICMP redirects when it is configured as a router rather than as a host. So be careful when setting up routing tables for routers: they have to be complete. No hints from other hosts will be accepted, and only the local routing table decides where packets go.

Disable ICMP Redirects:
In most Linux flavors (Debian, Ubuntu, Red Hat Enterprise Linux, openSUSE), ICMP redirects can be dynamically disabled on the host by adding the proper entries to the /etc/sysctl.conf configuration file. Simply edit the /etc/sysctl.conf file and add the following entries:

2 comments:

Holding a special place, some say, within the IP layer is ICMP. You’re probably familiar with ICMP when you use the ping command because ping uses ICMP. ICMP, or Internet Control Message Protocol, has several uses, including being the underlying protocol for the ping command. There are 15 functions within ICMP each denoted by a type code. For instance, the type for an ICMP Echo Request (think: ping) is 8; the reply to that request, aptly titled an Echo Reply, is type 0. Within the different types there can also exist codes to specify the condition for the given type. The types and codes for ICMP messages are shown.


Recently I just came across a good article on "IPV6 - The ICMP Overview"
Here is its link.

I realise I’m two years too late on this, but this will do the complete opposite of what you say it will.

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

As in, "don’t accept/send redirects".


How to accept ICMP redirects?

tcpdump showed me there are some ICMP redirects in my network (KVM virtual machines, bridged network). I decided to take a closer look at them and at how my system behaves and how it looks. I found it doesn’t work as it should. Let’s say I’m on 1.1.1.1 and I ping 2.2.2.2:

# ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2) 56(84) bytes of data.
64 bytes from 2.2.2.2: icmp_seq=1 ttl=63 time=0.569 ms
From 4.4.4.4: icmp_seq=2 Redirect Host(New nexthop: 3.3.3.3)
64 bytes from 2.2.2.2: icmp_seq=2 ttl=63 time=0.690 ms
From 4.4.4.4: icmp_seq=3 Redirect Host(New nexthop: 3.3.3.3)

as you can see I get multiple redirects to 3.3.3.3 which looks fine but for some reason my host (1.1.1.1) ignores it.

# sysctl -a|grep accept_redirects
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.lo.accept_redirects = 1

and there is no entry for that new route in ip route list and ip route list cache is empty. Kernel version is:

# uname -a
Linux foo.bar 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux

Changing /proc/sys/net/ipv4/conf/*/accept_redirects values 0|1, a networking restart or even a reboot didn’t work. I wish to accept ICMP redirects. Any ideas?

UPDATE:

# ip -d route
unicast default via 4.4.4.4 dev eth0 proto boot scope global
unicast 1.1.1.0/24 dev eth0 proto kernel scope link src 1.1.1.1
unicast 4.4.4.4 dev eth0 proto boot scope link
