Hardening the TCP/IP stack of Unix operating systems: the ICMP protocol

Source: Internet
Author: User

The TCP/IP stack processes incoming and outgoing IP packets and routes them to the application that handles the data. Defects in the stack itself, the openness of the network, and hacker attacks are the main causes of security problems on interconnected networks. As the standard protocol suite used by the Internet, TCP/IP is a key target for network attacks.

ICMP is a messenger dedicated to logical errors and diagnostics; RFC 792 describes it in detail. Any IP network device can send, receive, or act on ICMP messages. Although the ICMP designers did not consider today's security issues, they did build in some basic principles that make ICMP more effective:

To ensure that ICMP messages do not overwhelm the IP network, ICMP has no special priority and is always treated as ordinary traffic.

ICMP error messages are not sent in response to other ICMP error messages. This rule prevents one error message from repeatedly triggering another, which would otherwise be a serious problem.

ICMP error messages are not sent in response to multicast or broadcast traffic.

ICMP attacks include:

The Destination Unreachable attack, a denial-of-service attack: the ICMP Destination Unreachable message gives a device that tried to forward a message a way to notify the sender that the message could not be delivered because the host specified in the datagram's destination address cannot be reached.

The Smurf attack, a denial-of-service attack: Smurf attacks are a particularly damaging form of denial of service because of their amplification effect. Smurf attacks use ICMP echo reply messages.

1. Disable ICMP echo broadcast activity

    AIX 5
    # no -o directed_broadcast=0

    FreeBSD 5-7
    # sysctl -w net.inet.icmp.bmcastecho=0

    HP-UX 10
    # ndd -set /dev/ip ip_respond_to_echo_broadcast 0
    # ndd -set /dev/ip ip_forward_directed_broadcasts 0

    Linux 2.4-2.6
    # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

    OpenBSD 3-4
    This is already the default setting.

    Solaris 8-10
    # ndd -set /dev/ip ip_respond_to_echo_broadcast 0
    # ndd -set /dev/ip ip6_respond_to_echo_multicast 0
    # ndd -set /dev/ip ip_forward_directed_broadcasts 0

Otherwise, your system may become a tool for Smurf attackers. The Smurf attack is named after "Smurf", the program that first launched it. By combining IP spoofing with ICMP replies, this attack floods the target system with a large volume of network traffic, so that the target system can no longer serve legitimate systems.

A Smurf attack floods the victim host by sending ICMP echo request (ping) packets whose reply address is set to the broadcast address of the victim network. Eventually all hosts on that network reply to the ICMP echo request, resulting in network congestion. The more complex form of Smurf changes the source address to that of a third-party victim, causing the third party to crash.

2. Disable ICMP route redirection

    AIX 5
    # no -o ipignoreredirects=1
    # no -o ipsendredirects=0

    FreeBSD 5-7
    # sysctl -w net.inet.ip.redirect=0
    # sysctl -w net.inet.ip6.redirect=0

    HP-UX 10
    # ndd -set /dev/ip ip_send_redirects 0
    # ndd -set /dev/ip ip_forward_directed_broadcasts 0

    Linux 2.4-2.6
    # sysctl -w net.ipv4.conf.all.accept_redirects=0
    # sysctl -w net.ipv6.conf.all.accept_redirects=0
    # sysctl -w net.ipv4.conf.all.send_redirects=0
    # sysctl -w net.ipv6.conf.all.send_redirects=0

    OpenBSD 3-4
    # sysctl -w net.inet.icmp.rediraccept=0
    # sysctl -w net.inet6.icmp6.rediraccept=0

    Solaris 8-10
    # ndd -set /dev/ip ip_ignore_redirect 1
    # ndd -set /dev/ip ip6_ignore_redirect 1
    # ndd -set /dev/ip ip_send_redirects 0
    # ndd -set /dev/ip ip6_send_redirects 0

Otherwise, your system may be exposed to routing table errors.

3. Disable ICMP broadcast detection

    AIX 5
    # no -o icmpaddressmask=0

    FreeBSD 5-7
    # sysctl -w net.inet.icmp.maskrepl=0

    HP-UX 10
    # ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
    # ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

    Linux 2.4-2.6
    # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

    OpenBSD 3-4
    This is already the default setting.

    Solaris 8-10
    # ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
    # ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
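
An added audit example (not part of the original article) that verifies the Linux settings from sections 1 to 3 on a live system. It goes beyond the `all`-only commands above by also checking every per-interface directory, because Linux combines the `all` value with each interface's own value, so an interface left at 1 can keep redirects enabled. The function names `check_key` and `audit_icmp` and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the Linux ICMP settings listed in sections 1-3.
# The root defaults to /proc/sys; pass another directory to test offline.

# check_key ROOT RELATIVE_PATH WANTED
# Prints one result line; returns 1 only when the value differs from WANTED.
check_key() {
    file="$1/$2"
    if [ ! -r "$file" ]; then
        # Keys the running kernel does not expose are skipped, not failed.
        echo "SKIP $2 (not exposed by this kernel)"
        return 0
    fi
    actual=$(cat "$file")
    if [ "$actual" = "$3" ]; then
        echo "OK   $2=$actual"
        return 0
    fi
    echo "FAIL $2=$actual (want $3)"
    return 1
}

# audit_icmp [ROOT]
# Exit status is the number of failing keys (0 means compliant).
audit_icmp() {
    root="${1:-/proc/sys}"
    fails=0
    check_key "$root" net/ipv4/icmp_echo_ignore_broadcasts 1 || fails=$((fails + 1))
    for fam in ipv4 ipv6; do
        # Walk "all", "default" and every interface, not just "all".
        for dir in "$root/net/$fam/conf"/*/; do
            [ -d "$dir" ] || continue
            iface=$(basename "$dir")
            for key in accept_redirects send_redirects; do
                check_key "$root" "net/$fam/conf/$iface/$key" 0 || fails=$((fails + 1))
            done
        done
    done
    return "$fails"
}
```

Source the file and call `audit_icmp` with no argument to check the running system. Values set with `sysctl -w` do not survive a reboot, so run the audit again after restarting.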

That concludes this introduction to attacks on the ICMP protocol; we hope you now have a good grasp of it. We will continue the topic in future articles.
