什么是 ICMP 重定向？是否应该阻止它们？

Question 1

在某些情况下，ICMP 数据包可用于攻击网络。尽管这种类型的问题如今并不常见，但在某些情况下确实会发生此类问题。ICMP 重定向或 ICMP 类型 5 数据包就是这种情况。路由器使用 ICMP 重定向根据主机选择指定一个网络外的更好路由路径，因此它基本上会影响数据包的路由方式和目的地。

通过 ICMP 重定向，主机可以找出本地网络内可以访问哪些网络，以及每个此类网络要使用哪些路由器。安全问题源于 ICMP 数据包（包括 ICMP 重定向）极易伪造，攻击者基本上很容易伪造 ICMP 重定向数据包。

然后攻击者基本上可以改变主机的路由表，并通过他/她选择的路径将流量转发到外部主机；路由器会将新路径保持活动状态 10 分钟。鉴于这一事实以及此类情况所涉及的安全风险，建议禁用所有公共接口的 ICMP 重定向消息（忽略它们）。

您需要编辑该文件/etc/sysctl.conf

并改变

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0

到

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

然后应用上述内核参数修改：

$ sudo sysctl -p

Answer

根据本文

在某些情况下，ICMP 数据包可用于攻击网络。尽管这种类型的问题如今并不常见，但在某些情况下确实会发生此类问题。ICMP 重定向或 ICMP 类型 5 数据包就是这种情况。路由器使用 ICMP 重定向根据主机选择指定一个网络外的更好路由路径，因此它基本上会影响数据包的路由方式和目的地。

通过 ICMP 重定向，主机可以找出本地网络内可以访问哪些网络，以及每个此类网络要使用哪些路由器。安全问题源于 ICMP 数据包（包括 ICMP 重定向）极易伪造，攻击者基本上很容易伪造 ICMP 重定向数据包。

然后攻击者基本上可以改变主机的路由表，并通过他/她选择的路径将流量转发到外部主机；路由器会将新路径保持活动状态 10 分钟。鉴于这一事实以及此类情况所涉及的安全风险，建议禁用所有公共接口的 ICMP 重定向消息（忽略它们）。

您需要编辑该文件/etc/sysctl.conf

并改变

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0

到

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

然后应用上述内核参数修改：

$ sudo sysctl -p

Question 2

请注意，如果禁用转发（我们不是路由器），net.ipvX.conf.all.accept_redirects 的值将是 ORed 接口特定值，例如 net.ipvX.conf.eth0.accept_redirects。send_redirects 始终是 ORed。

完整的修复方法是：

net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

为了使用“默认”设置，必须重新设置网络接口。

Answer

请注意，如果禁用转发（我们不是路由器），net.ipvX.conf.all.accept_redirects 的值将是 ORed 接口特定值，例如 net.ipvX.conf.eth0.accept_redirects。send_redirects 始终是 ORed。

完整的修复方法是：

net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

为了使用“默认”设置，必须重新设置网络接口。

什么是 ICMP 重定向？是否应该阻止它们？

答案1

答案2

相关内容