Front cover - IBM Redbooks

Traceroute is the most common command that uses source-routed traffic. This
permits the diagnosis of trouble spots in the network by specifying the route to
take.
Unfortunately, would-be attackers can use source-routed traffic to try and bypass
firewall rules and TCP/IP filters. Dropping source-routed traffic should be done
on the edge routers, and any capable security gateways:
► With Solaris, use the following command:
ndd -set /dev/ip ip_forward_src_routed 0
► For GNU/Linux 2.4.x, use this command:
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
Dropping directed broadcast traffic
The Smurf Denial of Service attack and others like it can be defeated by
disabling directed broadcasts on the edge routers and servers exposed to the
Internet:
► For Solaris, use the following command:
ndd -set /dev/ip ip_forward_directed_broadcasts 0
Ignoring ICMP echo request broadcasts
There is a draft RFC named draft-vshah-ddos-smurf-00, which can be found at
the following URL:
http://www.ietf.org/internet-drafts/draft-vshah-ddos-smurf-00.txt
It states that if the network node is set to reply to an IP ICMP echo reply on a
broadcast or multicast address, the node must check to make sure that the
source address is on a local network of the network node. If the source address
is not local, the reply must be discarded. Changing the behavior to not respond to
ICMP broadcasts ensures that those replies are always discarded:
► With Solaris, use the following command:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
► With GNU/Linux 2.4.x, use the following command:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ ignore_broadcasts
GNU/Linux has an additional control to disable all ICMP Echo Reply requests.
Issuing the following command will make the Linux kernel ignore all ICMP Echo
Requests:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Chapter 9. Server hardening 397