Answers:
In some cases, ICMP packets can be used to attack a network. Although this kind of problem is not common today, it does still occur in certain situations. ICMP redirects, or ICMP Type 5 packets, are one such case. Routers use ICMP redirects to point a host at a better routing path to a given network, so fundamentally they affect how packets are routed and where they end up.
Through ICMP redirects, a host can find out which networks are reachable from within the local network and which router to use for each of them. The security problem stems from the fact that ICMP packets, including ICMP redirects, are very easy to forge, and basically it is fairly easy for an attacker to spoof ICMP redirect packets.
An attacker can then fundamentally alter a host's routing table and divert traffic to an external host along a path of his/her choosing; the router keeps the new path active for 10 minutes. Because of this, and the security risk involved in such a situation, it is still recommended that you disable ICMP redirect messages (ignore them) on all public interfaces.
You need to edit the file /etc/sysctl.conf
and change
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
to
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
Then apply the kernel parameter changes above with:
$ sudo sysctl -p
Note that if forwarding is disabled (we are not a router), the value of net.ipvX.conf.all.accept_redirects is ORed with the interface-specific value, e.g. net.ipvX.conf.eth0.accept_redirects. send_redirects is always ORed.
The complete fix would be:
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
For the "default" settings to take effect, the network interfaces must be brought down and back up.
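As an added example (not part of the original answer), the following script audits a sysctl.conf fragment for the six keys listed in the complete fix and works out the effective per-interface accept_redirects value using the combination rule the answer describes (ORed when forwarding is off; the kernel documentation ANDs the two values when forwarding is on, which the function also covers). The sysctl.conf excerpt is constructed test input.

```shell
#!/bin/sh
# Added example: audit ICMP-redirect sysctl hardening. Not the answer's own code.

# Constructed sysctl.conf excerpt: one key left at 1, one key missing.
sample_conf='# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv6.conf.default.accept_redirects = 0'

# audit_redirects CONF: print every required key that is missing or not 0.
# Returns 0 when the fragment is fully hardened, 1 otherwise.
audit_redirects() {
    conf=$1; rc=0
    for key in net.ipv4.conf.all.accept_redirects \
               net.ipv6.conf.all.accept_redirects \
               net.ipv4.conf.all.send_redirects \
               net.ipv4.conf.default.accept_redirects \
               net.ipv6.conf.default.accept_redirects \
               net.ipv4.conf.default.send_redirects; do
        # The last uncommented assignment wins, since sysctl -p applies them in order.
        val=$(printf '%s\n' "$conf" \
              | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" \
              | tail -n 1)
        if [ -z "$val" ]; then
            echo "MISSING $key"; rc=1
        elif [ "$val" != "0" ]; then
            echo "WEAK    $key = $val"; rc=1
        fi
    done
    return $rc
}

# effective_accept_redirects ALL IFACE FORWARDING: echo 1 if the interface will
# accept redirects, else 0. Forwarding off: all OR iface. Forwarding on: all AND iface.
effective_accept_redirects() {
    all=$1; iface=$2; fwd=$3
    if [ "$fwd" = "1" ]; then
        if [ "$all" = "1" ] && [ "$iface" = "1" ]; then echo 1; else echo 0; fi
    else
        if [ "$all" = "1" ] || [ "$iface" = "1" ]; then echo 1; else echo 0; fi
    fi
}

# Usage: audit the constructed fragment (prints WEAK/MISSING lines, exits 1).
audit_redirects "$sample_conf"
```

Run it against a real file with `audit_redirects "$(cat /etc/sysctl.conf)"`; a zero exit means all six keys are present and set to 0.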