Sysctl parameters for a secure network configuration in Mac OS X

Many modern operating systems are too permissive with respect to potentially malicious network traffic. By default, many of them respond to ICMP echo requests sent to the broadcast address, take any IP source-route information into account, and process ICMP router redirects without any checking:

Responding to ICMP echo requests sent to the broadcast address may enable smurf-like amplification attacks that try to flood the network or overwhelm a host with a large amount of useless traffic. Source-route information in IP packets is usually suspicious, since routing decisions should normally be made on the fly from each router’s routing table. ICMP router redirect messages tell a host to replace its current default route with a different one; they are commonly used by sniffers to defeat Layer-2 Ethernet switches and mount man-in-the-middle attacks.

Here are a few sysctl entries that can be added to “/etc/sysctl.conf” to disable these usually dangerous facilities:

# Ignore ICMP echo requests targeted to the broadcast address
net.inet.icmp.bmcastecho=0
# Disable ICMP router redirect support
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
# Ignore source routes
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
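As an added example that is not part of the original post, the following POSIX shell script audits a host's running kernel against the entries above, so you can see whether the hardening is actually in force rather than merely written to a file. It assumes the entries are in the key=value form shown and that `sysctl -n key` prints the current value, as it does on Mac OS X; the reader function and the audit function are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original post): compare live sysctl values
# with the hardening entries recommended above.

# The recommended entries, embedded here as the reference config.
HARDENING_CONF='# Ignore ICMP echo requests targeted to the broadcast address
net.inet.icmp.bmcastecho=0
# Disable ICMP router redirect support
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
# Ignore source routes
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0'

# read_live KEY: print the kernel's current value, or "missing" when the
# key is unknown (for example an IPv6 key on a host without IPv6 loaded).
read_live() {
    sysctl -n "$1" 2>/dev/null || echo missing
}

# audit_sysctl CONF [READER]: check every key in CONF against READER's
# answer, print one status line per key, and return the number of keys
# that are not set as desired (0 means the host matches the config).
audit_sysctl() {
    conf=$1
    reader=${2:-read_live}
    bad=0
    # A here-document keeps the loop in the current shell so $bad survives.
    while IFS='=' read -r key want; do
        case "$key" in ''|'#'*) continue ;; esac   # skip blanks and comments
        have=$("$reader" "$key")
        if [ "$have" = "$want" ]; then
            status=OK
        else
            status=MISMATCH
            bad=$((bad + 1))
        fi
        printf '%-34s want=%s have=%s %s\n' "$key" "$want" "$have" "$status"
    done <<EOF
$conf
EOF
    return "$bad"
}

# Stand-alone use on a Mac; the exit code is the number of non-compliant keys:
# audit_sysctl "$HARDENING_CONF"
```

Editing /etc/sysctl.conf does not change the running kernel; `sudo sysctl key=value` applies an entry immediately, after which the audit reports that key as OK.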
