
I've recently started working as a security auditor and my mentor gave me some homework to write an Ubuntu security audit script so that I'll get to learn to use batch scripting and understand auditing in depth.

I got to the part about ICMP packet redirects and had a tough time understanding why exactly I should disable it; the same goes for IP forwarding.

What is the exact advantage an attacker may gain by not disabling these features?

Here are the links I read it from:

https://secscan.acron.pl/ubuntu1604/3/2/2

https://secscan.acron.pl/ubuntu1604/3/1/1

Clarification:

for ICMP redirects:

I'm having a hard time understanding how it is possible to alter the system routing tables:

"... bogus ICMP redirect messages to maliciously alter the system routing tables"

for IP forwarding: How can an attacker exploit this if this were to be enabled?

"...will never be able to forward packets, and therefore, never serve as a router."

schroeder

1 Answer

ICMP redirects are a "feature" of IP which allows a router to inform a host that there's a more efficient route to a destination and that the host should adjust its routing table accordingly. This might be OK on a trusted LAN, but on the wild Internet, where malice abounds, it may not be such a good idea to alter your routing table at someone else's whim. Nevertheless, ICMP redirects are enabled by default on Linux.

Text extracted from https://www.agwa.name/blog/post/icmp_redirect_attacks_in_the_wild

About IP forwarding: the idea in disabling it is that, after partial control of a host (partial here means without root access), you are not able to use it as a router or to masquerade some traffic, eventually bypassing a firewall or a network gateway in general.

VP.
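The check the homework script needs for these two items, written as an added example that is not code from the question, the answer or the linked acron.pl pages. It assumes the Linux sysctl key names listed in KEYS and the `key = value` output format of `sysctl -a`; SAMPLE_WEAK is a constructed sample, not output captured from a real host.

```shell
#!/bin/sh
# Audit the two items discussed above: IP forwarding must be off and ICMP redirects
# must not be accepted. audit_sysctl reads "key = value" lines on stdin (the format
# printed by `sysctl -a`), so it can be exercised offline or fed the live kernel.

# Kernel keys that must all be 0 on a host that is not meant to act as a router.
KEYS='net.ipv4.ip_forward
net.ipv6.conf.all.forwarding
net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.secure_redirects
net.ipv4.conf.default.secure_redirects
net.ipv6.conf.all.accept_redirects
net.ipv6.conf.default.accept_redirects'

# Constructed sample (not from a real host): forwarding on, redirects accepted.
SAMPLE_WEAK='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.default.accept_redirects = 1'

# audit_sysctl: prints one PASS/FAIL line per key; the return status is the number of
# failing keys (0 means compliant). An absent key (e.g. IPv6 disabled) cannot be
# verified and is counted as a failure so the auditor looks at it.
audit_sysctl() {
    input=$(cat)
    fails=0
    for key in $KEYS; do
        have=$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k && $2 == "=" { print $3 }')
        if [ -z "$have" ]; then
            echo "FAIL  $key  (not present; cannot verify)"
            fails=$((fails + 1))
        elif [ "$have" = "0" ]; then
            echo "PASS  $key = 0"
        else
            echo "FAIL  $key = $have  (expected 0)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# audit_live: the same check against the running kernel (reading needs no root).
audit_live() { sysctl -a 2>/dev/null | audit_sysctl; }

# Stand-alone run: audit the constructed sample, which reports 7 failures.
printf '%s\n' "$SAMPLE_WEAK" | audit_sysctl || echo "sample: $? check(s) failed"
```

Call audit_live instead of the sample to check a real Ubuntu host; a FAIL on any key is the finding the audit script should report.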