Tweak Your Network Configurations for Security
To protect your WAN connection, firewall, and DMZ servers from common attacks, take these simple steps to disable certain TCP/IP features.
Drop Source-Routed Traffic
Source routing comes in two forms, strict source routing and loose source routing, both carried as IP options in the packet header. The difference isn't important here because you want to drop all source-routed traffic. The best-known legitimate use is traceroute's loose-source-route option (-g), which lets you diagnose trouble spots in your network by dictating the path a probe takes. Unfortunately, an intruder can use the same option to dictate a path that bypasses firewall rules and TCP/IP filters, or to reach addresses your routers would otherwise never forward to. Drop source-routed traffic on the edge routers and on every security gateway and host that supports it:
For Cisco routers, issue the following global directive: no ip source-route.
For OpenBSD, use the following sysctl: net.inet.ip.sourceroute=0.
For FreeBSD, use the following two sysctls: net.inet.ip.sourceroute=0 and net.inet.ip.accept_sourceroute=0 (the first stops the host from forwarding source-routed packets, the second from accepting them).
With Solaris, use the following command: ndd -set /dev/ip ip_forward_src_routed 0.
For Linux 2.2.x (the same path exists on later kernels), use the following command: echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route.
With Windows NT/2000, make the following Registry change:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
Create this value as a REG_DWORD and set it to 2. A value of 1 only stops the system from forwarding source-routed packets; 2 drops all incoming source-routed packets, which is what you want on a host that is exposed to the Internet.
Drop Directed Broadcast Traffic
A directed broadcast is a packet addressed to the broadcast address of a subnet other than the one it originates on; a router that honors it delivers the packet to every host on that subnet. The Smurf Denial of Service attack sends ICMP echo requests with a spoofed source address to such an address, so every host on the amplifying network replies to the victim. Smurf and attacks like it can be defeated by disabling directed broadcasts on the edge routers and on servers exposed to the Internet:
With OpenBSD, use the following sysctl: net.inet.ip.directed-broadcast=0
For Solaris, use the following command: ndd -set /dev/ip ip_forward_directed_broadcasts 0
Ignore ICMP Echo Request Broadcast
The Internet-Draft draft-vshah-ddos-smurf-00, found at http://www.ietf.org/internet-drafts/draft-vshah-ddos-smurf-00.txt, states that if a network node is configured to reply to an ICMP echo request sent to a broadcast or multicast address, the node must check that the source address is on one of its local networks, and must discard the request if it is not. Configuring the node to never respond to broadcast echo requests at all is simpler and stronger, because the reply is then always discarded, whatever the source address:
With Solaris, use the following command: ndd -set /dev/ip ip_respond_to_echo_broadcast 0
With Linux 2.2.x, use the following command: echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Linux has an additional control that ignores ALL ICMP Echo Requests, unicast ones included. Issuing the following command will make the Linux kernel stop answering ping entirely: echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all. Be aware that this also silences ping-based monitoring of the host, so decide deliberately whether you want it.
Ignore ICMP Redirect Messages
An ICMP Redirect message is how a gateway tells a host on the same subnet to use a different first hop for a destination; a host that honors it installs a host route for that destination. An intruder on the local network who spoofs a redirect from your current gateway can therefore steer traffic from your servers through a machine they control (letting them read or alter it) or to a non-existent gateway, which is a very effective denial of service. In addition to blocking ICMP Redirect messages at the firewall, if your OS supports it, add the additional layer of security of ignoring ICMP Redirect messages on the hosts themselves:
With Solaris, use the following command: ndd -set /dev/ip ip_ignore_redirect 1
With Linux 2.2.x, use the following command: echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
Disable Sending of ICMP Redirect Messages
Only a router that is forwarding packets has a legitimate reason to send an ICMP Redirect (to point a host on the same subnet at a better first hop). Your DMZ servers aren't forwarding anything, and a firewall that does forward shouldn't be advising hosts to route around it, so there is no reason for either to send them:
For Solaris, use the following command: ndd -set /dev/ip ip_send_redirects 0.
For Linux 2.2.x, use the following command: echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects.
Ignore ICMP Timestamp Request Broadcast
An ICMP timestamp request (ICMP type 13) allows a system to query another for the current time; the reply (ICMP type 14) carries the number of milliseconds since midnight UTC. ICMP timestamp requests have been used to synchronize clocks between systems in place of the rdate command because the precision is better. Individual timestamp requests are normal, but there is no need for a system to respond to a broadcast request. Keep in mind that any timestamp reply also tells a remote party your system's clock and uptime behavior, which is useful to someone fingerprinting your hosts. You should look into using NTP to keep time synchronized between servers instead, because it is much better at keeping time and allows for authentication and peering of multiple time sources, which makes it much harder to spoof. Once NTP is in place you can drop ICMP type 13 (timestamp request) and type 14 (timestamp reply) at the firewall:
With Solaris, use the following command: ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0.
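The Linux settings from the sections above (source routing, broadcast echo, accepting and sending redirects) are easiest to manage as one script that both applies them and audits a host for drift. The following is an added example, not part of the original article. It assumes the /proc/sys paths given above; the conf/default/ entries and the per-interface conf/<iface>/ entries are an addition beyond the article, because conf/default/ seeds new interfaces and on current kernels conf/all/ alone does not always decide a given interface's behavior. The sysctl root is a parameter so the functions can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example, not from the original article: apply and audit the Linux
# /proc/sys/net/ipv4 settings the article lists. BASE is the sysctl root
# (/proc/sys on a real host); it is a parameter so the functions can be
# tried against a scratch directory without root.

# Settings from the article, as "path-under-net/ipv4=hardened-value".
# The conf/default/ entries are an assumption beyond the article: they seed
# new interfaces, and conf/all/ alone does not always govern an interface.
HARDEN_SETTINGS="
conf/all/accept_source_route=0
conf/default/accept_source_route=0
icmp_echo_ignore_broadcasts=1
conf/all/accept_redirects=0
conf/default/accept_redirects=0
conf/all/send_redirects=0
conf/default/send_redirects=0
"
# Keys that also exist per interface under conf/<iface>/ (hardened value 0).
IFACE_KEYS="accept_source_route accept_redirects send_redirects"

# iface_settings BASE: emit "conf/<iface>/<key>=0" for every interface
# directory present, skipping all/ and default/ (already in HARDEN_SETTINGS).
iface_settings() {
    for d in "$1"/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case "$name" in all|default) continue ;; esac
        for k in $IFACE_KEYS; do
            echo "conf/$name/$k=0"
        done
    done
}

# all_settings BASE: the fixed list plus whatever interfaces the host has.
all_settings() {
    echo "$HARDEN_SETTINGS"
    iface_settings "$1"
}

# apply_settings BASE: write the hardened value into each file; fail loudly
# rather than silently skipping a key that is missing or not writable.
apply_settings() {
    base="$1"
    for entry in $(all_settings "$base"); do
        f="$base/net/ipv4/${entry%%=*}"
        if [ ! -w "$f" ]; then
            echo "cannot write $f (need root, or key missing)" >&2
            return 1
        fi
        echo "${entry#*=}" > "$f"
    done
}

# audit_settings BASE: print one WEAK/MISSING line per deviation;
# return 1 if anything deviates, 0 if the host matches the hardened values.
audit_settings() {
    base="$1"
    bad=0
    for entry in $(all_settings "$base"); do
        key="${entry%%=*}"
        want="${entry#*=}"
        f="$base/net/ipv4/$key"
        if [ ! -r "$f" ]; then
            echo "MISSING $key"
            bad=1
        elif [ "$(cat "$f")" != "$want" ]; then
            echo "WEAK    $key=$(cat "$f") (want $want)"
            bad=1
        fi
    done
    return "$bad"
}

# On a real host (as root):  sh harden-ipv4.sh apply   or   sh harden-ipv4.sh audit
case "${1:-}" in
    apply) apply_settings /proc/sys && audit_settings /proc/sys ;;
    audit) audit_settings /proc/sys ;;
esac
```

Settings written to /proc/sys do not survive a reboot; on a host you keep, put the same keys in /etc/sysctl.conf in dotted form (for example net.ipv4.conf.all.accept_source_route = 0) and use the audit mode here from cron or your monitoring to catch drift.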