GEN000000-AIX0210 – The system must provide protection from Internet Control Message Protocol (ICMP) attacks on TCP connections.

Details

The ICMP attacks may be of the form of ICMP source quench attacks and Path MTU Discovery (PMTUD) attacks. If this network option tcp_icmpsecure is turned on, the system does not react to ICMP source quench messages. This will protect against ICMP source quench attacks. The payload of the ICMP message is tested to determine if the sequence number of the TCP header portion of the payload is within the range of acceptable sequence numbers. This will mitigate PMTUD attacks to a large extent.

Solution

Set the tcp_icmpsecure parameter to 1.

# /usr/sbin/no -p -o tcp_icmpsecure=1

Supportive Information

The following resource is also helpful.

https://iasecontent.disa.mil/stigs/zip/U_AIX_6-1_V1R14_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

800-53|AC-4(8)
CAT|II
CCI|CCI-000032
Group-ID|V-29496
Rule-ID|SV-38700r1_rule
STIG-ID|GEN000000-AIX0210
Vuln-ID|V-29496

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles