
Protecting your storage system from forged ICMP redirect attacks

You can disable ICMP redirect messages to protect your storage system against forged ICMP redirect attacks.

Considerations

To efficiently route a series of datagrams to the same destination, your storage system maintains a route cache of mappings to next-hop gateways. If a gateway is not the best next-hop for a datagram with a specific destination, the gateway forwards the datagram to the best next-hop gateway and sends an ICMP redirect message to the storage system. By forging ICMP redirect messages, an attacker can modify the route cache on your storage system, causing it to send all of its communications through the attacker. The attacker can then hijack a session at the network level, easily monitoring, modifying, and injecting data into the session.
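As an added example (not part of the NetApp documentation and not a Data ONTAP feature), the following Python parser picks ICMP redirect messages out of captured IPv4 packets, so an administrator can see on a monitoring host how often, and from where, the storage system is being sent the redirects that the option below tells it to ignore. The packet bytes are a constructed sample using documentation addresses, and the legitimacy rule applied is the RFC 1122 one: a redirect is only acceptable when it comes from the first-hop gateway the host is already using.

```python
import struct
import ipaddress

# Constructed sample, not a capture: an ICMPv4 redirect-for-host (type 5, code 1)
# sent by 192.0.2.66 to 192.0.2.10, telling it to reach 198.51.100.7 via 192.0.2.66.
# The IP header checksum is left zero in the sample; only the ICMP checksum is verified.
SAMPLE_REDIRECT = bytes.fromhex(
    "45000038000000004001" "0000" "c0000242" "c000020a"   # IPv4 header (proto 1 = ICMP)
    "0501" "8ab0" "c0000242"                               # ICMP type 5, code 1, checksum, gateway
    "45000028123440004006" "0000" "c000020a" "c6336407"   # embedded original IP header
    "e8a401bd00000001"                                     # first 8 bytes of the original datagram
)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a result of 0 means the message verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_redirect(packet: bytes):
    """Return the fields of an ICMP redirect carried in an IPv4 packet, or None if it is not one."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                        # IP protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    if icmp[0] != 5 or len(icmp) < 28:        # type 5 = redirect; 8-byte header + embedded IP header
        return None
    inner = icmp[8:]                          # the datagram that triggered the redirect
    return {
        "sender": str(ipaddress.IPv4Address(packet[12:16])),
        "code": icmp[1],                      # 0 = network, 1 = host, 2/3 = with TOS
        "new_gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "original_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "checksum_ok": icmp_checksum(icmp) == 0,
    }


def is_suspicious_redirect(redirect: dict, current_gateway: str) -> bool:
    """RFC 1122 3.2.2.2: a redirect not sent by the host's current first-hop
    gateway should be discarded; such a message is what a forgery looks like."""
    return redirect["sender"] != current_gateway
```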

Step

  1. Enter the following command: options ip.icmp_ignore_redirect.enable on

    Your storage system will now ignore ICMP redirect messages.

    For more information about the ip.icmp_ignore_redirect.enable option, see the na_options(1) man page.

    Note: By default, the ip.icmp_ignore_redirect.enable option is off.