24-21
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Chapter 24 Security Audit
Fix It Page
in the internetwork. ICMP mask reply messages are sent to the device requesting
the information by devices that have the requested information. These messages
can be used by an attacker to gain network mapping information.
The configuration that will be delivered to the router to disable ICMP mask reply
messages is as follows:
no ip mask-reply
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable IP Unreachables on NULL Interface
Security Audit disables Internet Control Message Protocol (ICMP) host
unreachable messages whenever possible. ICMP supports IP traffic by relaying
information about paths, routes, and network conditions. ICMP host unreachable
messages are sent out if a router receives a nonbroadcast packet that uses an
unknown protocol, or if the router receives a packet that it is unable to deliver to
the ultimate destination because it knows of no route to the destination address.
Because the null interface is a packet sink, packets forwarded there will always be
discarded and, unless disabled, will generate host unreachable messages. If the
null interface is being used to block a Denial-of-Service attack, these messages
can flood the local network. Disabling these messages prevents this situation. In
addition, because all blocked packets are forwarded to the null interface, an
attacker receiving host unreachable messages could use those messages to
determine Access Control List (ACL) configuration.
If the “null 0” interface is configured on your router, Security Audit will deliver
the following configuration to the router to disable ICMP host unreachable
messages for discarded packets or packets routed to the null interface:
int null 0
no ip unreachables
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
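As an added example, not SDM's own code: a small Python check that reads a saved IOS running-config text and flags the two conditions this page describes, an interface that still answers ICMP mask requests and a Null0 interface that lacks the unreachables fix. The sample configuration below is constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not from a real device): one
# interface still replies to ICMP mask requests, and Null0 already has the
# Security Audit fix applied.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip mask-reply
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Null0
 no ip unreachables
!
"""

def interface_blocks(config):
    """Yield (name, [commands]) for each 'interface ...' stanza in an IOS config."""
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name is not None and line.startswith(" "):
            body.append(line.strip())
        elif name is not None:  # '!' or a top-level command ends the stanza
            yield name, body
            name, body = None, []
    if name is not None:
        yield name, body

def audit_icmp(config):
    """Return findings mirroring the two Security Audit checks described above."""
    findings = []
    saw_null0 = False
    for name, body in interface_blocks(config):
        # Mask replies are off by default, so an explicit 'ip mask-reply' is a finding.
        if "ip mask-reply" in body:
            findings.append(f"{name}: ip mask-reply enabled (fix: no ip mask-reply)")
        if re.fullmatch(r"[Nn]ull ?0", name):
            saw_null0 = True
            # Unreachables are on by default, so the fix must appear explicitly.
            if "no ip unreachables" not in body:
                findings.append(f"{name}: ip unreachables enabled (fix: no ip unreachables)")
    if not saw_null0:
        findings.append("Null0 not configured: Security Audit would skip the unreachables fix")
    return findings
```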