Title

The system must not respond to ICMPv6 echo requests sent to a broadcast address. (Cat II impact)

Discussion

Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks.

Check Content

Determine if the system blocks inbound IPv6 ICMP echo-requests sent to the all-hosts multicast address. Procedure: # ipfstat -6 -i Check for a rule such as: block in quick proto icmpv6 from any to ff02::1 icmpv6-type 128 If a rule blocking inbound IPv6 ICMP echo-requests sent to the all-hosts multicast address does not exist, this is a finding.

Fix Text

Add an IPF rule to block inbound IPv6 ICMP ECHO_REQUEST packets sent to the all-hosts multicast address. Edit /etc/opt/ipf/ipf6.conf and add a rule such as: block in quick proto icmpv6 from any to ff02::1 icmpv6-type 128 Reload the IPF rules. # ipf -6 -Fa -A -f /etc/opt/ipf/ipf6.conf

Additional Identifiers

Rule ID: SV-29786r1_rule

Vulnerability ID: V-23972

Group Title: GEN007950

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.