Title

The system must not respond to ICMP timestamp requests sent to a broadcast address. (Cat II impact)

Discussion

The processing of Internet Control Message Protocol (ICMP) timestamp requests increases the attack surface of the system. Responding to broadcast ICMP timestamp requests facilitates network mapping and provides a vector for amplification attacks.

Check Content

Determine the type of zone that you are currently securing. # zonename If the zone is not the global zone, determine if any interfaces are exclusive to the zone: # dladm show-link If the output indicates "insufficient privileges" then this requirement is not applicable. If the zone is the global zone or the non-global zone has exclusive interfaces verify the system does not respond to ICMP timestamp requests set to broadcast addresses. # ndd /dev/ip ip_respond_to_echo_broadcast If the result is not 0, this is a finding.

Fix Text

Configure the system to not respond to ICMP timestamp requests sent to broadcast addresses. # ndd -set /dev/ip ip_respond_to_echo_broadcast 0 Also add this command to a system startup script.

Additional Identifiers

Rule ID: SV-227797r603266_rule

Vulnerability ID: V-227797

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.