Notes:
- Host Requirements RFC-1122 Section 3.2.2.6 states “An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.”
- IBM has provided a setting in AIX 4.x to disable responses to broadcast addresses. It is not available in AIX 3.x. Use the "no" command to turn it off or on. NOTE: On AIX 4.x responses are DISABLED by default.
no -o bcastping=0 # disable bcast ping responses (default)
- Solaris can be set not to respond to broadcast ICMP echo requests. Add the following line to your /etc/rc2.d/S69inet startup:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
- Starting with version 2.2.5, FreeBSD's IP stack does not respond to ICMP echo requests destined to broadcast and multicast addresses by default. The sysctl parameter for this functionality is net.inet.icmp.bmcastecho.
- Under NetBSD, directed broadcasts can be disabled by using the sysctl command:
sysctl -w net.inet.ip.directed-broadcast=0
- Under Linux, one can use the CONFIG_IP_IGNORE_ECHO_REQUESTS variable to completely ignore ICMP echo requests. Of course, this violates RFC 1122.
- Any system (including Linux) with ipfw can be protected by adding rules such as:
ipfwadm -I -a deny -P icmp -D 123.123.123.0 -S 0/0 0 8
ipfwadm -I -a deny -P icmp -D 123.123.123.255 -S 0/0 0 8
(replace 123.123.123.0 and 123.123.123.255 with your base network number and broadcast address, respectively)
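Added example (not from the original slides): the two rules above fit a /24, where the base network number ends in .0 and the broadcast address in .255. On other prefix lengths the two addresses differ, so this sketch derives both from any host address and prefix length and prints the same two rules in the form shown above. The function names and the 192.0.2.77/26 sample are constructed for illustration.

```sh
#!/bin/sh
# Added example: compute base network number and broadcast address, then
# print the two ipfwadm deny rules from the notes with those addresses.

# ip_to_int A.B.C.D -> 32-bit integer; fails on malformed input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Reject empty octets and leading zeros (would be read as octal).
        case $o in ''|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_bounds ADDR PREFIXLEN -> "network broadcast"
# /31 and /32 are rejected: they have no broadcast address to filter.
subnet_bounds() {
    addr=$(ip_to_int "$1") || return 1
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 30 ] || return 1
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    net=$(( addr & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast")"
}

# smurf_rules ADDR PREFIXLEN -> the two deny rules, one per line
smurf_rules() {
    bounds=$(subnet_bounds "$1" "$2") || return 1
    for dst in $bounds; do
        echo "ipfwadm -I -a deny -P icmp -D $dst -S 0/0 0 8"
    done
}

# Constructed sample: a host in a /26, where the broadcast address is not .255.
smurf_rules 192.0.2.77 26
```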