Disable ICMP Redirects

What the ICMP redirect disabler does

This Automox Worklet™ modifies Linux kernel network parameters to reject ICMP redirect messages. By default, many Linux distributions accept ICMP redirects, which allows the system to update its routing table based on these network messages. Attackers can exploit this to redirect traffic through malicious hosts.

The Worklet configures four sysctl parameters: net.ipv4.conf.all.accept_redirects, net.ipv4.conf.default.accept_redirects, net.ipv4.conf.all.secure_redirects, and net.ipv4.conf.default.secure_redirects. Setting all four to 0 provides comprehensive protection against ICMP redirect attacks.

Why disable ICMP redirects on your network

ICMP redirects were designed to help routers inform hosts of better routes. In modern networks with properly configured routing, this feature provides minimal benefit while creating security risk. An attacker on the same network segment can send spoofed ICMP redirects to manipulate traffic flow.

This attack enables man-in-the-middle scenarios, traffic interception, and denial of service. Vulnerability scanners such as Rapid7 flag enabled ICMP redirects as a security finding. Disabling them aligns with CIS Benchmarks and other security hardening frameworks.

The Worklet creates a persistent configuration at /etc/sysctl.d/ax_icmp_disable_redirect.conf that applies settings automatically on boot. This approach is preferable to modifying /etc/sysctl.conf directly because it preserves your changes during system updates.

How ICMP redirect remediation works

1. Evaluation phase: Reads current values of the four ICMP redirect sysctl parameters using sysctl -n. If any value is not 0, the endpoint is non-compliant and remediation is triggered.

2. Remediation phase: Creates or updates /etc/sysctl.d/ax_icmp_disable_redirect.conf with all four parameters set to 0, then runs sysctl --system to reload all sysctl configuration files and apply the changes immediately.

ICMP hardening requirements

• Linux endpoints with sysctl support

• Root privileges for the Automox agent

• Write access to /etc/sysctl.d/

• Compatible with workstations and servers

Expected network security state

After remediation, all four ICMP redirect parameters are set to 0. Verify by running sysctl net.ipv4.conf.all.accept_redirects and checking the other three parameters. Each should return 0.

The /etc/sysctl.d/ax_icmp_disable_redirect.conf file persists the configuration across reboots. The endpoint will no longer accept ICMP redirect messages, protecting it from routing table manipulation attacks on the local network.

How to validate disable icmp redirects changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for disable icmp redirects.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

4. Validate remediation effects from script operations such as function, else, /bin/cat, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for disable icmp redirects. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit, else and remediation operations such as function, else, /bin/cat. Use these indicators to verify that endpoint changes match intended policy outcomes.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for disable icmp redirects. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit, else and remediation operations such as function, else, /bin/cat. Use these indicators to verify that endpoint changes match intended policy outcomes.