Disables ICMP redirect acceptance on Linux endpoints to block MITM routing attacks and clear CIS 3.3.2
This Automox Worklet™ disables ICMP redirect acceptance on Linux endpoints. Most mainstream distributions ship with accept_redirects enabled, which lets the kernel rewrite its routing table in response to an inbound ICMP type 5 message. An attacker sharing the local segment can forge that message and steer traffic through a host they control.
The Worklet writes a sysctl drop-in to /etc/sysctl.d/ax_icmp_disable_redirect.conf and sets four kernel parameters: net.ipv4.conf.all.accept_redirects, net.ipv4.conf.default.accept_redirects, net.ipv4.conf.all.secure_redirects, and net.ipv4.conf.default.secure_redirects. Each value is pinned to 0. The drop-in approach is preferred over editing /etc/sysctl.conf because package upgrades and distribution-provided configs leave it alone.
After writing the file, the Worklet runs sysctl --system to reload every drop-in under /etc/sysctl.d/, /usr/lib/sysctl.d/, and /run/sysctl.d/, so the new values take effect immediately without a reboot. The script is idempotent: a compliant endpoint exits 0 without touching disk, and a non-compliant endpoint is brought into state and re-verified on the next evaluation.
ICMP redirects were designed in an era when end hosts learned routes from helpful gateways. On a modern enterprise LAN the routing topology is fixed, and accept_redirects=1 buys nothing operationally while opening a man-in-the-middle attack surface. A spoofed ICMP type 5 packet from a same-segment attacker rewrites the victim's route to a target prefix, redirecting traffic through the attacker's host for interception, modification, or denial of service. Tools like Ettercap and Scapy automate the attack in a few lines.
The finding shows up under CIS Benchmark control 3.3.2 (ICMP redirects must not be accepted) on every major Linux distribution profile, NIST 800-53 SC-7, and the network hardening section of DISA STIGs. Vulnerability scanners including Rapid7 InsightVM, Tenable Nessus, and Qualys VMDR flag enabled redirects as a medium-severity host configuration issue. Pinning the four parameters to 0 closes the finding across all three scanners with a single Worklet.
Manual remediation across a mixed fleet is slow and easy to get wrong: an admin has to SSH to each host, edit /etc/sysctl.conf or a drop-in by hand, run sysctl --system, and confirm /proc/sys/net/ipv4/conf/all/accept_redirects reads 0. The Worklet collapses that loop into a single policy that records before-and-after values in the Automox activity log, so a 500-host CIS 3.3.2 finding is closed in one run and the evidence is captured for the auditor without any follow-up SSH work.
Evaluation phase: The Worklet iterates the four target sysctl keys and reads their running values with sysctl -n. If any value is not 0, the endpoint is flagged non-compliant and remediation is scheduled. Output records the key, the observed value, and the desired value of 0, so the activity log carries the evidence an auditor needs without a follow-up SSH session.
Remediation phase: The Worklet writes /etc/sysctl.d/ax_icmp_disable_redirect.conf containing all four parameters set to 0, then runs sysctl --system to reload every drop-in on the host. The file is overwritten in place when the parameters drift, so a junior admin who toggles accept_redirects=1 to debug a routing issue is automatically reverted on the next policy run. Exit code 0 indicates the new state is verified live in the kernel; non-zero surfaces a write or reload failure in Automox activity output.
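The two phases above, as an added Bash example that is not the Worklet's own code: one script with an `evaluate` mode and an idempotent `remediate` mode that writes the drop-in, reloads with `sysctl --system`, and re-verifies the live kernel values. The AX_DROPIN, AX_SKIP_RELOAD and AX_SYSCTL_READ overrides are assumptions added so the logic can be exercised in a scratch directory without root.

```shell
#!/bin/bash
# Added example (not Automox's own Worklet code): evaluation and remediation
# phases for the four ICMP redirect sysctls described above.
set -u
# Drop-in path from the page; the AX_DROPIN override is an assumption for testing.
AX_DROPIN="${AX_DROPIN:-/etc/sysctl.d/ax_icmp_disable_redirect.conf}"
AX_KEYS="net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects \
net.ipv4.conf.all.secure_redirects net.ipv4.conf.default.secure_redirects"

# Running value of one key via `sysctl -n`. AX_SYSCTL_READ (assumed name) may
# name a shell function that stands in for the kernel when testing without root.
ax_read_key() {
  if [ -n "${AX_SYSCTL_READ:-}" ]; then "$AX_SYSCTL_READ" "$1"
  else sysctl -n "$1" 2>/dev/null || echo "unreadable"; fi
}

# Evaluation phase: log key / observed / desired, return 1 if any key is not 0.
ax_evaluate() {
  rc=0
  for key in $AX_KEYS; do
    val="$(ax_read_key "$key")"
    printf '%s observed=%s desired=0\n' "$key" "$val"
    [ "$val" = "0" ] || rc=1
  done
  return $rc
}

# Content of the drop-in: every key pinned to 0.
ax_render_dropin() {
  printf '# Managed by Automox Worklet: ICMP redirects disabled (CIS 3.3.2)\n'
  for key in $AX_KEYS; do printf '%s = 0\n' "$key"; done
}

# Remediation phase: compliant hosts return 0 without touching disk; otherwise
# write the drop-in, reload with `sysctl --system`, then re-verify live values.
ax_remediate() {
  if ax_evaluate >/dev/null; then echo "compliant, no changes made"; return 0; fi
  ax_render_dropin > "$AX_DROPIN" || { echo "write failed: $AX_DROPIN" >&2; return 1; }
  chmod 0644 "$AX_DROPIN"
  if [ -z "${AX_SKIP_RELOAD:-}" ]; then
    sysctl --system >/dev/null 2>&1 || { echo "sysctl --system failed" >&2; return 1; }
  fi
  ax_evaluate   # exit status reflects the kernel state after the reload
}

case "${1:-}" in
  evaluate)  ax_evaluate ;;
  remediate) ax_remediate ;;
  *)         echo "usage: $0 evaluate|remediate" >&2 ;;
esac
```

Run as `./ax_icmp_redirects.sh evaluate` to produce the per-key evidence lines, or `remediate` to bring the host into state; a non-zero exit from either mode is what the activity log surfaces.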
Linux endpoint running a kernel with the sysctl interface and a writable /etc/sysctl.d/ directory (RHEL, CentOS, Rocky, Alma, Fedora, Debian, Ubuntu, SUSE)
Root privileges for the Automox agent (the default agent context already meets this)
sysctl (with --system support, normally /sbin/sysctl) available on PATH (present on every supported distribution by default)
Compatible with workstations and servers, including hosts behind a corporate proxy or in air-gapped network segments (no external network calls are made)
No conflicting drop-in in /etc/sysctl.d/ that sets accept_redirects or secure_redirects to 1; if one exists, remove or relocate it before scheduling this Worklet
/etc/sysctl.d/ax_icmp_disable_redirect.conf exists on the endpoint, owned by root, with the four parameters set to 0. Running sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects net.ipv4.conf.all.secure_redirects net.ipv4.conf.default.secure_redirects returns 0 for every key. The values persist across reboots because the drop-in is reloaded by systemd-sysctl at boot.
Validate the kernel state directly with cat /proc/sys/net/ipv4/conf/all/accept_redirects, which reads from the same in-memory tunable that ICMP processing checks. Re-run a Rapid7, Nessus, or Qualys scan against the host and confirm the ICMP redirect finding is cleared; for CIS evidence, capture the contents of /etc/sysctl.d/ax_icmp_disable_redirect.conf alongside the Automox activity log for the policy run. Subsequent evaluations report compliant without touching disk again, because the four sysctl reads already match the desired value.
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.