
The system must not respond to ICMPv6 echo requests sent to a broadcast address.


Overview

Finding ID: V-23972
Version: GEN007950
Rule ID: SV-29786r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks.
STIG: HP-UX 11.31 Security Technical Implementation Guide
Date: 2018-03-01

Details

Check Text (C-36757r1_chk)
Determine if the system blocks inbound IPv6 ICMP echo-requests sent to the all-hosts multicast address.

Procedure:
# ipfstat -6 -i

Check for a rule such as:
block in quick proto icmpv6 from any to ff02::1 icmpv6-type 128

If a rule blocking inbound IPv6 ICMP echo-requests sent to the all-hosts multicast address does not exist, this is a finding.
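
The check above can be scripted. The following is an added example, not part of the STIG text: the function name, the sample rule sets and the assumption that ipfstat prints rules in the same form as the rule shown above are all illustrative. It requires the full rule form given in the check, including "quick" and "from any", which is stricter than the check wording.

```shell
#!/bin/sh
# Added example (not from the STIG): audit IPF IPv6 inbound rules for GEN007950.
# Reads rule text on stdin; returns 0 when the block rule is present,
# 1 (a finding) when it is not.
# Assumption: rules arrive in the textual form shown in the check text.
# On a live system:   ipfstat -6 -i | has_echo_block_rule
has_echo_block_rule() {
    awk '
    {
        sub(/#.*/, "")                       # ignore comments
        if ($1 != "block" || $2 != "in") next
        quick = proto = src = dst = etype = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "quick") quick = 1
            if ($i == "proto" && $(i+1) == "icmpv6") proto = 1
            if ($i == "from" && $(i+1) == "any") src = 1
            if ($i == "to" && $(i+1) == "ff02::1") dst = 1
            if ($i == "icmpv6-type" && $(i+1) == "128") etype = 1
        }
        # Every element must appear on the same rule line.
        if (quick && proto && src && dst && etype) found = 1
    }
    END { exit (found ? 0 : 1) }
    '
}

# Constructed sample rule sets (not captured from a real system).
COMPLIANT='# sample inbound IPv6 rules
block in quick proto icmpv6 from any to ff02::1 icmpv6-type 128
pass in proto icmpv6 from any to any'

# Near misses: pass instead of block, wrong ICMPv6 type without quick,
# and the all-routers address instead of all-hosts.
NONCOMPLIANT='pass in quick proto icmpv6 from any to ff02::1 icmpv6-type 128
block in proto icmpv6 from any to ff02::1 icmpv6-type 129
block in quick proto icmpv6 from any to ff02::2 icmpv6-type 128'

if printf '%s\n' "$COMPLIANT" | has_echo_block_rule; then
    echo "COMPLIANT sample: not a finding"
fi
printf '%s\n' "$NONCOMPLIANT" | has_echo_block_rule ||
    echo "NONCOMPLIANT sample: finding"
```
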

Fix Text (F-32141r1_fix)
Add an IPF rule to block inbound IPv6 ICMP ECHO_REQUEST packets sent to the all-hosts multicast address.

Edit /etc/opt/ipf/ipf6.conf and add a rule such as:
block in quick proto icmpv6 from any to ff02::1 icmpv6-type 128

Reload the IPF rules.
# ipf -6 -Fa -A -f /etc/opt/ipf/ipf6.conf