IP Source Routing
Source routing is a feature of IP whereby the sender of a packet can specify, in an IP option, the route the packet must take. Attackers use it to reach hosts behind filtering devices and to spoof addresses while still receiving the replies, which follow the reversed source route. Cisco routers accept and process source-routed packets by default. Unless the network depends on source routing, disable it on every router with the global configuration command no ip source-route. Figure shows how to disable IP source routing.
Proxy ARP
Network hosts use the Address Resolution Protocol (ARP) to translate IP addresses into MAC addresses. Normally, ARP transactions are confined to a single LAN segment. A Cisco router can act as an intermediary for ARP, answering ARP requests on selected interfaces with its own MAC address on behalf of hosts on other segments, and thus enabling transparent access between multiple LAN segments. This service is called proxy ARP. Proxy ARP should be used only between two LAN segments at the same trust level, and only when absolutely necessary to support legacy network architectures.
Cisco routers perform proxy ARP by default on all IP interfaces. Disable it on each interface where it is not needed, even on interfaces that are currently idle, using the interface configuration command no ip proxy-arp. Figure shows how to disable proxy ARP on an Ethernet interface.
IP Directed Broadcast
A directed broadcast permits a host on one LAN segment to initiate a physical broadcast on a different LAN segment. This technique was used in some old amplification DoS attacks (the "smurf" attack), and Cisco IOS has rejected directed broadcasts by default since release 12.0. Explicitly disable directed broadcasts on each interface anyway, using the interface configuration command no ip directed-broadcast, so that the setting does not depend on the image's default.
IP Classless Routing
By default, a Cisco router will attempt to route almost any IP packet. If a packet arrives addressed to an unknown subnet of a classful network that the router knows about, IP classless routing lets IOS forward the packet along the best available route (a supernet or the default route) instead of dropping it. This feature is often not needed. On routers where IP classless routing is not needed, disable it with the global configuration command no ip classless, as shown. Note that with classless routing disabled, such packets are dropped rather than sent toward the default route, so confirm that no addressing or default-route design in the network depends on this behavior before disabling it.
IP Unreachables, Redirects, Mask Replies
The Internet Control Message Protocol (ICMP) supports IP traffic by relaying information about paths, routes, and network conditions. Cisco routers automatically send ICMP messages under a wide variety of conditions. Three ICMP messages are commonly used by attackers for network mapping and diagnosis:
- Host unreachable (reveals which addresses are unused or filtered; disable with no ip unreachables)

- Redirect (reveals the router's routing decisions and can be used to steer host traffic; disable with no ip redirects)

- Mask Reply (reveals the subnet mask of the segment; disable with no ip mask-reply)

A complete list of ICMP message types is shown in Figure.
Automatic generation of these messages should be disabled on all interfaces, especially interfaces connected to untrusted networks. Be aware that no ip unreachables also suppresses the "fragmentation needed" unreachable message, which path MTU discovery depends on; if hosts behind the router rely on PMTUD across that interface, test the change before deploying it.
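The five settings above (source routing, proxy ARP, directed broadcast, classless routing, and the three ICMP message types) are easy to miss on a router with many interfaces, because IOS omits default-valued settings from show running-config. The following script is an added example, not part of the original guide and not Cisco's own tooling: it parses a saved running-config, replays each setting the way the IOS CLI does (the last command wins), reports every interface or global scope where one of the services is still enabled, and emits the configuration commands that close each finding. The sample configuration is constructed for this example, the default-on/off table assumes the defaults of current IOS releases (older images differ; adjust the table for your fleet), and the parser only understands the stanza layout of a plain running-config dump.

```python
"""Audit a saved Cisco IOS running-config for the hardening items in this section."""
import re
from collections import namedtuple

# Feature -> (description, enabled_by_default). Assumed defaults of current IOS
# releases: directed-broadcast and mask-reply are off by default, the rest are on.
GLOBAL_FEATURES = {
    "ip source-route": ("IP source routing", True),
    "ip classless": ("IP classless routing", True),
}
INTERFACE_FEATURES = {
    "ip proxy-arp": ("proxy ARP", True),
    "ip redirects": ("ICMP redirects", True),
    "ip unreachables": ("ICMP unreachables", True),
    "ip directed-broadcast": ("IP directed broadcast", False),
    "ip mask-reply": ("ICMP mask reply", False),
}

Finding = namedtuple("Finding", "scope feature fix")

# Constructed sample config (not from a real device): Gi0/0 is hardened, Gi0/1 and
# the loopback are not, and the global section still has both global services on.
SAMPLE_CONFIG = """\
!
hostname edge-rtr
!
ip source-route
ip classless
!
interface GigabitEthernet0/0
 description untrusted side
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface GigabitEthernet0/1
 description inside
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
!
interface Loopback0
 ip address 203.0.113.9 255.255.255.255
!
end
"""


def parse_config(text):
    """Split a running-config into global lines and per-interface subcommand lines."""
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' separates stanzas
            continue
        if line.startswith(" "):    # indented line: subcommand of the open stanza
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        match = re.match(r"interface\s+(\S+)$", line)
        if match:
            current = match.group(1)
            interfaces.setdefault(current, [])   # a repeated stanza extends the first
        else:
            global_lines.append(line)
    return global_lines, interfaces


def effective_state(lines, features):
    """Replay config lines in order; the last matching command wins, as on the IOS CLI."""
    state = {cmd: default for cmd, (_, default) in features.items()}
    for line in lines:
        for cmd in features:
            if line == cmd:
                state[cmd] = True
            elif line == f"no {cmd}":
                state[cmd] = False
    return state


def audit(text):
    """Return a Finding for every scope where one of the services is still enabled."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd, enabled in effective_state(global_lines, GLOBAL_FEATURES).items():
        if enabled:
            findings.append(Finding("global", GLOBAL_FEATURES[cmd][0], f"no {cmd}"))
    for name, lines in interfaces.items():
        for cmd, enabled in effective_state(lines, INTERFACE_FEATURES).items():
            if enabled:
                findings.append(Finding(name, INTERFACE_FEATURES[cmd][0], f"no {cmd}"))
    return findings


def remediation(findings):
    """Emit the configuration-mode commands that close the findings, grouped by scope."""
    out = []
    for scope in dict.fromkeys(f.scope for f in findings):
        fixes = [f.fix for f in findings if f.scope == scope]
        if scope == "global":
            out.extend(fixes)
        else:
            out.append(f"interface {scope}")
            out.extend(" " + fix for fix in fixes)
    return "\n".join(out)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.scope:22} {f.feature:24} -> {f.fix}")
    print("--- remediation ---")
    print(remediation(audit(SAMPLE_CONFIG)))
```

Running it against the sample reports nine findings (two global, four on GigabitEthernet0/1, three on Loopback0, none on the hardened GigabitEthernet0/0); appending the emitted remediation to the config and auditing again yields none, which is the check to run after the change is pushed to a real device.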