
No IP-forwarding

Severity: HIGH
Exploitability: HIGH
Providers: Google Cloud Provider
Categories: NETWORK

Description

IP forwarding enables packets to be sent to multiple networks. It is mostly used on routers. In other situations, allowing IP forwarding is not advised.

Disabling IP forwarding makes the kernel check each packet's destination and source. The kernel then discards any packet whose destination is not reachable from the packet's source. This ensures packets remain within their respective instance network.

Note that IP forwarding is now disabled in the default GCP configuration.

Impact

Potential data exposure: True
Visible in logs: True
User interaction required: False
Privileges required: False

When IP forwarding is enabled, an attacker can route packets through the host and may bypass firewalls and routers. This can lead to Distributed Denial of Service (DDoS) or unauthorized access to the instance.

Remediation guidelines

Update the canIpForward instance property in the instance Networking section.
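
To find which instances need this change, the following added example (not part of the original rule or of any Google tooling) audits instance JSON in the shape returned by `gcloud compute instances list --format=json` and separates approved routers from violations. The sample data is constructed, and the `role=router` label used to mark approved forwarders is a hypothetical convention.

```python
import json

# Constructed sample, shaped like `gcloud compute instances list --format=json`.
SAMPLE = """[
 {"name": "web-1", "zone": "projects/example/zones/europe-west1-b",
  "canIpForward": false,
  "networkInterfaces": [{"network": "projects/example/global/networks/default"}]},
 {"name": "nat-gw", "zone": "projects/example/zones/europe-west1-b",
  "canIpForward": true, "labels": {"role": "router"},
  "networkInterfaces": [{"network": "projects/example/global/networks/dmz"},
                        {"network": "projects/example/global/networks/default"}]},
 {"name": "batch-7", "zone": "projects/example/zones/us-central1-a",
  "canIpForward": true,
  "networkInterfaces": [{"network": "projects/example/global/networks/default"}]},
 {"name": "db-1", "zone": "projects/example/zones/us-central1-a",
  "networkInterfaces": [{"network": "projects/example/global/networks/default"}]}
]"""

# Assumption: approved forwarders (routers, NAT gateways) carry this label.
# The label name is hypothetical; use your own inventory convention.
ROUTER_LABEL = ("role", "router")


def short(url):
    """Return the last path segment of a resource URL."""
    return url.rsplit("/", 1)[-1]


def audit_ip_forwarding(instances, allow_label=ROUTER_LABEL):
    """List instances with canIpForward enabled, split by approval status."""
    key, value = allow_label
    findings = []
    for inst in instances:
        # A missing field is treated as disabled.
        if not inst.get("canIpForward", False):
            continue
        approved = (inst.get("labels") or {}).get(key) == value
        nets = {short(n.get("network", "")) for n in inst.get("networkInterfaces", [])}
        findings.append({
            "name": inst["name"],
            "zone": short(inst.get("zone", "")),
            "networks": sorted(nets),
            "status": "approved-router" if approved else "violation",
        })
    return findings


if __name__ == "__main__":
    for f in audit_ip_forwarding(json.loads(SAMPLE)):
        print(f"{f['status']:15} {f['name']:8} {f['zone']:15} {','.join(f['networks'])}")
```

Instances reported as `violation` are the ones whose canIpForward property should be updated; an approved router attached to more than one network is still worth reviewing because it bridges them.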
