
How to remediate – IP Protocols Scan

1. Introduction

This plugin detects IP Protocols Scan, which identifies the protocols supported by a remote system’s network stack. This information can be used by attackers to fingerprint the target and identify potential vulnerabilities in specific protocols. Systems with many enabled protocols may have a larger attack surface. A successful exploit could lead to information disclosure or denial of service.

2. Technical Explanation

The vulnerability lies in exposing which IP protocols are supported by the system. Attackers can use this knowledge to target specific, potentially vulnerable protocols. There is no CVE associated with simply *detecting* protocol support; however, vulnerabilities exist within individual protocols themselves. An attacker could scan a network for systems supporting Protocol X and then attempt to exploit a known flaw in that protocol on those targets. Affected systems include any device running an IP stack, such as servers, workstations, routers, and firewalls.

  • Root cause: The system advertises its supported protocols over the network.
  • Exploit mechanism: An attacker sends probes to discover supported protocols, then attempts exploits specific to those protocols. For example, an attacker might identify support for ICMP and attempt a ping flood attack.
  • Scope: All systems running TCP/IP are potentially affected.

3. Detection and Assessment

You can confirm protocol support using network scanning tools or by examining the system’s configuration. A quick check involves listing active network interfaces, while a thorough method uses packet capture to identify advertised protocols.

  • Quick checks: Use `ipconfig /all` (Windows) to view network interface details, or `netstat -a` (Linux/macOS) to list open and listening sockets, which may reveal exposed services.
  • Scanning: Nmap can be used with the `-sP` option for a basic host-discovery scan, but more detailed protocol detection requires specific script options (e.g., `nmap --script ip-protocols`). These are examples only.
  • Logs and evidence: Network traffic captures using tools like Wireshark will show advertised protocols in the IP headers of packets.

4. Solution / Remediation Steps

Reducing the number of enabled IP protocols minimizes the attack surface. Disable any protocol that is unused or unnecessary for the system's role.

4.1 Preparation

  • Dependencies: Ensure you have administrator access to the system.
  • Roll back plan: Re-enable any disabled protocols if issues arise.
  • Change window needs: Coordinate with network administrators, especially in production environments.

4.2 Implementation

  1. Step 1: Identify unused IP protocols using `netstat -a` or similar tools.
  2. Step 2: Disable unnecessary protocols via the operating system’s networking configuration (see below for examples).
  3. Step 3: Restart network services to apply changes.

4.3 Config or Code Example

Before

# Example (Linux): /proc/sys/net/ipv4/ip_forward contains 1 (IP forwarding enabled)

After

# Example (Linux): /proc/sys/net/ipv4/ip_forward contains 0 (IP forwarding disabled - if not needed)

4.4 Security Practices Relevant to This Vulnerability


  • Practice 1: Principle of Least Privilege – disable unused network protocols to reduce the attack surface.

4.5 Automation (Optional)

#!/usr/bin/env bash
# Example: disable IP forwarding on a Linux host (requires root)
sudo sysctl -w net.ipv4.ip_forward=0
# Persist the setting across reboots (the file name is only an example)
echo 'net.ipv4.ip_forward = 0' | sudo tee /etc/sysctl.d/99-disable-ip-forward.conf

5. Verification / Validation

Confirm the fix by re-scanning for supported protocols and verifying that unnecessary ones are no longer advertised. A simple service smoke test ensures basic network connectivity remains functional.

  • Post-fix check: Run `netstat -a` again to confirm disabled protocols are no longer listed.
  • Re-test: Re-run the Nmap scan with `--script ip-protocols` and verify that fewer protocols are detected.
  • Smoke test: Verify basic network connectivity by pinging a known host or accessing a web page.
  • Monitoring: Monitor network traffic for unexpected protocol advertisements using Wireshark or similar tools. This is an example only.
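The following script is an added example and is not part of the original article or of the scanner plugin it describes. It ties together the detection step (section 3), the before/after sysctl change (section 4.3) and the post-fix check (section 5) on a Linux host: it inventories the protocol handlers the kernel has registered in `/proc/net/protocols`, compares them with an approved baseline such as the one section 6 recommends, and reads or writes a sysctl value through the `/proc/sys` tree and reads it back so the "after" state is confirmed rather than assumed. The function names (`list_protocols`, `unapproved_protocols`, `sysctl_get`, `sysctl_set`) and the sample protocol table are constructed for this example; the table mirrors the layout of a real `/proc/net/protocols` file, and the `sysctl_*` helpers take a root directory so they can be exercised against a temporary copy without root privileges.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): inventory registered IP
# protocol handlers, check them against a baseline, and change a sysctl
# setting with a read-back. Sample data and function names are constructed.

# Constructed sample in the layout of Linux /proc/net/protocols
# (first column is the protocol name; the header line is skipped).
SAMPLE_PROTOCOLS='protocol  size sockets  memory press maxhdr  slab module     cl co di ac io in de sh ss gs se re sp bi br ha uh gp em
SCTP       1600      0       0   no       0   yes  sctp        y  y  y  y  y  y  y  y  y  y  y  n  n  n  n  n  n  n  n
UDP        1088     12       0   NI       0   yes  kernel      y  y  y  n  y  y  y  n  y  y  y  y  y  n  n  y  y  y  y
RAW         960      1       0   NI       0   yes  kernel      y  y  y  n  y  y  y  n  y  y  y  n  n  n  n  y  y  y  y
PING        928      0       0   NI       0   yes  kernel      y  y  y  n  y  y  y  n  y  y  y  n  n  n  n  y  y  y  y
TCP        2168    114     218   no     320   yes  kernel      y  y  y  y  y  y  y  y  y  y  y  y  y  n  y  y  y  y  y'

# Print the protocol names registered in a /proc/net/protocols-style file,
# one per line, sorted. With no argument it reads the live kernel table.
list_protocols() {
    file="${1:-/proc/net/protocols}"
    awk 'NR > 1 { print $1 }' "$file" | sort -u
}

# Print every registered protocol that is not in the comma-separated
# baseline (e.g. "TCP,UDP,RAW,PING"). Returns 0 when the host matches the
# baseline and 1 when at least one unapproved protocol is present.
unapproved_protocols() {
    file="$1"; baseline="$2"
    found=0
    for p in $(list_protocols "$file"); do
        case ",$baseline," in
            *",$p,"*) ;;                      # approved
            *) echo "$p"; found=1 ;;          # not in the baseline
        esac
    done
    return $found
}

# Read a dotted sysctl key (net.ipv4.ip_forward) from a /proc/sys-style
# tree rooted at $1. On a real host pass /proc/sys as the root.
sysctl_get() {
    root="$1"; key="$2"
    cat "$root/$(printf '%s' "$key" | tr . /)"
}

# Write a dotted sysctl key under the given root and echo the value read
# back from the file, so callers see the effective value, not the request.
sysctl_set() {
    root="$1"; key="$2"; value="$3"
    path="$root/$(printf '%s' "$key" | tr . /)"
    mkdir -p "$(dirname "$path")"
    printf '%s\n' "$value" > "$path"
    sysctl_get "$root" "$key"
}

# Stand-alone run against the constructed sample in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PROTOCOLS" > "$demo_dir/protocols"
echo "Registered protocols:"
list_protocols "$demo_dir/protocols"
echo "Not in baseline TCP,UDP,RAW,PING:"
if unapproved_protocols "$demo_dir/protocols" "TCP,UDP,RAW,PING"; then
    echo "(none)"
fi
# Before/after for the page's ip_forward example, on a scratch /proc/sys copy
echo "before: ip_forward=$(sysctl_set "$demo_dir/sys" net.ipv4.ip_forward 1)"
echo "after:  ip_forward=$(sysctl_set "$demo_dir/sys" net.ipv4.ip_forward 0)"
rm -rf "$demo_dir"
```

On a live host, `list_protocols` with no argument and `sysctl_get /proc/sys net.ipv4.ip_forward` read the real kernel state; writing under `/proc/sys` needs root and is not persistent, so a reboot-safe change still belongs in `/etc/sysctl.d`. The baseline comparison returns a non-zero exit status when a protocol outside the approved list is registered, which makes it easy to drop into the pipeline checks section 6 suggests.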

6. Preventive Measures and Monitoring


  • Baselines: Update security baselines or policies to include a list of approved IP protocols for each system type.
  • Pipelines: Incorporate network configuration checks into CI/CD pipelines to prevent the accidental enabling of unnecessary protocols.
  • Asset and patch process: Regularly review network configurations as part of an asset management program.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Disabling a required protocol may break network functionality.
  • Risk or side effect 2: Incorrect configuration could lead to connectivity issues.
  • Roll back: Re-enable any disabled protocols via the operating system’s networking configuration and restart network services.

8. References and Resources

Updated on December 27, 2025
