An unsolicited ICMP reply
02-05-2014 04:55 AM - edited 02-13-2014 06:27 AM
Why would some important computers on my network start sending ICMP replies to an external IP address when there was never an ICMP Ping Request (echo)? Seeing 0 hits via any search mechanism for this specific scenario, we thought we'd share our findings.
We searched in vain for something which would incite a reply where there was no echo. We knew when it started, we knew where it was trying to go, but finding out why was problematic. Network Monitor confirmed the packets were sourcing from the victims but will not reveal the process generating the traffic. Process Monitor is conspicuously silent during the time in question. Changes made to the file system around zulu were clean. A memory dump wasn't of assistance. Hashes of binaries were legitimate. Prefetch was benign. The interval of the echo reply was consistent. There are no matches for a multitude of string/word variants for obfuscating the target IP.
Rewording our searches reveals the article /t5/Systems-Management-OpenView-OP/ICMP-heartbeat/ where Drew Dimmick (THANK YOU) writes "OVO ... does implement an additional status monitoring capability based on a "heard from" (not polling) heartbeat monitor - the agents send icmp replies to the manager *unasked for* - the management server monitors if its heard from the node in the last x time and will interrogate the node with a direct ping & rpc call if it isn't heard from - this reduces the overhead of the status monitoring, as OVO will only actively poll nodes when they have not been heard from. Both OVOW and OVOU implement heartbeat polling with this approach (icmp reply) as its extremely network efficient and very low overhead on the receiving systems (tcp requests are many times more expensive)"
This helped us focus on the most recent install performed by another team of OVO. The suspicious activity and change were close enough. Performed a "net stop opcmsga" & the beacon ceases. After enabling logging we find in \Program Files\HP OpenView\data\log\trace_hang\agentrc_xxxx.trc the smoking gun. "I_am_alive-pkg" logging "Sending ICMP reply" to prim.mgr, albeit WITH THE IP INVERSED. Address: 1.2.3.4 becomes Address: 4.3.2.1
So are we really the first people to have discovered that this mechanism is totally dysfunctional?
Hope this is helpful for someone out there in Networking / Security.
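A detection check for the scenario in the post above, as an added example (not code from the original thread, nor from HP OVO): it flags ICMP echo replies in a capture that have no preceding matching echo request, measures their interval, and tests whether a beacon destination is a known manager address with its octets reversed. The packet records, hosts and manager address are constructed; a real feed would come from a capture export.

```python
from collections import defaultdict
ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type codes
# Constructed sample records: (t_seconds, src, dst, icmp_type, icmp_id, seq).
# 10.0.0.5 is a monitored host; 4.3.2.1 stands in for the external address.
SAMPLE = [
    (0.00, "10.0.0.5", "10.0.0.9", ECHO_REQUEST, 0x1234, 1),
    (0.01, "10.0.0.9", "10.0.0.5", ECHO_REPLY, 0x1234, 1),  # answers the request above
    (30.0, "10.0.0.5", "4.3.2.1", ECHO_REPLY, 0x0001, 1),   # no request seen: beacon
    (60.0, "10.0.0.5", "4.3.2.1", ECHO_REPLY, 0x0001, 2),
    (90.0, "10.0.0.5", "4.3.2.1", ECHO_REPLY, 0x0001, 3),
]

def unsolicited_replies(packets, window=5.0):
    """Return (src, dst, t) for echo replies whose matching request
    (dst -> src, same id and seq) was not seen within `window` seconds."""
    pending = {}  # (requester, target, id, seq) -> time of request
    flagged = []
    for t, src, dst, typ, ident, seq in sorted(packets):
        if typ == ECHO_REQUEST:
            pending[(src, dst, ident, seq)] = t
        elif typ == ECHO_REPLY:
            t_req = pending.pop((dst, src, ident, seq), None)
            if t_req is None or t - t_req > window:
                flagged.append((src, dst, t))
    return flagged

def beacon_intervals(flagged):
    """Inter-arrival times per (src, dst); a steady interval, as the post
    describes, points at a heartbeat rather than stray traffic."""
    by_pair = defaultdict(list)
    for src, dst, t in flagged:
        by_pair[(src, dst)].append(t)
    return {pair: [round(b - a, 3) for a, b in zip(ts, ts[1:])]
            for pair, ts in by_pair.items()}

def reversed_octets(ip):
    """Octet-reversed IPv4 address: the post saw 1.2.3.4 logged as 4.3.2.1."""
    return ".".join(reversed(ip.split(".")))

def candidate_managers(flagged, known_managers):
    """Map each beacon destination to a known manager address if it matches
    directly or with its octets reversed (the misconfiguration in the thread)."""
    out = {}
    for _, dst, _ in flagged:
        if dst in known_managers:
            out[dst] = dst
        elif reversed_octets(dst) in known_managers:
            out[dst] = reversed_octets(dst)
    return out
```

A destination that only matches a manager after octet reversal is worth checking against the agent's trace log before treating the traffic as hostile.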
02-08-2014 04:57 PM - edited 02-08-2014 04:59 PM
Re: An unsolicited ICMP response
It would be helpful to include the full URL to that post:
http://h30499.www3.hp.com/t5/Systems-Management-OpenView-OP/ICMP-heartbeat/m-p/3626930#M56990
You might want to give Drew a Kudos. :-)
08-20-2014 11:47 PM