An unsolicited ICMP reply

31douglas
Frequent Visitor


Why would some important computers on my network start sending ICMP replies to an external IP address when there was never an ICMP Ping Request (echo)? Seeing 0 hits via any search mechanism for this specific scenario, thought we'd share our findings.


We searched in vain for something which would incite a reply where there was no echo. We knew when it started, we knew where it was trying to go, but finding out why was problematic. Network Monitor confirmed the packets were sourcing from the victims but will not reveal the process generating the traffic. Process Monitor is conspicuously silent during the time in question. Changes made to the file system around zulu were clean. A memory dump wasn't of assistance. Hashes of binaries were legitimate. Prefetch was benign. The interval of the echo reply was consistent. There are no matches for a multitude of string/word variants for obfuscating the target IP.


Rewording our searches reveals the article /t5/Systems-Management-OpenView-OP/ICMP-heartbeat/ where Drew Dimmick (THANK YOU) writes "OVO ... does implement an additional status monitoring capability based on a "heard from" (not polling) heartbeat monitor - the agents send icmp replies to the manager *unasked for* - the management server monitors if it's heard from the node in the last x time and will interrogate the node with a direct ping & rpc call if it isn't heard from - this reduces the overhead of the status monitoring, as OVO will only actively poll nodes when they have not been heard from. Both OVOW and OVOU implement heartbeat polling with this approach (icmp reply) as it's extremely network efficient and very low overhead on the receiving systems (tcp requests are many times more expensive)"


This helped us focus on the most recent install performed by another team of OVO. The suspicious activity and change were close enough. Performed a "net stop opcmsga" & the beacon ceases. After enabling logging we find in \Program Files\HP OpenView\data\log\trace_hang\ agentrc_xxxx.trc the smoking gun. "I_am_alive-pkg" logging "Sending ICMP reply" to prim.mgr, albeit WITH THE IP INVERSED. Address: 1.2.3.4 becomes Address: 4.3.2.1


So are we really the first people to have discovered that this mechanism is totally dysfunctional?

Hope this is helpful for someone out there in Networking / Security.
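The triage logic the post describes, as an added example that is not part of the original thread: correlate echo replies against earlier echo requests so that replies nobody asked for stand out, and check whether their destination is the octet-reversed form of the expected manager address. The packet records and the addresses (manager 192.0.2.10, hosts in 10.0.0.0/8) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Icmp:
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    kind: str      # "echo-request" or "echo-reply"
    ident: int     # ICMP identifier
    seq: int       # ICMP sequence number

def octets_reversed(ip: str) -> str:
    """Dotted quad with its octets in reverse order: 1.2.3.4 -> 4.3.2.1."""
    return ".".join(reversed(str(IPv4Address(ip)).split(".")))

def unsolicited_replies(packets, window=5.0):
    """Echo replies that no echo request explains. A reply A->B with (ident, seq)
    is solicited only if B->A sent a request with the same (ident, seq) at most
    `window` seconds earlier."""
    requests = {}   # (src, dst, ident, seq) -> timestamp of the request
    found = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.kind == "echo-request":
            requests[(p.src, p.dst, p.ident, p.seq)] = p.ts
        elif p.kind == "echo-reply":
            t = requests.get((p.dst, p.src, p.ident, p.seq))
            if t is None or p.ts - t > window:
                found.append(p)
    return found

def triage(packets, manager_ip, window=5.0):
    """Per (src, dst): count of unsolicited replies, and whether dst is the
    octet-reversed manager address (the symptom described in the thread)."""
    summary = {}
    for p in unsolicited_replies(packets, window):
        key = (p.src, p.dst)
        summary[key] = summary.get(key, 0) + 1
    return {k: {"count": n, "reversed_manager": k[1] == octets_reversed(manager_ip)}
            for k, n in summary.items()}

# Constructed sample capture: one legitimate ping exchange, then a host that emits
# an echo reply every 30 s toward 10.2.0.192 although no request ever arrived.
MANAGER = "192.0.2.10"                       # assumed OVO manager address
SAMPLE = [
    Icmp(0.0, "10.0.0.7", "10.0.0.1", "echo-request", 0x1234, 1),
    Icmp(0.1, "10.0.0.1", "10.0.0.7", "echo-reply",   0x1234, 1),
    Icmp(10.0, "10.0.0.5", "10.2.0.192", "echo-reply", 0x0001, 1),
    Icmp(40.0, "10.0.0.5", "10.2.0.192", "echo-reply", 0x0001, 2),
    Icmp(70.0, "10.0.0.5", "10.2.0.192", "echo-reply", 0x0001, 3),
]
```

Running `triage(SAMPLE, MANAGER)` reports the three replies from 10.0.0.5 and flags their destination as the reversed manager address, which is the pattern the log entry above explains.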

Dennis Handly
Acclaimed Contributor

Re: An unsolicited ICMP response

It would be helpful to include the full URL to that post:

http://h30499.www3.hp.com/t5/Systems-Management-OpenView-OP/ICMP-heartbeat/m-p/3626930#M56990


You might want to give Drew a Kudos. :-)

31douglas
Frequent Visitor
Solution

Re: An unsolicited ICMP reply

Agent version 11.13 with patch HFWIN_13044 resolves this issue.