IMC spoofing IP Addresses ?

Peter_Debruyne
Honored Contributor


Hi,

I have a customer who is monitoring several HP/Avaya switches with IMC. The switches are on remote routed subnets, some simply routed, others routed by firewalls.
In the firewall logs however, they have noticed IP spoofing from the IMC subnet.
After analysis and packet traces, it appeared that IMC itself is not only trying to send ICMP echo requests with its own IP address, but also with a source IP address from the subnet of the managed devices.
For example: IMC has IP 10.1.1.101/24, the remote device has IP 10.1.2.11/24, connected by firewall/router. With a Wireshark trace on the IMC, we see IMC is sending ICMP echo requests with source IP e.g. 10.1.2.253 to the 10.1.2.11 device. We see similar behavior for devices in other subnets, e.g. for the switch with IP 10.1.3.11/24, IMC would use source IP 10.1.3.254.
The trace actually shows that the source MAC address of the device is the IMC server.

We have already disabled the dismanping on the IMC configuration.
This is an IMC Enterprise installation on Windows Server on an ESX host (trial license).

Of course the firewall team does not like this, since they get plenty of log messages about IP spoofing.
Has anyone experienced this already, does anyone know why IMC would be doing this?

Thank you, Peter.

4 REPLIES
Neelixx
Frequent Advisor

Re: IMC spoofing IP Addresses ?

Very strange. I'm sure you have already checked whether there are multiple IP addresses assigned to the iMC host or not?

-------
Aaron Paxson
@Neelixx
Peter_Debruyne
Honored Contributor

Re: IMC spoofing IP Addresses ?

Hi Aaron,

Thanks for your reply (I have also posted this request on http://www.netopscommunity.net , I will sync the outcome)

Yes, only 1 IP assigned.

It really seems to be looping through all possible 10.0.0.0/8 subnets (making up /24 subnets itself) and sending the echo requests with some random source subnet IP (but always based on an IP of a managed host).

Could it be trying to discover hosts with a mismatched subnet mask? (The remote host will be sending an ARP request, so that can/could be picked up by IMC or another routing device (and then queried by IMC via SNMP ARP tables).)

It could be doing smart things, but I do not understand it, and more important, I would need to know how to turn it off ...

Best regards, Peter

khoh
Senior Member

Re: IMC spoofing IP Addresses ?

Hi,

I've stumbled across the same problem today. We use E0705P10.
IMC tries to ping many different switches (probably all) with different IPs from the switches' subnets.

E.g.: Switch IP 10.21.1.254/24, here IMC uses 10.21.1.249, but from its own subnet 10.1.5.0/24. Our firewall doesn't like that and blocks it.

How to stop this behaviour? And why is it doing that?

jguse
HPE Pro

Re: IMC spoofing IP Addresses ?

Hello,

This sounds like the "Forged Ping Packets" feature of iMC that helps to provide an accurate network topology, by forcing devices to keep their ARP tables updated using these kinds of pings. You should be able to turn it off via the System Settings -> Layer 2 Topology Configuration -> set Enable Forged Ping Packets to No.

Best regards,
Justin

Working @ HPE
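An added example, not part of the thread and not iMC code: one way to separate the forged pings described above from other spoofed traffic in a capture taken on the iMC server. The iMC MAC address, the /24 prefix length, the tab-separated row layout (eth.src, ip.src, ip.dst, icmp.type) and the sample rows are assumptions constructed for illustration; the IP addresses are the ones quoted in the first post.

```python
import ipaddress
from collections import Counter

# Assumptions (not from the thread): the iMC server's MAC address, the /24
# prefix length, and rows exported as tab-separated
# eth.src, ip.src, ip.dst, icmp.type.
IMC_IP = ipaddress.ip_address("10.1.1.101")  # iMC address given in the first post
IMC_MAC = "00:50:56:aa:bb:cc"                # constructed placeholder MAC

# Constructed sample rows built from the addresses quoted in the thread.
SAMPLE = "\n".join([
    "00:50:56:aa:bb:cc\t10.1.1.101\t10.1.2.11\t8",  # ordinary poll from iMC's own IP
    "00:50:56:aa:bb:cc\t10.1.2.253\t10.1.2.11\t8",  # source inside the target's /24
    "00:50:56:aa:bb:cc\t10.1.3.254\t10.1.3.11\t8",  # source inside the target's /24
    "00:50:56:aa:bb:cc\t10.1.7.9\t10.1.2.11\t8",    # source in an unrelated subnet
    "00:11:22:33:44:55\t10.1.2.11\t10.1.1.101\t0",  # echo reply from the switch
    "truncated row",                                # malformed export line
])

def classify(row, prefix_len=24):
    """Label one row: 'normal', 'forged-ping', 'other-spoof' or 'ignored'."""
    fields = row.strip().split("\t")
    if len(fields) != 4:
        return "ignored"
    mac, src, dst, icmp_type = fields
    # Only ICMP echo requests (type 8) leaving the iMC NIC are of interest.
    if mac.lower() != IMC_MAC or icmp_type != "8":
        return "ignored"
    try:
        src_ip = ipaddress.ip_address(src)
        dst_net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
    except ValueError:
        return "ignored"
    if src_ip == IMC_IP:
        return "normal"
    # Pattern from the thread: the source address is borrowed from the
    # managed device's own subnet while the frame carries the iMC MAC.
    if src_ip in dst_net:
        return "forged-ping"
    return "other-spoof"  # not explained by the iMC feature; investigate

def summarize(text):
    """Count rows per label for a whole export."""
    return Counter(classify(r) for r in text.splitlines() if r.strip())

if __name__ == "__main__":
    for row in SAMPLE.splitlines():
        print(classify(row), row.replace("\t", " "))
```

Rows labelled `other-spoof` do not fit the pattern reported in this thread and should still be treated as spoofing alerts after the iMC setting is changed.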