Operating System - HP-UX
Re: Too much of ICMP request

SOLVED
Prathap Krishna
Occasional Advisor

Too much of ICMP request

There are more than 3000 ICMP requests per minute going from a database LAN network interface to the default gateway. We are not able to identify which process or which job is generating them. Can anyone please help with this?

It's an HP-UX 11.31 OS.
Turgay Cavdar
Honored Contributor

Re: Too much of ICMP request

Hi,
By default HP-UX servers perform dead gateway detection. These ICMP packets may result from this feature. To see the current value of ip_ire_gw_probe, run:

ndd -get /dev/ip ip_ire_gw_probe

If you see the value 1 then HP-UX is sending ICMP packets to probe whether the gateway is alive or not.

If you don't want this, you can turn off ip_ire_gw_probe:

ndd -set /dev/ip ip_ire_gw_probe 0
Prathap Krishna
Occasional Advisor

Re: Too much of ICMP request

The output of the ndd command is 1. It is also enabled at the firewall. We need to have this enabled, so please let me know whether there is any way to find out why the network switch side is receiving so many ICMP requests.
Kapil Jha
Honored Contributor
Solution

Re: Too much of ICMP request

Hey Prathap,

What is the value of ip_ire_gw_probe_interval?

You may like to refer to
http://docs.hp.com/en/11890/perf-whitepaper-tcpip-v1_1.pdf
pages 56-67.

Let me know the value of the above parameter.

BR,
Kapil+
I am in this small bowl, I wane see the real world......
rick jones
Honored Contributor

Re: Too much of ICMP request

Someone would have had to have really badly botched setting the ip_ire_gw_probe_interval to get 3000 of them a minute. That is 50 of them a second, which means the interval would have to be 20 milliseconds.

On my 11.31 system (and my 11.11 system) the default setting appears to be 180000 milliseconds:

# ndd /dev/ip ip_ire_gw_probe_interval
180000

which is three minutes.

I believe this is what an ICMP echo request for the ire gw probe looks like in tcpdump:

17:34:56.220113 tardy.cup.hp.com > cup47bronze-gw.cup.hp.com: icmp: echo request (DF)
0x0000 4500 0040 d101 4000 ff01 a131 1059 f4d5 E..@..@....1.Y..
0x0010 1059 f401 0800 8f53 1234 5678 0000 0000 .Y.....S.4Vx....
0x0020 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................

If it is someone running ping commands it will probably look more like:

17:34:13.312681 cup47bronze-gw.cup.hp.com > tardy.cup.hp.com: icmp: echo reply (DF)
0x0000 4500 0054 d100 4000 ff01 a11e 1059 f401 E..T..@......Y..
0x0010 1059 f4d5 0000 8dff 033e 0001 4b88 7695 .Y.......>..K.v.
0x0020 0004 c19c 0809 0a0b 0c0d 0e0f 1011 1213 ................
0x0030 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050 3435 3637 4567

Further, the minimum setting for ip_ire_gw_probe_interval is 15000 milliseconds, or 15 seconds.

I suppose if someone is motivated (it is always best for actual customers to ask) it wouldn't be a bad idea to submit an enhancement request against the transport asking that it include some "text" in its ICMP echo requests for ire gw probes - something as simple as "IRE PROBE" would suffice - then a tcpdump -X output such as the above would show it.
there is no rest for the wicked yet the virtuous have no pillows
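The distinction rick jones draws above (id 0x1234/seq 0x5678 with an all-zero payload for the ire gw probe, versus a timestamp plus an incrementing 0x08.. byte pattern for ping) can be checked mechanically. The following is an added example, not code from the thread or from HP-UX: it decodes the two hex dumps quoted above, classifies the ICMP echo by its payload, and converts a packet count per minute into the spacing a steady source would need.

```python
"""Decode tcpdump -x hex dumps of ICMP echo packets and classify them (added example)."""
import string
from collections import namedtuple

# Constructed input: the two dumps quoted in the thread. tcpdump's ASCII column can look
# like hex (the trailing "4567" is the ASCII for 34 35 36 37), so the decoder trusts the
# IP total-length field rather than the number of words printed on a line.
GW_PROBE = """0x0000 4500 0040 d101 4000 ff01 a131 1059 f4d5
0x0010 1059 f401 0800 8f53 1234 5678 0000 0000
0x0020 0000 0000 0000 0000 0000 0000 0000 0000
0x0030 0000 0000 0000 0000 0000 0000 0000 0000"""
PING_REPLY = """0x0000 4500 0054 d100 4000 ff01 a11e 1059 f401
0x0010 1059 f4d5 0000 8dff 033e 0001 4b88 7695
0x0020 0004 c19c 0809 0a0b 0c0d 0e0f 1011 1213
0x0030 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
0x0040 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
0x0050 3435 3637 4567"""

Echo = namedtuple("Echo", "kind ident seq payload_len verdict")

def parse_hexdump(text):
    """Collect the hex words that follow each '0xNNNN' offset into raw packet bytes."""
    raw = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("0x"):
            for word in fields[1:9]:  # at most 8 two-byte words per line
                if len(word) in (2, 4) and all(c in string.hexdigits for c in word):
                    raw += bytes.fromhex(word)
    return bytes(raw)

def classify_echo(pkt):
    """Decode IPv4 + ICMP echo and say whether the payload looks like a gw probe or a ping."""
    ihl, total_len = (pkt[0] & 0x0F) * 4, int.from_bytes(pkt[2:4], "big")
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:total_len]  # drops anything beyond the IP total length
    kind = {8: "echo request", 0: "echo reply"}.get(icmp[0], "icmp type %d" % icmp[0])
    ident, seq = int.from_bytes(icmp[4:6], "big"), int.from_bytes(icmp[6:8], "big")
    payload = icmp[8:]
    if payload and not any(payload):
        verdict = "all-zero payload: consistent with the ire gw probe"
    elif len(payload) > 8 and payload[8:] == bytes(range(8, len(payload))):
        verdict = "timestamp + incrementing 0x08.. pattern: consistent with ping"
    else:
        verdict = "unrecognised payload"
    return Echo(kind, ident, seq, len(payload), verdict)

def implied_interval_ms(packets_per_minute):
    """Spacing (ms) a single steady source would need to emit this many packets per minute."""
    return 60000.0 / packets_per_minute
```

Feeding a real capture through the same decoder is a quick way to see whether the 3000 requests per minute share the probe's signature or look like a ping loop before chasing the process that sends them.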
Michael Steele_2
Honored Contributor

Re: Too much of ICMP request

Hi

Besides the above, this is also a classic denial of service attack (* ping them to death attack *), so you might want to download a copy of Wireshark for your PC to analyze where this traffic is coming from. There is also tcpdump, standard in Linux systems and freeware for HP-UX, snoop, standard in Solaris, and other network 'sniffers' around.
Support Fatherhood - Stop Family Law
Kapil Jha
Honored Contributor

Re: Too much of ICMP request

Quite possibly somebody is trying to eavesdrop, but as you said the ping requests are from server to gateway; how did you get that, from the network team or from some tool as suggested by Michael?

What about the parameter value?

BR,
Kapil+
I am in this small bowl, I wane see the real world......
rick jones
Honored Contributor

Re: Too much of ICMP request

I suppose it would be good to cross the i's and dot the t's and check the value of ip_ire_gw_probe_interval, but since the minimum value is three minutes, and these ICMP requests are happening every 20 milliseconds the chances of (m)any of these being from gateway probes is pretty minimal.
there is no rest for the wicked yet the virtuous have no pillows