ICMP Timestamp Requests

The_Doc_Man
Advisor

I have some new Itaniums (rx2800 i2) running OpenVMS 8.4, with TCPIP Services 5.7 and recent patches for both.  We are running services SSH, SMTP, SNMP, NTP, and FTP service (the latter ONLY across a VPN).  IPSEC was available but we disabled it for our site.  It just gets in the way and we have no particular need for it anyway.  We are also running Legato/Networker for site backups (looks like RPC though we don't specifically enable RCP service), and we have ORACLE (Client only) installed, which uses an SQLNet port outbound.

This is a USA Dept. of Defense site, so we have to go through some security hoops.  One of our scans said it saw a packet of type "ICMP Timestamp Request" so at first we thought that was NTP.  However, we did some web searching and found that in general, NTP doesn't use that particular packet type.  So...

Does anyone know which protocols in the above configuration DO use ICMP Timestamp Request packets?  By any chance does the TCPIP$NTP system on OpenVMS use this kind of packet even though the web search suggests otherwise?

Security+ Certified; HP OpenVMS CSA (v8)
Hoff
Honored Contributor

Re: ICMP Timestamp Requests

I'd stare at SNMP.

The_Doc_Man
Advisor

Re: ICMP Timestamp Requests

Thanks, Hoff.  I'll pass that along to my guys on the Network Security team.  I'll also perhaps take a run at the RFC for SNMP to see what it uses.  That's a great starting point.

Security+ Certified; HP OpenVMS CSA (v8)
The_Doc_Man
Advisor
Solution

Re: ICMP Timestamp Requests

Well, some bad news and some better news.

SNMP doesn't do it.  According to the RFC it has a TCP-class packet for this purpose, so doesn't need an ICMP packet.  I can't even find an RFC that seriously talks about this request other than describing its format.  I haven't found an RFC to admit using it.

The better news is that with some serious digging, we found a note that if you use eEye scan products, there is a chance that the ICMP Timestamp Request "finding" is a false positive that would not actually elicit a response through any channel other than "localhost" as a partner.

Thanks for looking, though, Hoff.

Security+ Certified; HP OpenVMS CSA (v8)
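
Added example, not part of the thread: a decoder for the ICMP Timestamp message format from RFC 792 (type 13 request, type 14 reply) that can be run over captured ICMP payloads to check whether a scanner "finding" corresponds to a reply the host actually sent. The function names are hypothetical and the sample packets are constructed.

```python
import struct

TS_REQUEST, TS_REPLY = 13, 14          # ICMP types defined in RFC 792
FMT = "!BBHHHIII"                      # type, code, checksum, id, seq, 3 timestamps

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_timestamp(icmp_type, ident, seq, originate, receive=0, transmit=0):
    """Build a 20-byte timestamp message; used only to construct sample data."""
    body = struct.pack(FMT, icmp_type, 0, 0, ident, seq, originate, receive, transmit)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_timestamp(msg: bytes):
    """Decode an ICMP payload; return None unless it is a type 13 or 14 message."""
    if len(msg) < struct.calcsize(FMT) or msg[0] not in (TS_REQUEST, TS_REPLY):
        return None
    t, code, _, ident, seq, orig, recv, xmit = struct.unpack(FMT, msg[:20])
    return {
        "kind": "request" if t == TS_REQUEST else "reply",
        "checksum_ok": inet_checksum(msg) == 0,
        "id": ident, "seq": seq,
        # Timestamps are milliseconds since midnight UT (RFC 792).
        "originate_ms": orig, "receive_ms": recv, "transmit_ms": xmit,
    }

def host_answered(messages, ident, seq):
    """True only if a well-formed type 14 reply matches the probe's id and seq."""
    for m in map(parse_timestamp, messages):
        if m and m["kind"] == "reply" and m["checksum_ok"] \
                and (m["id"], m["seq"]) == (ident, seq):
            return True
    return False

# Constructed sample: a probe at 12:00:00 UT and the reply a responding host would send.
PROBE = build_timestamp(TS_REQUEST, 0x1234, 1, 43_200_000)
REPLY = build_timestamp(TS_REPLY, 0x1234, 1, 43_200_000, 43_200_005, 43_200_005)

if __name__ == "__main__":
    print(parse_timestamp(PROBE))
    print("reply seen:", host_answered([PROBE], 0x1234, 1))         # request only
    print("reply seen:", host_answered([PROBE, REPLY], 0x1234, 1))  # real reply
```

A capture that contains only the type 13 request and no matching type 14 reply is consistent with the false-positive explanation in the last post.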