- Community Home
- >
- Networking
- >
- IMC
- >
- IMC spoofing IP Addresses ?
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2013 08:23 AM
тАО01-21-2013 08:23 AM
IMC spoofing IP Addresses ?
Hi,
I have a customer who is monitoring several HP/Avaya switches with IMC. The switches are on remote routed subnets, some simply routed, other routed by firewalls.
In the firewall logs however, they have noticed IP spoofing from the IMC subnet.
After analysis and packet traces, it appeared that IMC itself is not only trying the send icmp echo requests with its own IP address, but also with a source IP address from the subnet of the managed devices.
For example: IMC has IP 10.1.1.101/24, the remote device has IP 10.1.2.11/24, connected by firewall/router. With a wireshark trace on the IMC, we see IMC is sending icmp echo request with source IP e.g.10.1.2.253 to the 10.1.2.11 device. We see similar behavior for devices in other subnets, e.g. for switch with IP 10.1.3.11/24, IMC would use source IP 10.1.3.254.
The trace actually shows that the source MAC address of the device is the IMC server.
We have already disabled the dismanping on the IMC configuration.
This is an IMC Enterprise installation on Windows Server on an ESX host (trial license).
Of course the firewall team does not like this, since they get plenty of log messages about ip spoofing.
Has anyone experienced this already, does anyone know why IMC would be doing this ?
Thank you,Peter.
- Tags:
- firewall
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2013 08:30 AM
тАО01-21-2013 08:30 AM
Re: IMC spoofing IP Addresses ?
Aaron Paxson
@Neelixx
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-21-2013 08:41 AM
тАО01-21-2013 08:41 AM
Re: IMC spoofing IP Addresses ?
Hi Aaron,
Thanks for your reply (I have also posted this request on http://www.netopscommunity.net , I will sync the outcome)
Yes, only 1 IP assigned.
It really seems to be looping through all possible 10.0.0.0/8 subnets (making up /24 subnet himself) and sending with some random source subnet IP the echo requests (but always based on an IP of a managed host).
Could it be trying to discover hosts with a mismatched subnet mask ? (the remote host will be sending an arp request, so that can/could be picked up by IMC or another routing device (and then queried by IMC via snmp arp tables)) ?
It could be doing smart things, but I do not understand it, and more important, I would need to know how to turn it off ...
Best regards,Peter
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-15-2021 04:54 AM
тАО06-15-2021 04:54 AM
Re: IMC spoofing IP Addresses ?
Hi,
I've stumbled across the same problem today. We use E0705P10.
IMC tries to ping many different switches (probabliy all) with different IP's from the switches subnets.
Eg.: Switch IP 10.21.1.254/24, here IMC uses 10.21.1..249, but from its own subnet 10.1.5.0/24. Our firewall doesn't like that and blocks it.
How to stop this behaviour? And why is it doing that?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-15-2021 05:06 AM
тАО06-15-2021 05:06 AM
Re: IMC spoofing IP Addresses ?
Hello,
This sounds like the "Forged Ping Packets" feature of iMC that helps to provide an accurate network topology, by forcing devices to keep their ARP tables updated using these kinds of pings. You should be able to turn it off via the System Settings -> Layer 2 Topology Configuration -> set Enable Forged Ping Packets to No.
Justin
Working @ HPE
