Re: IMC spoofing IP Addresses ? (5136 Views)
Honored Contributor
Peter_Debruyne
Posts: 315
Registered: ‎03-21-2011
Message 1 of 3 (5,140 Views)

IMC spoofing IP Addresses ?

Hi,

I have a customer who is monitoring several HP/Avaya switches with IMC. The switches are on remote routed subnets, some simply routed, others routed by firewalls.
In the firewall logs however, they have noticed IP spoofing from the IMC subnet.
After analysis and packet traces, it appeared that IMC itself is not only trying to send ICMP echo requests with its own IP address, but also with a source IP address from the subnet of the managed devices.
For example: IMC has IP 10.1.1.101/24, the remote device has IP 10.1.2.11/24, connected by firewall/router. With a Wireshark trace on the IMC, we see IMC is sending ICMP echo requests with source IP e.g. 10.1.2.253 to the 10.1.2.11 device. We see similar behavior for devices in other subnets, e.g. for the switch with IP 10.1.3.11/24, IMC would use source IP 10.1.3.254.
The trace actually shows that the source MAC address of the device is the IMC server.

We have already disabled the dismanping on the IMC configuration.
This is an IMC Enterprise installation on Windows Server on an ESX host (trial license).

Of course the firewall team does not like this, since they get plenty of log messages about IP spoofing.
Has anyone experienced this already? Does anyone know why IMC would be doing this?

Thank you, Peter.

Frequent Advisor
Neelixx
Posts: 36
Registered: ‎03-17-2012
Message 2 of 3 (5,138 Views)

Re: IMC spoofing IP Addresses ?

Very strange. I'm sure you have already checked whether there are multiple IP addresses assigned to the iMC host or not?

-------
Aaron Paxson
@Neelixx
http://myteneo.net | http://netopscommunity.net
Honored Contributor
Peter_Debruyne
Posts: 315
Registered: ‎03-21-2011
Message 3 of 3 (5,136 Views)

Re: IMC spoofing IP Addresses ?

Hi Aaron,

Thanks for your reply (I have also posted this request on http://www.netopscommunity.net, I will sync the outcome).

Yes, only 1 IP assigned.

It really seems to be looping through all possible 10.0.0.0/8 subnets (making up the /24 subnets itself) and sending the echo requests with some random source subnet IP (but always based on an IP of a managed host).

Could it be trying to discover hosts with a mismatched subnet mask? (The remote host will be sending an ARP request, so that can/could be picked up by IMC or another routing device, and then queried by IMC via SNMP ARP tables.)

It could be doing smart things, but I do not understand it, and more importantly, I would need to know how to turn it off ...

Best regards, Peter
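
One way to quantify what the packet trace in this thread shows, as an added example that is not part of the original posts: it reads ICMP echo request rows exported from a capture and reports those sent from the IMC server's MAC with a source IP the server does not own, noting whether that source falls in the target's /24. The MAC addresses, the export format and the function name are assumptions; the IP addresses are the ones given in the first post.

```python
import ipaddress
from collections import defaultdict

# Assumptions: the MAC is a constructed placeholder for the IMC server's NIC;
# the IP is the IMC address given in the first post.
IMC_MAC = "00:50:56:aa:bb:01"
IMC_IPS = {ipaddress.ip_address("10.1.1.101")}

# Constructed sample rows (eth.src, ip.src, ip.dst), in the shape produced by:
#   tshark -r trace.pcap -Y "icmp.type == 8" -T fields -e eth.src -e ip.src -e ip.dst
SAMPLE = (
    "00:50:56:aa:bb:01\t10.1.1.101\t10.1.2.11\n"   # legitimate poll
    "00:50:56:aa:bb:01\t10.1.2.253\t10.1.2.11\n"   # foreign source, target's /24
    "00:50:56:aa:bb:01\t10.1.3.254\t10.1.3.11\n"
    "00:50:56:aa:bb:02\t10.1.1.50\t10.1.2.11\n"    # a different host, ignored
    "00:50:56:aa:bb:01\t10.1.2.253\t10.1.2.11\n"
)

def find_foreign_sources(rows, host_mac=IMC_MAC, host_ips=IMC_IPS, prefix=24):
    """Return {(src, dst): {"count": n, "same_subnet": bool}} for echo requests
    sent from host_mac with a source IP that is not assigned to that host."""
    hits = defaultdict(lambda: {"count": 0, "same_subnet": False})
    for line in rows.splitlines():
        fields = line.strip().split("\t")
        if len(fields) != 3:
            continue  # malformed row or missing field
        mac, src, dst = fields
        if mac.lower() != host_mac.lower():
            continue  # frame did not leave the monitored host's NIC
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if src_ip in host_ips:
            continue  # normal traffic from the host's own address
        # /24 is the prefix length the thread reports; adjust if yours differs.
        dst_net = ipaddress.ip_network(f"{dst_ip}/{prefix}", strict=False)
        entry = hits[(str(src_ip), str(dst_ip))]
        entry["count"] += 1
        entry["same_subnet"] = src_ip in dst_net
    return dict(hits)

if __name__ == "__main__":
    for (src, dst), info in sorted(find_foreign_sources(SAMPLE).items()):
        print(f"{src} -> {dst}  x{info['count']}  in target /24: {info['same_subnet']}")
```

Run against a capture taken on the server itself, the per-pair counts give the firewall team a list to match against their spoofing log entries.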
