Re: ICMP Timestamp Requests (440 Views)
Occasional Advisor
The_Doc_Man
Posts: 6
Registered: ‎03-30-2012
Message 1 of 4 (512 Views)
Accepted Solution

ICMP Timestamp Requests

I have some new Itaniums (rx2800 i2) running OpenVMS 8.4, with TCPIP Services 5.7 and recent patches for both.  We are running services SSH, SMTP, SNMP, NTP, and FTP service (the latter ONLY across a VPN).  IPSEC was available but we disabled it for our site.  It just gets in the way and we have no particular need for it anyway.  We are also running Legato/Networker for site backups (looks like RPC though we don't specifically enable RCP service), and we have ORACLE (Client only) installed, which uses an SQLNet port outbound.

This is a USA Dept. of Defense site, so we have to go through some security hoops.  One of our scans said it saw a packet of type "ICMP Timestamp Request" so at first we thought that was NTP.  However, we did some web searching and found that in general, NTP doesn't use that particular packet type.  So...

Does anyone know which protocols in the above configuration DO use ICMP Timestamp Request packets?  By any chance does the TCPIP$NTP system on OpenVMS use this kind of packet even though the web search suggests otherwise?

Security+ Certified; HP OpenVMS CSA (v8)
Honored Contributor
Hoff
Posts: 4,964
Registered: ‎01-29-2006
Message 2 of 4 (504 Views)

Re: ICMP Timestamp Requests

I'd stare at SNMP.

Occasional Advisor
The_Doc_Man
Posts: 6
Registered: ‎03-30-2012
Message 3 of 4 (457 Views)

Re: ICMP Timestamp Requests

Thanks, Hoff.  I'll pass that along to my guys on the Network Security team.  I'll also perhaps take a run at the RFC for SNMP to see what it uses.  That's a great starting point.

Security+ Certified; HP OpenVMS CSA (v8)
Occasional Advisor
The_Doc_Man
Posts: 6
Registered: ‎03-30-2012
Message 4 of 4 (440 Views)

Re: ICMP Timestamp Requests

Well, some bad news and some better news.

SNMP doesn't do it.  According to the RFC it has a TCP-class packet for this purpose, so doesn't need an ICMP packet.  I can't even find an RFC that seriously talks about this request other than describing its format.  I haven't found an RFC to admit using it.

The better news is that with some serious digging, we found a note that if you use eEYE scan products, there is a chance that the ICMP Timestamp Request "finding" is a false positive that would not actually elicit a response through any channel other than "localhost" as a partner.

Thanks for looking, though, Hoff.

Security+ Certified; HP OpenVMS CSA (v8)
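
One way to confirm or dismiss a scanner's "ICMP Timestamp Request" finding is to check a packet capture for a Timestamp Reply (type 14) that matches a Timestamp Request (type 13). The following is an added example, not part of any post in this thread; the message layout follows RFC 792, and the function names, addresses, and sample packets are constructed for illustration.

```python
import struct

TS_REQUEST, TS_REPLY = 13, 14  # ICMP type values from RFC 792

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_ts(icmp_type, ident, seq, orig, recv=0, xmit=0) -> bytes:
    """Hypothetical helper, used only to construct the sample packets below."""
    body = struct.pack("!HHIII", ident, seq, orig, recv, xmit)
    csum = inet_checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body

def parse_icmp_ts(msg: bytes):
    """Decode a type 13/14 message; None if malformed or the checksum fails."""
    if len(msg) < 20 or inet_checksum(msg) != 0:
        return None
    t, code, _, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", msg[:20])
    if t not in (TS_REQUEST, TS_REPLY) or code != 0:
        return None
    return {"type": t, "id": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}

def responders(packets):
    """packets: (src, dst, icmp_bytes) in capture order -> hosts that answered."""
    pending, answered = set(), set()
    for src, dst, raw in packets:
        m = parse_icmp_ts(raw)
        if m is None:
            continue
        key = (m["id"], m["seq"], m["originate"])  # a reply echoes these fields
        if m["type"] == TS_REQUEST:
            pending.add((src, dst, *key))
        elif (dst, src, *key) in pending:
            answered.add(src)
    return answered

# Constructed capture: scanner .10 probes .20 (answers) and .21 (silent);
# .22 sends a reply that matches no request. Timestamps are ms since midnight UT.
SAMPLE = [
    ("192.0.2.10", "192.0.2.20", build_icmp_ts(TS_REQUEST, 0x1234, 1, 36000000)),
    ("192.0.2.20", "192.0.2.10", build_icmp_ts(TS_REPLY, 0x1234, 1, 36000000, 36000050, 36000050)),
    ("192.0.2.10", "192.0.2.21", build_icmp_ts(TS_REQUEST, 0x1234, 2, 36000100)),
    ("192.0.2.22", "192.0.2.10", build_icmp_ts(TS_REPLY, 0x9999, 7, 1, 2, 3)),
]
```

A host that never appears in the result of `responders()` did not answer the probe in that capture, which is the evidence needed to mark the finding as a false positive.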