Re: Port scan causing system crashes

From: Clem Skorupka (ragnor@mitre.org)
Date: Thu Jun 12 2003 - 11:55:26 EDT


I had a case where an RPC scan using Nessus (I forget the particular module or if it was the nmap precursor scan, this was a couple of years ago) against some large range of ports knocked out an Allegro-based embedded web server on a network switch. It didn't crash this particular switch (though one had to reboot the switch in order to bring back the web interface).

Clem Skorupka
Lead INFOSEC Scientist
The MITRE Corporation

"Whiteside, Larry [contractor]" wrote:

> I have seen this on numerous occasions. Mainly on Unix or AIX systems and mainframes. It is the way they handle the number of invalid TCP packet requests. For each invalid TCP port that is probed, some AIX/Unix systems create a system message that takes a little bit more of the processor.
>
> When you figure that there may be a few hundred requests per second (depending on the scanner), then the system processor can quickly become overburdened. I would monitor that during the scan. Otherwise, I would monitor the system to see what processes get overwhelmed during a TCP scan. At least one of the processes on the system is going to increase. That may be your culprit.
>
> Hope this helps.
>
> L
> ***************************
> Larry Whiteside Jr.
> Sr. Security Engineer
>
> -----Original Message-----
> From: steve.x.jones@royalmail.com [mailto:steve.x.jones@royalmail.com]
> Sent: Thursday, June 12, 2003 7:23 AM
> To: pen-test@securityfocus.com
> Subject: Port scan causing system crashes
>
> Hello
>
> Please can you help? Has anyone else out there had issues with NMAP port scans
> (or any other port scanner) causing systems to crash?
>
> I use Nessus to baseline the security of our systems and have twice had problems
> caused by the NMAP port scan on clustered unix boxes running our enterprise
> applications. NOTE - it was the initial port scan that caused the problems, not
> the subsequent vulnerability assessment.
> I've done a quick Google search and found confirmation for one of the systems -
> BUGTRAQ Vulnerability 3358, "IBM HACMP Port Scan Denial of Service Vulnerability",
> the other was a bespoke app running on some HP-UX boxes.
>
> Does anyone know of other systems that fall over with a simple port scan?
>
> Up till now I've been running port scans happily across our subnets to look for
> rogue FTP, SMTP, HTTP etc.; obviously I'll have to take more care now...
>
> Thanks in advance for any help.
>
> Steve
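The monitoring step suggested in the quoted reply (find the process whose CPU use grows while the scan runs), as an added example that is not part of the original thread. It assumes two snapshots of `ps -eo pid,time,comm` taken 60 seconds apart on the scanned host; the process names and figures below are constructed sample data.

```python
import re

# Constructed samples: `ps -eo pid,time,comm` before and 60 s into a scan.
BEFORE = """\
  PID     TIME COMMAND
    1 00:00:04 init
  212 00:01:10 syslogd
  340 00:12:31 inetd
  977 1-02:03:04 appserver
 1500 00:00:01 sshd
"""
DURING = """\
  PID     TIME COMMAND
    1 00:00:04 init
  212 00:01:52 syslogd
  340 00:12:40 inetd
  977 1-02:03:05 appserver
 1620 00:00:02 sshd
"""

def cpu_seconds(field):
    """Convert a ps TIME value ([DD-]HH:MM:SS or MM:SS) to seconds."""
    days, _, clock = field.rpartition("-")
    secs = 0
    for part in clock.split(":"):
        secs = secs * 60 + int(part)
    return int(days or 0) * 86400 + secs

def parse(snapshot):
    """Map (pid, command) -> cumulative CPU seconds, skipping the header."""
    procs = {}
    for line in snapshot.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(.+)", line)
        if m:
            procs[(int(m.group(1)), m.group(3).strip())] = cpu_seconds(m.group(2))
    return procs

def cpu_growth(before, during, interval_s):
    """Rank processes by CPU used between snapshots (last field: % of one CPU)."""
    old, new = parse(before), parse(during)
    rows = []
    for (pid, comm), total in new.items():
        used = total - old.get((pid, comm), 0)  # process started mid-scan: count all
        if used > 0:
            rows.append((comm, pid, used, round(100.0 * used / interval_s, 1)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for comm, pid, used, pct in cpu_growth(BEFORE, DURING, 60):
        print(f"{comm:<10} pid={pid:<6} +{used}s CPU ({pct}% of one CPU)")
```

In this constructed data the logging daemon tops the ranking, which is the pattern the reply describes for hosts that emit a system message per invalid probe.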