Re: Nmap network auditing/exploring tool V. 2.00 released

From: Lamont Granquist (lamontgat_private)
Date: Tue Dec 22 1998 - 13:40:45 PST


    Another nmap-induced denial-of-service is against many machines' inetds
    when doing a TCP connect() scan (-sT), with the result of killing the inetd
    process.  I've found that Digital Unix and Irix have been vulnerable to
    this.  I cannot reliably reproduce the problem[*] and have not tested it
    against xinetd.
    
    The work-around for the nmap user is to never use connect() scans, and to
    explicitly use -sS (or one of the other stealth scans) in conjunction with
    -O.  There is no workaround for the system admin of the scanned system
    that I know of, other than automated monitoring for crashed inetds (I'd
    probably use netcat connecting to an inetd service like TCP daytime in a
    loop with appropriate logic and an appropriate response action...).
    
    [*] I have confirmed that it happens in response to a connect() scan and
        not any other TCP scan type and that it sometimes occurs immediately
        following a connect() scan when the inetd had been verified
        immediately previously to be running fine.
    
    On Tue, 22 Dec 1998, Olaf Selke wrote:
    > According to Sherwood Botsford:
    > >
    > > On Tue, 15 Dec 1998, Fyodor wrote:
    > >
    > > = I have just released version 2.00 of nmap, a program for network
    > > = security auditing and general Internet exploration.  Almost all of the
    > > = core code has been rewritten for better performance and accuracy, and
    > > = many new features have been added.  Here are some of its current
    > > = capabilities:
    > >
    > > Hi.  Any idea why most of my hosts running HPUX 10.10 crashed
    > > during a local network scan with
    > > nmap -O
    >
    > I reproducibly crashed Cisco routers running IOS version 12.0(1)
    > with nmap -sU.
    >
    > Olaf
    > --
    > Olaf Selke, olaf.selkeat_private, voice +49 5241 80-7069
    
    --
    Lamont Granquist                       lamontgat_private
    Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
    Box 352145 / University of Washington / Seattle, WA 98195
    PGP pubkey: finger lamontgat_private | pgp -fka
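The crashed-inetd monitor Lamont sketches above (netcat against TCP daytime in a loop, with a failure threshold and a response hook), written out as an added example; this is not code from the post or from nmap, it uses Python sockets in place of netcat, and the port, threshold, interval and the fake daytime listener used for a local self-test are all assumptions.

```python
import socket
import threading
import time

def probe_daytime(host, port=13, timeout=3.0):
    """Connect as `nc host 13` would; return the daytime banner, or None on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256).decode("ascii", "replace").strip() or None
    except OSError:  # refused, timed out, reset: inetd is not answering
        return None

class InetdWatch:
    """Counts consecutive failed probes and fires exactly one alert per outage."""
    def __init__(self, threshold=3):
        self.threshold, self.failures, self.alerted = threshold, 0, False

    def record(self, banner):
        """Feed one probe result; return True only when an alert should fire."""
        if banner is not None:  # inetd answered, so any outage is over
            self.failures, self.alerted = 0, False
            return False
        self.failures += 1
        if self.failures >= self.threshold and not self.alerted:
            self.alerted = True  # the post's "appropriate response action" hooks in here
            return True
        return False

def monitor(host, port=13, interval=30, threshold=3, on_down=print):
    """Poll forever; call on_down(msg) once `threshold` probes in a row fail."""
    watch = InetdWatch(threshold)
    while True:
        if watch.record(probe_daytime(host, port)):
            on_down("inetd on %s:%d missed %d probes in a row" % (host, port, threshold))
        time.sleep(interval)

def start_fake_daytime():
    """Constructed fixture: a one-shot local listener imitating inetd's daytime service."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"Tue Dec 22 13:40:45 1998\r\n")  # constructed banner
        conn.close()
        srv.close()  # after one answer the port goes dead, like a crashed inetd
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run against a real host with `monitor("scanned-host")`; the alert fires once after three misses and re-arms as soon as daytime answers again.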
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:43 PDT