Cisco and Nmap Dos

From: Lancashire, Andrew (LancashireAat_private)
Date: Tue Aug 31 1999 - 17:02:18 PDT


    I don't know if you've ever seen this before. We ran nmap with ICMP
    discover and standard tcp scan. We ran the scan against the entire 10.0.0.0
    network range. Although we were only looking for 2 ports, we found that the
    RSM in our 5500 series (our default route) was running out of memory and
    had to be rebooted by our Network Services group multiple times in the 18
    hour stretch it took to complete. One of the interesting things is that we
    were only generating about 3-5 Mbs and the 5500 can pass Gigabits. I have
    not heard of this problem before. We contacted Cisco and sent them the
    details. Below is the response to one of our engineers.
    
    Andrew
    
    -----Original Message-----
    From:	khollis [SMTP:khollisat_private]
    Sent:	Tuesday, August 31, 1999 7:59 AM
    To:	wescotdat_private
    Subject:	Regarding Case Number V44290
    
    Hi Dave, as I recall, the symptom we had to work/troubleshoot with was the
    router consumed lots of memory. Never heard about packets being dropped. So
    it seems like we forwarded everything nmap sent to us. The thing to keep in
    mind is that the router will dynamically allocate memory as necessary so
    that it can keep up with the load provided to it. Although we did not know
    nmap was running at the time, we noticed the memory consumed by the IP Input
    process dropped from 40M+ to an acceptable level of (4-5M) after nmap was
    shut down. This proves that the router needs this much memory to process the
    entire load generated by nmap.
    
    I suspect nmap was doing much more than you've been able to calculate. It's
    obvious that running nmap continuously for 18-19 hours caused this problem.
    One possible explanation is constantly flooding the router w/64 byte
    packets for this timeframe could have caused the router's memory to become
    seriously fragmented. Also, I guess we can't tell, but another question
    would be how many tcp sessions were requested/open on the router after this
    timeframe?
    
    Port scanners have a reputation of helping identify potential security
    problems. However, they are also known to cause problems...
    
    Hope this helps,
    KennyH.
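
The Cisco reply above turns on one observable: the memory held by the IP Input process climbed to 40M+ during the scan and fell back to 4-5M once nmap stopped. The following is an added example, not code from the original thread, showing how a defender could watch for that condition by parsing `show processes memory` snapshots and flagging any process whose Holding column exceeds a threshold. The column layout assumed here (PID, TTY, Allocated, Freed, Holding, Getbufs, Retbufs, Process) and the two sample outputs are constructed for illustration, with byte counts chosen to mirror the figures quoted in the reply.

```python
"""Flag runaway memory growth in IOS processes such as "IP Input".

Added example (not part of the original mailing-list post). The column
layout of `show processes memory` is an assumption made here:
PID TTY Allocated Freed Holding Getbufs Retbufs Process.
"""
import re

# One process row: seven numeric/ID columns followed by a process name
# that may itself contain spaces ("Chunk Manager", "IP Input").
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<tty>\d+)\s+(?P<alloc>\d+)\s+(?P<freed>\d+)\s+"
    r"(?P<holding>\d+)\s+(?P<getbufs>\d+)\s+(?P<retbufs>\d+)\s+(?P<name>.+?)\s*$"
)

# Constructed snapshot: roughly 40 MB held by IP Input while the scan runs.
DURING_SCAN = """\
Processor Pool Total:   67108864 Used:   50331648 Free:   16777216
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0    3112528     847256    2011456          0          0 *Init*
   1   0       5948       5948       6912          0          0 Chunk Manager
  12   0   91234567   49876543   41234567       1024          0 IP Input
  34   0     123456     120000       9876          0          0 CDP Protocol
"""

# Constructed snapshot: IP Input back to the 4-5 MB range after nmap stops.
AFTER_SCAN = """\
Processor Pool Total:   67108864 Used:   12582912 Free:   54525952
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0    3112528     847256    2011456          0          0 *Init*
   1   0       5948       5948       6912          0          0 Chunk Manager
  12   0   95678901   91111011    4567890       1024          0 IP Input
  34   0     123456     120000       9876          0          0 CDP Protocol
"""


def parse_process_memory(text):
    """Return {process name: bytes currently held} for every process row.

    Header and pool-summary lines do not match LINE_RE and are skipped.
    """
    holding = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            holding[m.group("name")] = int(m.group("holding"))
    return holding


def find_memory_hogs(text, threshold_bytes=10 * 1024 * 1024):
    """List (name, holding) for processes holding more than the threshold,
    largest first. The 10 MiB default sits well above the 4-5M baseline
    the reply calls acceptable and well below the 40M+ seen under scan."""
    parsed = parse_process_memory(text)
    hogs = [(name, held) for name, held in parsed.items() if held > threshold_bytes]
    return sorted(hogs, key=lambda item: -item[1])


def growth_between(before, after):
    """Per-process byte delta between two snapshots; positive means growth."""
    earlier = parse_process_memory(before)
    later = parse_process_memory(after)
    return {name: later[name] - earlier.get(name, 0) for name in later}


if __name__ == "__main__":
    for name, held in find_memory_hogs(DURING_SCAN):
        print(f"ALERT: {name} holding {held / 1048576:.1f} MiB")
    delta = growth_between(AFTER_SCAN, DURING_SCAN)
    print(f"IP Input grew by {delta['IP Input'] / 1048576:.1f} MiB during the scan")
```

Polling this at a fixed interval and alerting on the threshold would have surfaced the condition long before the RSM exhausted memory, and pairing the alert with a count of open TCP sessions on the router would answer the open question in the reply about how many sessions were requested during the scan.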
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:00:59 PDT