Kill a Unisys Clearpath with nmap port scan

From: Jonathan G. Lampe (jonathanat_private)
Date: Wed Oct 02 2002 - 13:57:39 PDT


    Unisys "Clearpath" mainframes are very sensitive to the probes of nmap and 
    similar programs.  Basically, by only port-scanning (not even 
    fingerprinting), you can cause the entire machine to seize up.  (Yes, the 
    whole machine...not just a job or the TCP/IP device.)
    
    The problem may be occurring because the host fires up a job to log each 
    incomplete TCP handshake - other people have suggested a problem with the 
    TCP/IP stack on the iron, but I really don't know for sure.
    
    I know people might think that I am just DoS'ing the machine, but I got 
    this to happen with "nmap -T Normal" and it happens even more easily at higher 
    speeds.  If I do the same scans against Windows, *nix, VAX, or any other 
    type of TCP/IP devices I can find, the target machine continues to respond 
    after the scan.  (Even on some 20 MHz DOS machines running a custom build of 
    TCP/IP!)  It's only the Clearpaths which seem to nose-dive.
    
    Lest you think I am complaining about a problem on a single machine, let me 
    assure you I have seen this happen three different times at three different 
    locations (2 financial data centers and 1 bank) on three different 
    machines.  I wrote this report after another security researcher 
    mentioned privately to me that he observed the same thing.
    
    So...what's my advice?  Don't use nmap or other port scanners against a 
    Clearpath - it will probably be fatal.
    
    Say hello to my little friend: "nmapnt 10.0.0.8 -p 1-1023 -T Normal"  (If 
    that doesn't work, make it less polite.  Watch the "SPO" for added fun.)
    
    * * * Vendor notification
    Unisys field engineers have been notified of each occurrence at the various 
    sites.  (I saw my first one go down in October 2001, saw the third do it 
    about a week ago.  All were on current releases.)
    
    Also notified Fyodor (of nmap) and submitted the "Unisys Clearpath NX" 
    fingerprints I had.
    