Re: Kill a Unisys Clearpath with nmap port scan

From: Mike Shaw (mshawat_private)
Date: Thu Oct 03 2002 - 07:47:50 PDT


    At 03:57 PM 10/2/2002 -0500, Jonathan G. Lampe wrote:
    >Unisys "Clearpath" mainframes are very sensitive to the probes of nmap and 
    >similar programs.  Basically, by only port-scanning (not even 
    >fingerprinting), you can cause the entire machine to seize up.  (Yes, the 
    >whole machine...not just a job or the TCP/IP device.)
    >
    >The problem may be occurring because the host fires up a job to log each 
    >incomplete TCP handshake - other people have suggested a problem with the 
    >TCP/IP stack on the iron, but I really don't know for sure.
    
    Wow, and I thought I was the only one who experienced this.   I ran a quick 
    Superscan (Foundstone) against a Clearpath subnet one time, and within an 
    hour was contacted by the admin for a "possible security issue".  This was 
    about the 4th time I had port scanned that network, only this time one of 
    the operations folks had noticed a huge spike in resource utilization.
    
    The problem I observed was that the system seems to run something like 
    inetd in which it fires up a process when something connects to the port, 
    instead of running network processes in a daemon mode.  The spike happened 
    because so many services were configured, and all the ports were hit within 
    a few seconds.  This caused what I call a "hunka hunka burnin' processes" 
    to fire up all at once.  Depending on the size and configuration of the box 
    you could easily max out system resources, and crash the box.  Maybe some 
    Clearpath experts can comment on this?
    
    Of course the admin's response was "new rule, no portscanning."  My 
    response was "secure your box".
    
    From what I've seen, most Clearpath admins don't do much locking down on 
    those boxes, because "mainframes are secure".  If you want to see some 
    really scary stuff, start poking around SNMP and see what information you 
    can get ; )
    
    -Mike
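
The failure mode hypothesised in the message above (a super-server that spawns one handler per inbound connection, hit on every configured port within a few seconds) can be modelled to show why caps on concurrent handlers and on accept rate bound the damage. This is an added example, not code from the post or from Unisys; the port count, handler lifetime and limit values are constructed, and `Limits`, `simulate` and `burst_arrivals` are hypothetical names (the two limits are analogous to xinetd's `instances` and `cps` attributes).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Limits:
    max_instances: Optional[int] = None  # cap on concurrent handlers (None = no cap)
    max_cps: Optional[int] = None        # cap on accepted connections per second


def simulate(arrivals: List[int], handler_lifetime: int, limits: Limits) -> Tuple[int, int]:
    """Model a spawn-per-connection listener.

    arrivals: whole-second timestamps of inbound connections.
    handler_lifetime: seconds each spawned handler stays alive.
    Returns (peak concurrent handlers, refused connections).
    """
    running: List[int] = []                  # end times of live handlers
    accepted_in_second: Dict[int, int] = {}  # accepted connections per second
    peak = refused = 0
    for t in sorted(arrivals):
        running = [end for end in running if end > t]  # reap finished handlers
        n = accepted_in_second.get(t, 0)
        over_rate = limits.max_cps is not None and n >= limits.max_cps
        over_cap = (limits.max_instances is not None
                    and len(running) >= limits.max_instances)
        if over_rate or over_cap:
            refused += 1                     # refuse instead of spawning
            continue
        accepted_in_second[t] = n + 1
        running.append(t + handler_lifetime)
        peak = max(peak, len(running))
    return peak, refused


def burst_arrivals(connections: int, seconds: int) -> List[int]:
    """Constructed input: connections spread evenly over a few seconds."""
    return [s for s in range(seconds) for _ in range(connections // seconds)]


# Constructed scenario: 300 configured services all contacted within 3 seconds,
# each handler lingering for 30 seconds before it exits.
BURST = burst_arrivals(300, 3)
UNCAPPED = simulate(BURST, 30, Limits())
CAPPED = simulate(BURST, 30, Limits(max_instances=40, max_cps=25))

if __name__ == "__main__":
    print("no limits  : peak=%d refused=%d" % UNCAPPED)
    print("with limits: peak=%d refused=%d" % CAPPED)
```

With no limits the peak handler count equals the number of connections in the burst; with limits it is bounded by `max_instances` regardless of how many ports are contacted.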
    


