RE: Nmap issues...? or router?

From: Ben Tetu-Pappas (bpappasat_private)
Date: Tue Oct 09 2001 - 14:20:24 PDT


    This is a known Cisco bug. Their documentation on the bug says something
    like 'port scanning tools can create a situation where the router CPU
    utilization goes to 100%'. I don't recall if there is an IOS upgrade to fix
    this, so call Cisco and ask or go look through their online documentation to
    see if your IOS is possibly affected.
    
    ben tetu-pappas 
    
    -----Original Message-----
    From: Josha Bronson
    To: bluefur0r bluefur0r
    Cc: pen-testat_private
    Sent: 10/7/2001 8:48 PM
    Subject: Re: Nmap issues...? or router?
    
    On Sun, Oct 07, 2001 at 02:39:31AM -0000, bluefur0r bluefur0r said:
    > After just completing an audit for a company that has a DS-3
    > connection (shared) and a Cisco router (2015), one of the first issues
    > that was found was this: When nmapping using -sS and all ports, 1 nmap
    > scan nmapping 1 host at a time appeared to completely destroy their
    > bandwidth... Has anyone heard of this? Could this be a router or ISP
    > problem??? It took very long to complete because I needed to use the
    > -T Polite option. I'm just curious if anyone else has ever encountered
    > nmap using up all network resources for such a high volume connection.
    > Any help would be appreciated so this never happens again. *Luckily I
    > started after hours*
    > blue
    
    Yes, I've seen this before. During an internal audit, one laptop
    scanning with nmap brought a LAN router to 100% CPU utilization. I think
    that the router had to be rebooted, but I can't remember. The router was
    a Cisco, of the 7000 series I believe.
    
    Sorry for the lack of facts, it was a while ago...
    
    I've meant to look into it again and try to pin down exactly what is
    going on here, but there never really seems to be a good time to nail a
    router that is in use, according to management.
    
    I've also spoken about this with a few other folks who have seen the
    same thing.
    
    Anyway, someone with spare time and a test network with a Cisco router
    should probably try and figure out what causes this. :)
    
    -- 
    josha.bronson(aka->dmuz) >> dmuzat_private
    networks/systems/security && CCNA, RHCE 
    josha.net || dmuz.angrypacket.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 15:28:58 PDT