Bugtraq mailing list archives
Cisco and Nmap Dos
From: LancashireA () SUTTERHEALTH ORG (Lancashire, Andrew)
Date: Tue, 31 Aug 1999 17:02:18 -0700
I don't know if you've ever seen this before. We ran nmap with ICMP discover and standard tcp scan. We ran the scan against the entire 10.0.0.0 network range. Although we were only looking for 2 ports, we found that the RSM in our 5500 series (our default route) was running out of memory and had to be rebooted by our Network Services group multiple times in the 18 hour stretch it took to complete. One of the interesting things is that we were only generating about 3-5 Mbs and the 5500 can pass Gigabits. I have not heard of this problem before. We contacted Cisco and sent them the details. Below is the response to one of our engineers. Andrew -----Original Message----- From: khollis [SMTP:khollis () cisco com] Sent: Tuesday, August 31, 1999 7:59 AM To: wescotd () sutterhealth org Subject: Regarding Case Number V44290 Hi Dave, as I recall, the symptom we had to work/troubleshoot with was the router consumed lots of memory. Never heard about packets being dropped. So it seems like we forwarded everything nmap sent to us. The thing to keep in mind is that the router will dynamically allocate memory as necessary so that it can keep up with the load provided to it. Although we did not know nmap was running at the time, we noticed the memory consumed by the IP Input process dropped from 40M+ to an acceptable level of (4-5M) after nmap was shut down. This proves that the router need this much memory to process the entire load generated by nmap. I suspect nmap was doing much more than you've been able to calculate. It's obvious that running nmap continuously for 18-19 hours caused this problem. One possible explaination is constantly flooding the router w/64 byte packets for this timeframe could have caused the router's memory to become seriously fragmented. Also, I guess we can't tell, but another question would be how many tcp sessions were requested/open on the router after this timeframe? Port scanners have a reputation of helping identify potential security problems. However, they are also known to cause problems... Hope this helps, KennyH.
Current thread:
- Cisco and Nmap Dos Lancashire, Andrew (Aug 31)
- Re: Cisco and Nmap Dos Mikael Olsson (Sep 02)
- ProFTPD 1.2.0pre5 MacGyver (Sep 08)
- Re: Cisco and Nmap Dos Lisa Napier (Sep 08)
- 19 SCO 5.0.5+Skunware98 buffer overflows Brock Tellier (Sep 09)
- Re: Cisco and Nmap Dos Niklas Schiffler (Sep 02)
- IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs Georgi Guninski (Sep 09)
- <Possible follow-ups>
- Re: Cisco and Nmap Dos Travis Pugh (Sep 02)
- Re: Cisco and Nmap Dos Lancashire, Andrew (Sep 02)
- Re: Cisco and Nmap Dos Lisa Napier (Sep 07)
- Bindview Hackershield Password Eric Schultze (Sep 15)
(Thread continues...)
- Re: Cisco and Nmap Dos Mikael Olsson (Sep 02)