Bugtraq mailing list archives
Re: Cisco and Nmap Dos
From: tpugh () BR20-EXCHA CONRES COM (Travis Pugh)
Date: Thu, 2 Sep 1999 07:57:44 -0400
I just finished running CyberCop and nmap against a smaller range (192.168.0.0) on a cat 5500 w/RSM and didn't notice any memory issues on the RSM. Perhaps it is just the traffic generated by scanning the entire /8 at once. The Cisco engineer is correct about the small packet issue, though, as Cisco doesn't dynamically free memory. If you manage to allocate all of the memory in small (64-128k) chunks, as I have seen before when there is a lot of route flapping and the rtr is constantly allocating small chunks to update the route table, the box has no mechanism to take all of the freed memory space once it's done with it and turn it into a larger contiguous (sp?) block. This can crash the box. The whole thing 40+Mbps thing should be discounted, though, as the RSM should be able to handle much more traffic than that. Also, do you know what version of IOS the RSM is running?
-----Original Message----- From: Lancashire, Andrew [SMTP:LancashireA () SUTTERHEALTH ORG] Sent: Tuesday, August 31, 1999 8:02 PM To: BUGTRAQ () SECURITYFOCUS COM Subject: Cisco and Nmap Dos I don't know if you've ever seen this before. We ran nmap with ICMP discover and standard tcp scan. We ran the scan against the entire 10.0.0.0 network range. Although we were only looking for 2 ports, we found that the RSM in our 5500 series (our default route) was running out of memory and had to be rebooted by our Network Services group multiple times in the 18 hour stretch it took to complete. One of the interesting things is that we were only generating about 3-5 Mbs and the 5500 can pass Gigabits. I have not heard of this problem before. We contacted Cisco and sent them the details. Below is the response to one of our engineers. Andrew -----Original Message----- From: khollis [SMTP:khollis () cisco com] Sent: Tuesday, August 31, 1999 7:59 AM To: wescotd () sutterhealth org Subject: Regarding Case Number V44290 Hi Dave, as I recall, the symptom we had to work/troubleshoot with was the router consumed lots of memory. Never heard about packets being dropped. So it seems like we forwarded everything nmap sent to us. The thing to keep in mind is that the router will dynamically allocate memory as necessary so that it can keep up with the load provided to it. Although we did not know nmap was running at the time, we noticed the memory consumed by the IP Input process dropped from 40M+ to an acceptable level of (4-5M) after nmap was shut down. This proves that the router need this much memory to process the entire load generated by nmap. I suspect nmap was doing much more than you've been able to calculate. It's obvious that running nmap continuously for 18-19 hours caused this problem. One possible explaination is constantly flooding the router w/64 byte packets for this timeframe could have caused the router's memory to become seriously fragmented. Also, I guess we can't tell, but another question would be how many tcp sessions were requested/open on the router after this timeframe? Port scanners have a reputation of helping identify potential security problems. However, they are also known to cause problems... Hope this helps, KennyH.
Current thread:
- Cisco and Nmap Dos Lancashire, Andrew (Aug 31)
- Re: Cisco and Nmap Dos Mikael Olsson (Sep 02)
- ProFTPD 1.2.0pre5 MacGyver (Sep 08)
- Re: Cisco and Nmap Dos Lisa Napier (Sep 08)
- 19 SCO 5.0.5+Skunware98 buffer overflows Brock Tellier (Sep 09)
- Re: Cisco and Nmap Dos Niklas Schiffler (Sep 02)
- IE 5.0 security vulnerabilities - ImportExportFavorites - at least creating and overwriting files, probably executing programs Georgi Guninski (Sep 09)
- <Possible follow-ups>
- Re: Cisco and Nmap Dos Travis Pugh (Sep 02)
- Re: Cisco and Nmap Dos Lancashire, Andrew (Sep 02)
- Re: Cisco and Nmap Dos Lisa Napier (Sep 07)
- Bindview Hackershield Password Eric Schultze (Sep 15)
- Re: Cisco and Nmap Dos Lisa Napier (Sep 15)
- Re: Cisco and Nmap Dos Mikael Olsson (Sep 02)