Bugtraq mailing list archives

Re: Kill a Unisys Clearpath with nmap port scan


From: Mike Shaw <mshaw () wwisp com>
Date: Thu, 03 Oct 2002 09:47:50 -0500

At 03:57 PM 10/2/2002 -0500, Jonathan G. Lampe wrote:
> Unisys "Clearpath" mainframes are very sensitive to the probes of nmap and similar programs. Basically, by only port-scanning (not even fingerprinting), you can cause the entire machine to seize up. (Yes, the whole machine...not just a job or the TCP/IP device.)
>
> The problem may be occurring because the host fires up a job to log each incomplete TCP handshake - other people have suggested a problem with the TCP/IP stack on the iron, but I really don't know for sure.

Wow, and I thought I was the only one who experienced this. I ran a quick Superscan (Foundstone) against a Clearpath subnet one time, and within an hour was contacted by the admin for a "possible security issue". This was about the 4th time I had port scanned that network, only this time one of the operations folks had noticed a huge spike in resource utilization.

The problem I observed was that the system seems to run something like inetd in which it fires up a process when something connects to the port, instead of running network processes in a daemon mode. The spike happened because so many services were configured, and all the ports were hit within a few seconds. This caused what I call a "hunka hunka burnin' processes" to fire up all at once. Depending on the size and configuration of the box you could easily max out system resources, and crash the box. Maybe some Clearpath experts can comment on this?

Of course the admin's response was "new rule, no portscanning." My response was "secure your box".

From what I've seen, most Clearpath admins don't do much locking down on those boxes, because "mainframes are secure". If you want to see some really scary stuff, start poking around SNMP and see what information you can get ; )

-Mike
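
Added example, not part of the original post and not Unisys code: a small model of the launch-on-connect behaviour described above, comparing peak concurrent handler processes with and without an admission gate of the kind xinetd exposes as `instances` and `cps`. The `SpawnGate` class, its limits, the handler lifetime and the burst of 200 connections are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class SpawnGate:
    """Admission control for a launch-on-connect super-server (hypothetical model)."""
    max_instances: int   # cap on handlers running at once
    max_cps: int         # cap on handlers started in any 1000 ms window
    cooldown_ms: int     # refuse every launch for this long once max_cps is hit

    def __post_init__(self):
        self.running = []        # finish times (ms) of live handlers
        self.recent = []         # start times (ms) inside the rate window
        self.blocked_until = 0

    def admit(self, now, lifetime):
        self.running = [t for t in self.running if t > now]
        self.recent = [t for t in self.recent if t > now - 1000]
        if now < self.blocked_until or len(self.running) >= self.max_instances:
            return False
        if len(self.recent) >= self.max_cps:
            self.blocked_until = now + self.cooldown_ms
            return False
        self.running.append(now + lifetime)
        self.recent.append(now)
        return True

def simulate(arrivals, lifetime, gate=None):
    """Return (peak concurrent handlers, launches refused) for arrival times in ms."""
    live, peak, refused = [], 0, 0
    for now in arrivals:
        live = [t for t in live if t > now]      # reap finished handlers
        if gate is not None and not gate.admit(now, lifetime):
            refused += 1                         # connection shed, nothing spawned
            continue
        live.append(now + lifetime)              # one process per connection
        peak = max(peak, len(live))
    return peak, refused

# Constructed input: 200 configured services each connected once, 10 ms apart.
BURST = [i * 10 for i in range(200)]

def compare(lifetime=5000):
    """Same burst, without and with the gate."""
    gate = SpawnGate(max_instances=20, max_cps=10, cooldown_ms=1000)
    return simulate(BURST, lifetime), simulate(BURST, lifetime, gate)

if __name__ == "__main__":
    print(compare())
```

With the gate in place the peak is bounded by `max_instances` regardless of how many services are configured; the cost is that legitimate connections arriving during the burst are refused as well.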

