Nmap Development mailing list archives

Re: [MODERATED] [TIME_DELAYED] Can nMap port scan cause z/os mainframe to hang/stop transactions?


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 20 Aug 2010 22:59:24 +0000

On Fri, 20 Aug 2010 14:13:05 GMT
"Robert Macmaster" <bobmac () nettally com> wrote:

Hi. This is Bob.

As part of a security audit I am doing for an
organization, I recently (August 3) ran an nmap port scan from my
workstation against our IBM mainframe running Z/OS and DB2.  During
the day of the scan some users began having problems implementing
specific transactions (a limited number of specific transactions
could not be completed).  Subsequently, our mainframe administrator
told me that my scans had likely caused the problem and that he had
to stop and restart some services a few hours later to correct the
problem.

Is there anywhere I can go to determine whether nmap can
crash or hang Z/OS or CICS, and determine whether my scan may have
caused the problem?

Key parameters to reproduce issue, if there is/was one:

Scan was run from my internal workstation with no admin
rights for any of the server or network interfaces. The scan was
nmap -sS -sU -p - -T4 -A -v -PE -PP -PS1-65535 -PA1-65535 --reason xxx.xxx.xxx.xxx
(ip x’d out by me for security)

Scan completed successfully in 224 seconds, listed many open ports,
but incorrectly identified mainframe os as OSs: OS/390, MVS The actual
OS was z/os (a recent version)

nMap version was 5.21

note: I had used the same scan for many of our windows servers
without a problem.

Will appreciate any insight or references you can provide.  Many thanks.

Bob


Bob,

Our mainframe admins have told me the same thing.  I don't have a shell
on our mainframe but I'm pretty sure we're running roughly the same
version.

One of the mainframe guys got back to me after they opened up a support
case with IBM and said Nmap ran it out of socket buffer memory.

IIRC, the thing has what it calls "High Performance TCP Sockets" or
something like that which allocate some fixed buffer size and it doesn't
get freed very quickly. Doing a SYN scan allocates a bunch of these and
it runs out of networking memory.

I'd get you more information but my working relationship with our
mainframe guys is strained at best.

So in short, yes, I've taken down our mainframe a few times and the
IBMers seem to think that this is my problem and not the mainframe's
fault.

Brandon
