Re: Kill a Unisys Clearpath with nmap port scan
From: Mike Shaw <mshaw () wwisp com>
Date: Thu, 03 Oct 2002 09:47:50 -0500
At 03:57 PM 10/2/2002 -0500, Jonathan G. Lampe wrote:
> Unisys "Clearpath" mainframes are very sensitive to the probes of nmap and
> similar programs. Basically, by only port-scanning (not even
> fingerprinting), you can cause the entire machine to seize up. (Yes, the
> whole machine...not just a job or the TCP/IP device.)
> The problem may be occurring because the host fires up a job to log each
> incomplete TCP handshake - other people have suggested a problem with the
> TCP/IP stack on the iron, but I really don't know for sure.
Wow, and I thought I was the only one who experienced this. I ran a quick
Superscan (Foundstone) against a Clearpath subnet one time, and within an
hour was contacted by the admin for a "possible security issue". This was
about the 4th time I had port scanned that network, only this time one of
the operations folks had noticed a huge spike in resource utilization.
The problem I observed was that the system seems to run something like
inetd in which it fires up a process when something connects to the port,
instead of running network processes in a daemon mode. The spike happened
because so many services were configured, and all the ports were hit within
a few seconds. This caused what I call a "hunka hunka burnin' processes"
to fire up all at once. Depending on the size and configuration of the box
you could easily max out system resources, and crash the box. Maybe some
Clearpath experts can comment on this?
Of course the admin's response was "new rule, no portscanning." My
response was "secure your box".
From what I've seen, most Clearpath admins don't do much locking down on
those boxes, because "mainframes are secure". If you want to see some
really scary stuff, start poking around SNMP and see what information you
can get ; )
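
A detection-side sketch of the burst described in this message (many ports on one host hit within a few seconds, each connection launching a process on an inetd-style host), added here as an example and not part of the original post. The log format, thresholds, addresses and function names are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5    # assumption: what "within a few seconds" means here
PORT_THRESHOLD = 10   # assumption: distinct ports per window that count as a burst


def parse_line(line):
    """Parse 'epoch_seconds src_ip dst_ip dst_port' (constructed log format)."""
    ts, src, dst, port = line.split()
    return float(ts), src, dst, int(port)


def detect_bursts(lines, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return one alert per (src, dst) pair that reaches `threshold` distinct
    destination ports inside any `window`-second span. On a host that starts
    a process per connection, that is roughly the number of simultaneous
    process launches the burst causes."""
    recent = defaultdict(deque)   # (src, dst) -> (ts, port) entries still in window
    alerted = set()
    alerts = []
    for ts, src, dst, port in sorted(parse_line(l) for l in lines if l.strip()):
        key = (src, dst)
        q = recent[key]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "time": ts, "ports": len(distinct)})
    return alerts


def build_sample_log():
    """Constructed sample: one fast sweep plus two ordinary clients."""
    lines = []
    for i in range(40):                       # 40 ports in about two seconds
        lines.append(f"{1000 + i * 0.05:.2f} 192.0.2.10 198.51.100.5 {20 + i}")
    for i in range(12):                       # same port once a minute
        lines.append(f"{1000 + i * 60:.2f} 192.0.2.20 198.51.100.5 23")
    for i, port in enumerate([21, 23, 25, 80]):   # a few ports, 30 s apart
        lines.append(f"{1000 + i * 30:.2f} 192.0.2.30 198.51.100.5 {port}")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

Only the fast sweep is flagged; the same 40 ports spread over minutes stay below the threshold, which is also the pacing that avoids the simultaneous process launches described above.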