Bugtraq mailing list archives
Kill a Unisys Clearpath with nmap port scan
From: "Jonathan G. Lampe" <jonathan () stdnet com>
Date: Wed, 02 Oct 2002 15:57:39 -0500
Unisys "Clearpath" mainframes are very sensitive to the probes of nmap and similar programs. Basically, by only port-scanning (not even fingerprinting), you can cause the entire machine to seize up. (Yes, the whole machine...not just a job or the TCP/IP device.)
The problem may be occurring because the host fires up a job to log each incomplete TCP handshake - other people have suggested a problem with the TCP/IP stack on the iron, but I really don't know for sure.
I know people might think that I am just DOS'ing the machine, but I got this to happen with "nmap -T Normal" and it happens even easier at higher speeds. If I do the same scans against Windows, *nix, VAX, or any other type of TCP/IP devices I can find, the target machine continues to respond after the scan. (Even on some 20mhz DOS machines running a custom build of TCP/IP!) It's only the Clearpaths which seem to nose-dive.
Lest you think I am complaining about a problem on a single machine, let me assure you I have seen this happen three different times at three different locations (2 financial data centers and 1 bank) on three different machines. I wrote this report after another security researcher mentioned privately to me that he observed the same thing.
So...what's my advice? Don't use nmap or other port scanners against a Clearpath - it will probably be fatal.
Say hello to my little friend: "nmapnt 10.0.0.8 -p 1-1023 -T Normal" (If that doesn't work, make it less polite. Watch the "SPO" for added fun.)
* * * Vendor notificationUnisys field engineers have been notified of each occurrence at the various sites. (I saw my first one go down in October 2001, saw the third do it about a week ago. All were on current releases.)
Also notified Fyodor (of nmap) and submitted the "Unisys Clearpath NX" fingerprints I had.
Current thread:
- Kill a Unisys Clearpath with nmap port scan Jonathan G. Lampe (Oct 02)
- Re: Kill a Unisys Clearpath with nmap port scan Mike Shaw (Oct 05)
- <Possible follow-ups>
- Re: Kill a Unisys Clearpath with nmap port scan Michael.Kain (Oct 05)