Kill a Unisys Clearpath with nmap port scan

["Jonathan G. Lampe" <jonathan () stdnet com>]

Unisys "Clearpath" mainframes are very sensitive to the probes of nmap and 
similar programs.  Basically, by only port-scanning (not even 
fingerprinting), you can cause the entire machine to seize up.  (Yes, the 
whole machine...not just a job or the TCP/IP device.)

The problem may be occurring because the host fires up a job to log each 
incomplete TCP handshake - other people have suggested a problem with the 
TCP/IP stack on the iron, but I really don't know for sure.

I know people might think that I am just DOS'ing the machine, but I got 
this to happen with "nmap -T Normal" and it happens even easier at higher 
speeds.  If I do the same scans against Windows, *nix, VAX, or any other 
type of TCP/IP devices I can find, the target machine continues to respond 
after the scan.  (Even on some 20mhz DOS machines running a custom build of 
TCP/IP!)  It's only the Clearpaths which seem to nose-dive.

Lest you think I am complaining about a problem on a single machine, let me 
assure you I have seen this happen three different times at three different 
locations (2 financial data centers and 1 bank) on three different 
machines.    I wrote this report after another security researcher 
mentioned privately to me that he observed the same thing.

So...what's my advice?  Don't use nmap or other port scanners against a 
Clearpath - it will probably be fatal.

Say hello to my little friend: "nmapnt 10.0.0.8 -p 1-1023 -T Normal"  (If 
that doesn't work, make it less polite.  Watch the "SPO" for added fun.)

* * * Vendor notification
Unisys field engineers have been notified of each occurrence at the various 
sites.  (I saw my first one go down in October 2001, saw the third do it 
about a week ago.  All were on current releases.)

Also notified Fyodor (of nmap) and submitted the "Unisys Clearpath NX" 
fingerprints I had.