Nmap Development mailing list archives
Re: [MODERATED] [TIME_DELAYED] Can nMap port scan cause z/os mainframe to hang/stop transactions?
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 20 Aug 2010 22:59:24 +0000
On Fri, 20 Aug 2010 14:13:05 GMT "Robert Macmaster" <bobmac () nettally com> wrote:
Hi. This is Bob.

As part of a security audit I am doing for an organization, I recently (August 3) ran an nmap port scan from my workstation against our IBM mainframe running Z/OS and DB2. During the day of the scan some users began having problems implementing specific transactions (a limited number of specific transactions could not be completed). Subsequently, our mainframe administrator told me that my scans had likely caused the problem and that he had to stop and restart some services a few hours later to correct the problem.

Is there anywhere I can go to determine whether nmap can crash or hang Z/OS or CICS, and determine whether my scan may have caused the problem?

Key parameters to reproduce issue, if there is/was one:

Scan was run from my internal workstation with no admin rights for any of the server or network interfaces.

The scan was nmap -sS -sU -p - -T4 -A -v -PE -PP -PS1-65535 -PA1-65535 --reason xxx.xxx.xxx.xxx (ip x’d out by me for security)

Scan completed successfully in 224 seconds, listed many open ports, but incorrectly identified mainframe os as OSs: OS/390, MVS

The actual OS was z/os (a recent version)

nMap version was 5.21

Note: I had used the same scan for many of our windows servers without a problem.

Will appreciate any insight or references you can provide. Many thanks.

Bob
Bob,

Our mainframe admins have told me the same thing. I don't have a shell on our mainframe but I'm pretty sure we're running roughly the same version.

One of the mainframe guys got back to me after they opened up a support case with IBM and said Nmap ran it out of socket buffer memory. IIRC, the thing has what it calls "High Performance TCP Sockets" or something like that which allocate some fixed buffer size and it doesn't get freed very quickly. Doing a SYN scan allocates a bunch of these and it runs out of networking memory.

I'd get you more information but my working relationship with our mainframe guys is strained at best.

So in short, yes, I've taken down our mainframe a few times and the IBMers seem to think that this is my problem and not the mainframe's fault.

Brandon