Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Retina scans caused broadcast storms

From: "Rob Shein" <shoten () starpower net>
Date: Wed, 24 Nov 2004 16:46:17 -0500
I'm not sure without knowing more about the nature of the scan (how fast you
were running it, whether you were on the local network or doing it remotely,
etc.) but I can think of something that would cause this.  Let's say you
have a subnet with 23 stop bits, being about 2 class C's in size.  Now
assume that it's only about 25% populated, for example...if you do a port
scan where you assume that hosts cannot be pinged, for every port on each
unused IP you're going to trigger some "who has W.X.Y.Z?" arp requests.  And
since those requests, unlike ones for systems that actually do exist, won't
be answered, they also won't be cached anywhere, which means that for EVERY
port you scan, you'll be triggering 75% x 510 = about 380 arp requests.  And
if you're scanning really fast...that's going to raise hell with things.


-----Original Message-----
From: dale ball [mailto:dale_ball () yahoo com] 
Sent: Tuesday, November 23, 2004 1:34 PM
To: pen-test () securityfocus com
Subject: Retina scans caused broadcast storms


Has anyone ever caused a full blown broadcast storm by using 
the Retina Security Scanner.

Its looks as if I may caused a severe slow down on a network 
recently and think the scanner may have caused it. What I am 
trying to determine is whether existing problems in the 
switching enviroment may have been exaserbated by the use of 
the scanner.

Anybody else ever experience these sorts of issues with Retina?

dale


              
__________________________________ 
Do you Yahoo!? 
The all-new My Yahoo! - Get yours free! 
http://my.yahoo.com
Previous By Date Next
Previous By Thread Next

Current thread: