Penetration Testing mailing list archives
RE: Retina scans caused broadcast storms
From: "Ben Nagy" <ben () iagu net>
Date: Fri, 26 Nov 2004 11:23:24 +0100
Hi Dale, [yes, I work for eEye]
-----Original Message-----
From: dale ball [mailto:dale_ball () yahoo com]

Has anyone ever caused a full blown broadcast storm by using the Retina Security Scanner?
[...]
What I am trying to determine is whether existing problems in the switching environment may have been exacerbated by the use of the scanner.
[...]

Pretty unlikely that the scanner is the root of your problem here - it doesn't poke spanning tree during the scans, and sends almost no broadcast traffic. I've never seen the scanner drop more than about 1Mb (megabit) of bandwidth onto the wire during a scan, either.

But, as you say it might be the catalyst, revealing a bug in your switching setup. There are some possibilities - the portscan might be confusing devices you have that keep state at layer 4, for example, which might lead to a cascade where the spanning tree loses links and decides to re-converge (seems like a long shot, and would show up with any scanner). Also if your switch link IPs are included in the scan the switches might be buggy, in one of a number of ways.

If you're interested in discussing it further offline let me know, we can follow up with the final results on-list, but I don't want to bore everyone with a long back and forth. Some things that interest me are

1. On what basis did you come to the conclusion that the network slowed down (user feedback, slow performance with certain apps, etc etc)?
2. How confident are you that there is a causal link with the scan (multiple tests etc)?
3. Are you sure it was a broadcast storm in particular?
3a. If so, what switches were involved?
4. Does this network use spanning tree or link aggregation? If it does, should it?
5. Did you happen to be able to take any packet captures?
6. (oh and what version are you using, of course)

eEye take any report of problems like this seriously. However, I notice that the name you posted from isn't in our client database. Would you be able to also give me your real contact details offlist so I can verify the software you are using?

Thanks!

ben
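
Added example, not part of the original email and not eEye code: one way to answer questions 3 and 5 from a packet capture is to measure the broadcast share of frames per second and count spanning tree topology-change BPDUs. The sample capture is constructed, and the `storm_ratio` threshold and all function names are assumptions of this sketch.

```python
import struct

BROADCAST = b"\xff" * 6
STP_MAC = bytes.fromhex("0180c2000000")  # 802.1D bridge group address
SRC = bytes.fromhex("020000000002")      # constructed locally administered MAC

def make_pcap(frames):
    """Build a classic little-endian Ethernet pcap from (second, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def summarize(pcap, storm_ratio=0.5):
    """Per-second broadcast share and count of STP topology-change BPDUs.

    storm_ratio is an assumed threshold for this example, not a standard value.
    """
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap, Ethernet link type")
    per_sec, tc_bpdus, off = {}, 0, 24
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14:
            continue  # truncated record, no full Ethernet header
        total, bcast = per_sec.get(ts, (0, 0))
        per_sec[ts] = (total + 1, bcast + (frame[:6] == BROADCAST))
        # BPDU = 802.3 header, LLC 42 42 03, protocol id (2), version, type, flags
        if frame[:6] == STP_MAC and frame[14:17] == b"\x42\x42\x03" and len(frame) > 20:
            is_tcn = frame[20] == 0x80
            has_tc_flag = frame[20] in (0x00, 0x02) and len(frame) > 21 and frame[21] & 1
            tc_bpdus += bool(is_tcn or has_tc_flag)
    storm = sorted(s for s, (t, b) in per_sec.items() if b / t >= storm_ratio)
    return {"per_sec": per_sec, "storm_seconds": storm, "tc_bpdus": tc_bpdus}

# Constructed sample capture: a quiet second, then a broadcast-heavy one with STP changes.
UNICAST = bytes.fromhex("020000000001") + SRC + b"\x08\x00" + bytes(46)
ARP_BCAST = BROADCAST + SRC + b"\x08\x06" + bytes(46)
TCN = STP_MAC + SRC + struct.pack(">H", 7) + b"\x42\x42\x03" + b"\x00\x00\x00\x80"
CFG_TC = STP_MAC + SRC + struct.pack(">H", 38) + b"\x42\x42\x03" + b"\x00\x00\x00\x00\x01" + bytes(30)
SAMPLE = make_pcap([(0, UNICAST)] * 4 + [(0, ARP_BCAST)] +
                   [(1, ARP_BCAST)] * 8 + [(1, UNICAST)] * 2 + [(1, TCN), (1, CFG_TC)])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running the same summary over captures taken with and without a scan in progress, on the same switch port, gives a basis for the causal-link question in item 2.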