Penetration Testing mailing list archives
Re: SonicWall Scanning Problems
From: "Paul Melson" <pmelson () gmail com>
Date: Sun, 14 Oct 2007 09:21:19 -0400
On 13 Oct 2007 17:06:35 -0000, dcampbell () accessdc com <dcampbell () accessdc com> wrote:
> After port scanning for fifteen to thirty minutes, the SonicWall begins to send RSTs back for every address/port combination we've scanned. It seems to send them back in the order we sent them. We're watching all this with WireShark in realtime.
...
> We're using nmap at -T3 (default) speed. If we use -T4 it fails sooner. Connect scans also have this problem, although the RST storm clears much quicker. If we have to run at -T2 speeds, the scans could literally take weeks to run.
If this is the case, then it's pretty clear that the admin hasn't successfully disabled synflood protection. That feature may require a power cycle of the device, not just applying the change.
> Has anyone done assessments of large networks based on SonicWall gear? Did you encounter this problem? If so, what did you do to correct or work around it?
Yes, and sort of. I wasn't using Nmap, but had to switch to full TCP connect scans and take tcp/1723 (PPTP) out of the scan list. There was some real weirdness early on with the number of RSTs being sent. I've seen Snort flex_resp and older RealSecure appliances work this way also, but the SonicWall device sent 10-20 times the necessary number of RST packets.

You may also find this document helpful if you haven't already seen it: http://www.sonicwall.com/downloads/SonicOS_TCP_RST.pdf

In a case like this, don't be afraid to go back to the client contact and explain the situation. Stuff happens. They'll get a warm fuzzy from knowing that their firewall breaks port scans, anyway. Offer them the option of low & slow scanning and extending the testing time frame by several weeks, or they can just hand over the documentation about what ports are open on what addresses and you'll note the issue in the deliverable. Seems reasonable to me.

PaulM