| Subject: | RE: Retina scans caused broadcast storms |
|---|---|
| Date: | Fri, 26 Nov 2004 11:23:24 +0100 |
Hi Dale, [yes, I work for eEye]
-----Original Message-----

From: dale ball [mailto:dale_ball@yahoo.com]

Has anyone ever caused a full-blown broadcast storm by using the Retina Security Scanner?
[...]
What I am trying to determine is whether existing problems in the switching environment may have been exacerbated by the use of the scanner.
[...]

Pretty unlikely that the scanner is the root of your problem here - it doesn't poke spanning tree during the scans, and sends almost no broadcast traffic. I've never seen the scanner drop more than about 1Mb (megabit) of bandwidth onto the wire during a scan, either.

But, as you say it might be the catalyst, revealing a bug in your switching setup. There are some possibilities - the portscan might be confusing devices you have that keep state at layer 4, for example, which might lead to a cascade where the spanning tree loses links and decides to re-converge (seems like a long shot, and would show up with any scanner). Also if your switch link IPs are included in the scan the switches might be buggy, in one of a number of ways.

If you're interested in discussing it further offline let me know, we can follow up with the final results on-list, but I don't want to bore everyone with a long back and forth. Some things that interest me are

1. On what basis did you come to the conclusion that the network slowed down (user feedback, slow performance with certain apps, etc etc)
2. How confident are you that there is a causal link with the scan (multiple tests etc)
3. Are you sure it was a broadcast storm in particular

   3a. If so, what switches were involved
4. Does this network use spanning tree or link aggregation? If it does, should it?
5. Did you happen to be able to take any packet captures?
6. (oh and what version are you using, of course)

eEye take any report of problems like this seriously. However, I notice that the name you posted from isn't in our client database. Would you be able to also give me your real contact details offlist so I can verify the software you are using?

Thanks!

ben
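An added example, not part of the original thread and not eEye's code: one way to check a packet capture for the broadcast storm and spanning-tree activity discussed above is to count, per second, how many Ethernet frames go to the broadcast address and how many are BPDUs. The function names, the thresholds and the sample capture are assumptions made for this illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
STP_GROUP = bytes.fromhex("0180c2000000")  # 802.1D bridge group address used by BPDUs

def summarize_pcap(data, storm_share=0.5, min_frames=100):
    """Per-second frame, broadcast and BPDU counts from classic pcap bytes."""
    # storm_share and min_frames are illustrative thresholds (assumptions);
    # tune them against a baseline capture of the same segment.
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    frames, bcast, bpdu = Counter(), Counter(), Counter()
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(data):
        sec, _usec, incl, _orig = struct.unpack(endian + "4I", data[off:off + 16])
        dst = data[off + 16:off + 22]  # destination MAC of the captured frame
        off += 16 + incl
        if incl < 14 or len(dst) < 6:  # runt frame or truncated record
            continue
        frames[sec] += 1
        bcast[sec] += dst == BROADCAST
        bpdu[sec] += dst == STP_GROUP
    return [{"second": s, "frames": frames[s], "broadcast": bcast[s], "bpdu": bpdu[s],
             "storm": frames[s] >= min_frames and bcast[s] / frames[s] >= storm_share}
            for s in sorted(frames)]

def build_sample_pcap():
    """Constructed capture: one quiet second, then one dominated by broadcasts."""
    def rec(sec, dst):
        # Only the destination MAC matters here; the payload is zero padding.
        frame = dst + bytes.fromhex("020000000001") + b"\x08\x00" + bytes(46)
        return struct.pack("<4I", sec, 0, len(frame), len(frame)) + frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    unicast = bytes.fromhex("020000000002")
    out += b"".join(rec(1000, unicast) for _ in range(150))
    out += b"".join(rec(1000, BROADCAST) for _ in range(5)) + rec(1000, STP_GROUP)
    out += b"".join(rec(1001, unicast) for _ in range(40))
    out += b"".join(rec(1001, BROADCAST) for _ in range(400)) + rec(1001, STP_GROUP) * 3
    return out

if __name__ == "__main__":
    for row in summarize_pcap(build_sample_pcap()):
        print(row)
```

Comparing the per-second rows from a capture taken during a scan with rows from a quiet period shows whether broadcast share or BPDU counts actually change when the scanner runs.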