[THIN] Re: Port Scanning

Depends on a couple of things:
1) What type of portscanning is being done.
2) What features are being used on switches in the infrastructure.

That said, even the most obtrusive types of portscanners generate a
negligible amount of traffic relative to normal network behavior.

However, if you have, say, a switch-based IDS (like Cisco's) which is set up
to take corrective action in response to a suspected intrusion, this can
cause the problems you've described (if it's misconfigured, albeit).

Whatever you hear from this forum, though, if
a) every time she scans, the network collapses and the switch must be
rebooted and
b) the network never collapses unless she scans

well, clearly there is some correlation. 

Here are some things that could be happening, also:

1) Let's say your core switch is a layer 3 and it's doing NAT as well. Let's go
further and say that it is trying to be "intelligent" about the NAT, so if
it sees traffic destined for port 21 it assumes FTP and gets ready to do the
NAT'ing for the data channel as well. I have seen situations where layer 3
switches/routers could be adversely affected if too many of these
connections were attempted when no device was on the other side listening.
2) Depending on how aggressive the port scan is, you could be exhausting
buffers on said layer 3 switch.

There are other things which could be happening; you haven't really given
enough info to say for sure. Things I'd like to know:

1) Basic network infrastructure - what is this core switch and is it doing
inter-VLAN routing as well?
2) What is she using for portscanning? How many hosts is she scanning?
3) Is the slowdown affecting speed between any two computers, no matter what
their placement with respect to each other and the switch?

I for one do NMAP scans any old time I feel like it and have never run into
a performance issue as a result of this.

Henry

> -----Original Message-----
> From: James A. Hayes [mailto:jhayes@xxxxxxxxxxxxxxxxxx]
> Sent: Monday, March 29, 2004 1:10 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Port Scanning
> 
> 
> Has anyone seen where port scanning caused major network issues?  Our
> security officer runs port scans on our network whenever she wants to and
> it never fails that our network then chugs down to a complete halt and we
> have to reboot our core switch to correct the problem.  Any ideas or
> suggestions?
>
> James A. Hayes
> Network Operations Manager & Assistant Vice-President
> The Peoples Bank & Trust Company
>
> (work) 662.680.1667
> (mobile) 662.401.0750
> (fax) 662.680.1502
>
> ********************************************************
> This weeks sponsor Emergent Online.
> Emergent OnLine is the leading server-based computing 
> consulting integration firm in the nation. Emergent OnLine 
> delivers expert 
> consulting services you can depend on.
> http://www.go-eol.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or 
> set Digest or Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
> 