On Mon, 26 Jul 1999, Derek Martin wrote:

> > In my case, I came across the CISCO IOS bug that meant a fragmented packet
> > to syslog's port would bring down the routers.  
> > 
> > I wasn't *trying* to flood the network during a scan, in fact I was trying
> > to do no harm at all.  As I said, I was doing a sanctioned scan - I _knew_
> 
> This isn't really a good example though, because the problem is with the
> buggy router implementation.  A legitimate use of this port could cause

It is a good example because it illustrates the fact that you can't
predict the equipment and/or software at the other end's reaction to a
scan.  The port listens by default, in use or not.  If it had been a
hospital's internal network and I'd done the scan at a time where a doctor
needed access to a patient's last CAT scan detail over a network, it could
have been catastrophic.  US case law varies between liability for
manufacturers, implementors and initiators, but in almost all cases the
initiator of the problem is held liable.  

Let's say the theoretical hospital had a firewall in place that allowed
SNMP by default unbeknownst to the administrator, and the bug affected
SNMP packets.  The hospital has done its best to protect itself, two
vendors have been lax, and still nothing bad would have happened had the
scanner not initiated a port scan.

FWIW, normal traffic wouldn't generally create the fragment in question,
so the likelihood of seeing this outside of a port scan was extremely low
to non-existent.

If it had been a hostile audit instead of an announced one, it would have
taken them a great deal longer to figure out where the problem was.

> the same problem.  You should complain to your vendor about this, not law
> enforcement.

Actually, I complained to the provider for fielding a version of IOS that
wasn't "known good", having the port wide open, and not following BUGTRAQ. 
However, that doesn't change the fact that an "innocent" port scan caused a
DoS.  It also doesn't change the fact that there may be other permutations
of equipment and software that are similarly affected.  

As much as you'd like to believe that port scanning does no harm, you
can't *know* that.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
