On Thu, 2003-02-06 at 10:21, Jim Cervantes wrote:
> Wow! 10% of services shut down?! I would really like to know more about
> what settings you used for your scans. Are these fragile services getting
> whacked by a mere port scan or by an actual malinteraction with a plugin?

Actually, the worst offenders are JetDirect cards. A simple NMAP scan will kill several hundred of them in one sweep. Next on the list are Novell servers running FlexIP; looking at those cross-eyed will cause them to stop processing tcp/ip. We have some legacy OSes (where tcp/ip was added as an afterthought) that can get OOM (tcp/ip sessions not cleared from memory) when scanned. Those are the low-hanging fruit. There are lots of other systems that don't like being hit with non-safe-check scans, e.g. PACS radiology (run by outside vendors); of course, those have OS/2, MacOS, Solaris and a few others as integral components. A few lab interfaces and terminal servers have been taken off-line, too, though I'm no longer sure of the details. Hospitals, especially those that write their own software based upon Mumps programming in the 1970s, have lots of esoterica lying around.

Kris
