On Wed, 19 Feb 2003, [EMAIL PROTECTED] wrote:

> Quoting Adam Kosmin <[EMAIL PROTECTED]>:
> >     Is there a way to exclude ALL plugins that could potentially
> >     bring down a remote host or a service that is running on it?
>
> When it comes right down to it, *any* connection to the target could potentially
> take down the host or service. As I said in my previous email, an HTTP request
> to some services is enough to kill it, even though an even semi-well written
> program should be able to handle it.  Older versions of HP MeasureWare, for
> example, spike the CPU if you send "GET " (really any unexpected 4 string
> character).  I've even encountered many hosts/services that fall over if you
> simply do an nmap scan of them.
>
> Disabling dangerous plugins and safe checks will keep the plugins from
> performing *intentional* DoS attempts, but you'd be fooling yourself to think
> that you can guarantee a scan won't hurt a host--and risking your job as well,
> it seems.
>
>
> --
> http://www.cirt.net/

After our last scan, it was clear that there are additional issues when
scanning behind our institution's firewall.  In particular, it appears
that the best (and in some cases the only) defense against some of the DoS
tests is to place your systems behind a firewall, which is a little
problematic for every LAN that is only protected by the firewall that
protects everyone.  In addition, it is clear that not scanning behind the
firewall means you are wide open to virtually any system that gets
compromised.

So, we offered three options to our LAN administrators:
     1) only safe checks (no DoS and no Buffer overflow tests)
         (only 2 admins out of ~200 opted for this one)
     2) all tests except DoS only tests
         (this is the default scan and about 95% choose this option)
     3) all tests including DoS tests

Actually, it is to everyone's advantage to id Buffer Overflows and get
them fixed along with as many of the other problems as possible.  Based on
the explanations that I read, it is only to the advantage of the owners to
prevent DoS problems.  If they don't experience a real DoS, they are
not too interested in experiencing a monthly DoS caused only by the
scanning process.

It would make life a little simpler if there were an option that only
disabled DoS-only tests; it would help to simplify the process when
one updates the plugins.