RE: Retina scans caused broadcast storms

• Previous message: Evans, Arian: "RE: Crashing services with NMAP and/or SuperScan ?"
• In reply to: dale ball: "Retina scans caused broadcast storms"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'dale ball'" <dale_ball@yahoo.com>
Date: Fri, 26 Nov 2004 11:23:24 +0100

Hi Dale,

[yes, I work for eEye]

> -----Original Message-----
> From: dale ball [mailto:dale_ball@yahoo.com]
>
> Has anyone ever caused a full blown broadcast storm by using
> the Retina Security Scanner.
[...]
> What I am trying to determine is whether
> existing problems in the switching enviroment may have been
> exaserbated by the use of the scanner.
[...]

Pretty unlikely that the scanner is the root of your problem here - it
doesn't poke spanning tree during the scans, and sends almost no broadcast
traffic. I've never seen the scanner drop more than about 1Mb (megabit) of
bandwidth onto the wire during a scan, either. But, as you say it might be
the catalyst, revealing a bug in your switching setup.

There are some possibilities - the portscan might be confusing devices you
have that keep state at layer 4, for example, which might lead to a cascade
where the spanning tree loses links and decides to re-converge (seems like a
long shot, and would show up with any scanner). Also if your switch link IPs
are included in the scan the switches might be buggy, in one of a number of
ways.

If you're interested in discussing it further offline let me know, we can
follow up with the final results on-list, but I don't want to bore everyone
with a long back and forth. Some things that interest me are

1. On what basis did you come to the conclusion that the network slowed down
(user feedback, slow performance with certain apps, etc etc)
2. How confident are you that there is a causal link with the scan (multiple
tests etc)
3. Are you sure it was a broadcast storm in particular
3a. If so, what switches were involved
4. Does this network use spanning tree or link aggregation? If it does,
should it?
5. Did you happen to be able to take any packet captures?
6. (oh and what version are you using, of course)

eEye take any report of problems like this seriously. However, I notice that
the name you posted from isn't in our client database. Would you be able to
also give me your real contact details offlist so I can verify the software
you are using?

Thanks!

ben

• Previous message: Evans, Arian: "RE: Crashing services with NMAP and/or SuperScan ?"
• In reply to: dale ball: "Retina scans caused broadcast storms"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]