SonicWall Scanning Problems

From: dcampbell@accessdc.com
Date: Sat Oct 13 2007 - 13:06:35 EDT


We're trying to conduct a vulnerability assessment for a rather large network that is based on mostly SonicWall equipment with some AdTran equipment at the core.

We're seeing some rather unhelpful behavior from some of the SonicWall devices.

After port scanning for fifteen to thirty minutes, the SonicWall begins to send RSTs back for every address/port combination we've scanned. It seems to send them back in the order we sent them. We're watching all this with Wireshark in real time.

The SonicWall device begins to have problems with its web interface once this starts. If we don't catch this right away and stop scanning, eventually network users are impacted.

Eventually, the RST storm clears after it's sent a RST to every address/port we touched.

The SonicWall admin at the client site has (we all believe) turned off IPS functionality, SYN flood detection, etc., etc. As far as we can tell, everything that should be getting "upset" about our scanning has been turned off.

Various buffers and caches on the SonicWall show up clear/empty and there's nothing interesting in the logs.

We're using nmap at -T3 (default) speed. If we use -T4 it fails sooner. Connect scans also have this problem, although the RST storm clears much quicker. If we have to run at -T2 speeds, the scans could literally take weeks to run.

Has anyone done assessments of large networks based on SonicWall gear?

Did you encounter this problem?

If so, what did you do to correct or work around it?

So far SonicWall support hasn't been much help.




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT