RE: Retina scans caused broadcast storms

From: Ben Nagy (ben@iagu.net)
Date: Fri Nov 26 2004 - 05:23:24 EST


Hi Dale,

[yes, I work for eEye]

> -----Original Message-----
> From: dale ball [mailto:dale_ball@yahoo.com]
>
> Has anyone ever caused a full blown broadcast storm by using
> the Retina Security Scanner.
[...]
> What I am trying to determine is whether
> existing problems in the switching environment may have been
> exacerbated by the use of the scanner.
[...]

Pretty unlikely that the scanner is the root of your problem here - it
doesn't poke spanning tree during the scans, and sends almost no broadcast
traffic. I've never seen the scanner drop more than about 1Mb (megabit) of
bandwidth onto the wire during a scan, either. But, as you say it might be
the catalyst, revealing a bug in your switching setup.

There are some possibilities - the portscan might be confusing devices you
have that keep state at layer 4, for example, which might lead to a cascade
where the spanning tree loses links and decides to re-converge (seems like a
long shot, and would show up with any scanner). Also if your switch link IPs
are included in the scan the switches might be buggy, in one of a number of
ways.

If you're interested in discussing it further offline let me know, we can
follow up with the final results on-list, but I don't want to bore everyone
with a long back and forth. Some things that interest me are

1. On what basis did you come to the conclusion that the network slowed down
(user feedback, slow performance with certain apps, etc etc)
2. How confident are you that there is a causal link with the scan (multiple
tests etc)
3. Are you sure it was a broadcast storm in particular
3a. If so, what switches were involved
4. Does this network use spanning tree or link aggregation? If it does,
should it?
5. Did you happen to be able to take any packet captures?
6. (oh and what version are you using, of course)

eEye take any report of problems like this seriously. However, I notice that
the name you posted from isn't in our client database. Would you be able to
also give me your real contact details offlist so I can verify the software
you are using?

Thanks!

ben
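Questions 3 and 5 above (was it really a broadcast storm, and is there a packet capture) can be answered from the capture itself rather than from user reports. The following is an added example, written for this archive page and not code from Ben, eEye or Retina: it walks a list of (timestamp, raw Ethernet frame) pairs, counts broadcast frames per second, flags any second above a storm threshold, and separately counts 802.1D Topology Change Notification BPDUs, which is the symptom you would expect if spanning tree were re-converging as the message speculates. It uses only the Python standard library; the frames are constructed inline to stand in for a capture, and the 1000 broadcasts-per-second threshold is an assumption for illustration, not a figure from the thread.

```python
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6
STP_MULTICAST_MAC = bytes.fromhex("0180c2000000")  # 802.1D bridge group address
BPDU_TYPE_CONFIG = 0x00
BPDU_TYPE_TCN = 0x80  # Topology Change Notification


def classify_frame(frame: bytes) -> str:
    """Classify one raw Ethernet frame by its destination and, for STP, BPDU type."""
    if len(frame) < 14:
        return "runt"
    dst = frame[:6]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if dst == BROADCAST_MAC:
        return "broadcast"
    # STP rides in an 802.3 frame (length field <= 1500) with LLC DSAP/SSAP 0x42.
    # Layout after the 14-byte header: DSAP, SSAP, ctrl, proto id (2), version, type.
    if dst == STP_MULTICAST_MAC and type_or_len <= 1500 and len(frame) >= 21:
        if frame[14] == 0x42 and frame[15] == 0x42:
            return "stp_tcn" if frame[20] == BPDU_TYPE_TCN else "stp_config"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast"


def analyze(frames, storm_threshold_per_sec=1000):
    """Bucket broadcast frames per second and report seconds above the threshold.

    frames: iterable of (timestamp_seconds, raw_frame_bytes).
    storm_threshold_per_sec: assumed illustrative threshold, not from the thread.
    """
    per_second = Counter()
    kinds = Counter()
    for ts, frame in frames:
        kind = classify_frame(frame)
        kinds[kind] += 1
        if kind == "broadcast":
            per_second[int(ts)] += 1
    storm_seconds = sorted(s for s, n in per_second.items() if n > storm_threshold_per_sec)
    return {
        "kinds": dict(kinds),
        "broadcast_per_second": dict(sorted(per_second.items())),
        "storm_seconds": storm_seconds,
        "tcn_bpdus": kinds["stp_tcn"],
    }


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: dst, src, ethertype, payload (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_tcn_bpdu(src: bytes) -> bytes:
    """802.3 frame carrying an LLC-encapsulated TCN BPDU (protocol id 0, version 0, type 0x80)."""
    llc_and_bpdu = b"\x42\x42\x03" + b"\x00\x00" + b"\x00" + bytes([BPDU_TYPE_TCN])
    return STP_MULTICAST_MAC + src + struct.pack("!H", len(llc_and_bpdu)) + llc_and_bpdu


def sample_capture():
    """Constructed stand-in for a capture: two quiet seconds, then one storm second."""
    host = bytes.fromhex("001122334455")    # assumed host MAC
    switch = bytes.fromhex("00aabbccddee")  # assumed switch MAC
    arp_request = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20
    ip_stub = b"\x45" + b"\x00" * 39
    frames = []
    for sec in (0, 1):
        for i in range(20):   # normal background ARP
            frames.append((sec + i / 20, build_frame(BROADCAST_MAC, host, 0x0806, arp_request)))
        for i in range(200):  # normal unicast
            frames.append((sec + i / 200, build_frame(host, switch, 0x0800, ip_stub)))
    for i in range(5000):     # storm: the same broadcast looping thousands of times
        frames.append((2 + i / 5000, build_frame(BROADCAST_MAC, host, 0x0806, arp_request)))
    for i in range(3):        # TCN BPDUs arriving while the storm is under way
        frames.append((2 + i / 3, build_tcn_bpdu(switch)))
    return frames


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(sample_capture()), indent=2))
```

Run against a real capture, the per-second broadcast counts should jump by orders of magnitude during a genuine storm (here the quiet seconds carry 20 broadcasts and the storm second 5000), and a burst of TCN BPDUs in the same window points at spanning tree rather than at the scanner, which, as the message notes, sends almost no broadcast traffic. A scan that merely slowed the network without such a spike would argue against a broadcast storm at all.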



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:09 EDT