Unisys "Clearpath" mainframes are very sensitive to the probes of nmap and
similar programs. Basically, by only port-scanning (not even
fingerprinting), you can cause the entire machine to seize up. (Yes, the
whole machine...not just a job or the TCP/IP device.)

The problem may be occurring because the host fires up a job to log each
incomplete TCP handshake - other people have suggested a problem with the
TCP/IP stack on the iron, but I really don't know for sure.

I know people might think that I am just DOS'ing the machine, but I got
this to happen with "nmap -T Normal" and it happens even easier at higher
speeds. If I do the same scans against Windows, *nix, VAX, or any other
type of TCP/IP devices I can find, the target machine continues to respond
after the scan. (Even on some 20mhz DOS machines running a custom build of
TCP/IP!) It's only the Clearpaths which seem to nose-dive.

Lest you think I am complaining about a problem on a single machine, let me
assure you I have seen this happen three different times at three different
locations (2 financial data centers and 1 bank) on three different
machines. I wrote this report after another security researcher
mentioned privately to me that he observed the same thing.

So...what's my advice? Don't use nmap or other port scanners against a
Clearpath - it will probably be fatal.

Say hello to my little friend: "nmapnt 10.0.0.8 -p 1-1023 -T Normal" (If
that doesn't work, make it less polite. Watch the "SPO" for added fun.)

* * * Vendor notification
Unisys field engineers have been notified of each occurrence at the various
sites. (I saw my first one go down in October 2001, saw the third do it
about a week ago. All were on current releases.)

Also notified Fyodor (of nmap) and submitted the "Unisys Clearpath NX"
fingerprints I had.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]