I have not seen any significant impact on bandwidth.  The quick 
discovery thing seems to happen about twice a day, on average.

  I *have* seen other difficulties.  Like PCanywhere, also a Symantec 
product, this discovery code assumes that all of your address blocks 
are entire class B/C blocks -- it ignores subnet masks.
  The upshot of this is that it will happily send to addresses that 
(a) are not really broadcast addresses, or (b) are broadcast 
addresses of subnets that DO NOT BELONG TO YOU.
  It's not much of an attack -- in general, only one or two specific 
neighbors would ever be mistakenly subjected to this traffic.  I do 
not, however, consider this to be an example of good netizenship.

David Gillett


On 28 Jun 2001, at 7:51, Young, Beth A. wrote:

> Through some discussions I have had with several people, I have a concern
> about NAV 7.5 server/client setup.  I wanted other expert opinions on this
> issue.  I am including some text from an email with a Symantec Engineer.  My
> questions/comments are in [brackets].
> 
> >When NSCTOP starts, it initiates a quick discovery, which is 
> >essentially a broadcast ping to the entire subnet. It asks 
> >that any application listening on port 38293 please respond 
> >with a pong packet. Any computers running PDS will respond to 
> >the ping with a pong packet.
> [Can this be used in a type of smurf amplification attack??? Especially
> taken with the next comment?]
> >Intense Discovery. Walks the Network Neighborhood, attempting 
> >to ping all computers it finds.
> 
> [And lastly we have a built in Network scanner??]:
> >Scan Network tab. The scan network feature of the "Find 
> >Computer" dialog allows you to scan a range of IP Addresses, 
> >or IP subnets in order to find computers. Using the IP address 
> >scan, you enter a range of IP addresses, which the dialog will 
> >then loop through. The dialog requests the discovery service 
> >to ping each address, and brings in any servers it finds. 
> >Using the IP subnet scan, you can send broadcast packets to 
> >specific subnets. This scan can circumvent routers that stop 
> >normal broadcast packets. 
> 
> ------------
>  
> Am I missing something here or am I being way too paranoid about this
> application?  Does anybody use server/client setup in their organization
> that can send me comments about this traffic and how it affects their
> bandwidth?  Has anybody tried to use this as a smurf amplification tool?
> 
> Beth Young
> MOREnet Security
> 1.800.509.6673
> http://www.more.net/
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
> 
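
An added example, not part of the original posts and not Symantec's code: a small audit that models the behaviour described in the reply above (a sender that derives the broadcast address from the address class and ignores the subnet mask) and reports which of your subnets would be affected. The function names, verdict labels and RFC 1918 sample addresses are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "target real_broadcast verdict")

def classful_prefix(addr):
    """Prefix length implied by the address class alone (A=/8, B=/16, C=/24)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is class D/E and has no classful network")

def audit(host, real_prefix):
    """Compare the broadcast a mask-ignoring sender would use with the real one."""
    addr = ipaddress.IPv4Address(host)
    real = ipaddress.ip_network(f"{host}/{real_prefix}", strict=False)
    assumed = ipaddress.ip_network(f"{host}/{classful_prefix(addr)}", strict=False)
    target = assumed.broadcast_address
    if target == real.broadcast_address:
        verdict = "ok"                  # classful guess happens to be right
    elif target in real:
        verdict = "not-a-broadcast"     # case (a): an ordinary address in your block
    else:
        verdict = "outside-allocation"  # case (b): lands in someone else's subnet
    return Finding(str(target), str(real.broadcast_address), verdict)

# Constructed sample inventory: (server address, real prefix length).
SAMPLE = [
    ("192.168.1.10", 24),   # class C space, real /24
    ("192.168.4.10", 22),   # class C space, supernetted to /22
    ("172.16.5.10", 24),    # class B space, subnetted to /24
    ("172.16.255.10", 24),  # last /24 of the class B block
]

if __name__ == "__main__":
    for host, prefix in SAMPLE:
        f = audit(host, prefix)
        print(f"{host}/{prefix}: sends to {f.target}, "
              f"real broadcast {f.real_broadcast} -> {f.verdict}")
```

Targets reported as `outside-allocation` are candidates for an egress filter on the discovery port (38293 in the quoted engineer's description).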

