Devices that dont like active network scanning

Tooms

Member
T
Join Date
Sep 2023
Location
Denmark
Posts
2
Hi



I am in the process of making an OT lab for training and to test incident response, an i keep hearing NOT to scan network because some devices can not handle this and will stop working until reset/restart of them.


so the question is, for lab purpose is there some known devices that always has this issue there will be good for testing in labs. ?
I am looking for used smaller inexpensive device that will be practical for this lab where of course both cost and lab space is limited.




So what devices with that issue will be good for an lab setup ?




Thanks
Tooms
 
I have done several network scans and I have never seen that there are devices that stop working when scanned.

If that happened it would be due to poor programming of the scanning software.

The scanner software tries to establish TCP connections with different ports (services) of the target IP, port 23 telnet, 80 http and many more.

If the scanning software establishes connections but then does not close them, it can exhaust the maximum number of connections that the device can establish and therefore, apart from scanning, it will also be a denial of service attack.
 
it is some thing that i keep hearing sentences like this have a book: "Nmap and other forms of active scanning can be harmful to ICS networks"
and there can knock them over in an way so they stop working and has to be restarted/reset again.
i hear it repeted from many places that it is an thing and some device can not handle packages because of weak CPU, OS or network stack.

So to learn and understand this better and do safe OT incident response, i like to see/test devices like that.


Regards
Tooms
 
Unfortunately for your needs it's not smaller but an Altivar71 with ethernet I/P will reliably fault when IT based scan tools (Artic Wolf, Angry IP scanner etc) interrogate it. Only have 4 of those left and can't wait to dump them.

Look for devices that used a java based HMI that won't render in modern browsers as a good vintage to draw from.

With modern hardware I doubt they will actually fault but a device with a small number of connection sockets might be a good target. I expect the results will be connection losses and not actual faults though like the Altivars.

Look into the CERT or ISAC database for vulnerability listings.
 

Similar Topics

M
Connecting Different controllers (brands) with same I/O devices - Demo Station Design
Hi, I want to build a demo station to test devices and programs and I need some help with it. I want to connect GuardLogix, Piltzmulti and...
Replies
1
Views
149
JeffKiper
JeffKiper
C
Simultaneously connecting 2 devices to 1 RS 232 port.
I have a piece of equipment that is operated by a PanelView Plus 600 HMI touch screen via RS232 into a Micrologix 1500 PLC. I am trying to...
Replies
5
Views
149
lfe
L
E
Modbus serial data from multiple devices to M340 controller
I have 9 field devices, three METSEPM5110 power meters and six ACE949-2 rs285 interface modules. I want to read this Modbus rtu data through rs485...
Replies
8
Views
317
Enggshab
E
S
Remote Access Solutions for Industrial Devices
Hello, I am looking for a solution to remotely access any kind of device securely across the internet. I know this has been done in piecemeal...
2
Replies
22
Views
2,238
durallymax
D
T
Isolating 2 wire analog devices with Point I/O
Hey folks, Hardware: *=Must use these devices. Allen Bradley 1734-AENTR (Dual Ethernet Adapter)* Allen Bradley 1734-IE8C (8Ch Analog Input...
Replies
2
Views
706
trueninjalo
T
Back
Top Bottom