Devices that dont like active network scanning

Tooms

Member
Join Date
Sep 2023
Location
Denmark
Posts
2
Hi



I am in the process of making an OT lab for training and to test incident response, an i keep hearing NOT to scan network because some devices can not handle this and will stop working until reset/restart of them.


so the question is, for lab purpose is there some known devices that always has this issue there will be good for testing in labs. ?
I am looking for used smaller inexpensive device that will be practical for this lab where of course both cost and lab space is limited.




So what devices with that issue will be good for an lab setup ?




Thanks
Tooms
 
I have done several network scans and I have never seen that there are devices that stop working when scanned.

If that happened it would be due to poor programming of the scanning software.

The scanner software tries to establish TCP connections with different ports (services) of the target IP, port 23 telnet, 80 http and many more.

If the scanning software establishes connections but then does not close them, it can exhaust the maximum number of connections that the device can establish and therefore, apart from scanning, it will also be a denial of service attack.
 
it is some thing that i keep hearing sentences like this have a book: "Nmap and other forms of active scanning can be harmful to ICS networks"
and there can knock them over in an way so they stop working and has to be restarted/reset again.
i hear it repeted from many places that it is an thing and some device can not handle packages because of weak CPU, OS or network stack.

So to learn and understand this better and do safe OT incident response, i like to see/test devices like that.


Regards
Tooms
 
Unfortunately for your needs it's not smaller but an Altivar71 with ethernet I/P will reliably fault when IT based scan tools (Artic Wolf, Angry IP scanner etc) interrogate it. Only have 4 of those left and can't wait to dump them.

Look for devices that used a java based HMI that won't render in modern browsers as a good vintage to draw from.

With modern hardware I doubt they will actually fault but a device with a small number of connection sockets might be a good target. I expect the results will be connection losses and not actual faults though like the Altivars.

Look into the CERT or ISAC database for vulnerability listings.
 

Similar Topics

Hey all, I am working on a project and i want to use Allen Bradley Micro850 controllers. This model has ethernet ip functionality. So the project...
Replies
8
Views
170
Hi, I want to build a demo station to test devices and programs and I need some help with it. I want to connect GuardLogix, Piltzmulti and...
Replies
1
Views
179
I have a piece of equipment that is operated by a PanelView Plus 600 HMI touch screen via RS232 into a Micrologix 1500 PLC. I am trying to...
Replies
5
Views
166
I have 9 field devices, three METSEPM5110 power meters and six ACE949-2 rs285 interface modules. I want to read this Modbus rtu data through rs485...
Replies
8
Views
350
Hello, I am looking for a solution to remotely access any kind of device securely across the internet. I know this has been done in piecemeal...
Replies
22
Views
2,360
Back
Top Bottom