Devices that don't like active network scanning

Tooms

Hi

I am in the process of making an OT lab for training and to test incident response, and I keep hearing NOT to scan the network because some devices cannot handle this and will stop working until they are reset/restarted.

So the question is: for lab purposes, are there some known devices that always have this issue that would be good for testing in labs?
I am looking for a used, smaller, inexpensive device that will be practical for this lab, where of course both cost and lab space are limited.

So what devices with that issue will be good for a lab setup?

Thanks
Tooms
 
I have done several network scans and I have never seen that there are devices that stop working when scanned.

If that happened it would be due to poor programming of the scanning software.

The scanner software tries to establish TCP connections with different ports (services) of the target IP, port 23 telnet, 80 http and many more.

If the scanning software establishes connections but then does not close them, it can exhaust the maximum number of connections that the device can establish and therefore, apart from scanning, it will also be a denial of service attack.
 
It is something that I keep hearing, sentences like this from a book: "Nmap and other forms of active scanning can be harmful to ICS networks"
and that it can knock them over in a way so they stop working and have to be restarted/reset again.
I hear it repeated from many places that it is a thing and that some devices cannot handle packets because of a weak CPU, OS or network stack.

So to learn and understand this better and do safe OT incident response, I would like to see/test devices like that.


Regards
Tooms
 
Unfortunately for your needs it's not smaller, but an Altivar71 with ethernet I/P will reliably fault when IT based scan tools (Arctic Wolf, Angry IP scanner etc) interrogate it. Only have 4 of those left and can't wait to dump them.

Look for devices that used a Java-based HMI that won't render in modern browsers as a good vintage to draw from.

With modern hardware I doubt they will actually fault but a device with a small number of connection sockets might be a good target. I expect the results will be connection losses and not actual faults though like the Altivars.

Look into the CERT or ISAC database for vulnerability listings.
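
Added example, not part of any post in this thread: a small offline Python model of the socket-exhaustion effect described in the replies above, comparing a scanner that leaves connections open with one that closes them, and a small socket table with a large one. The `Device` class, the table sizes, the idle timeout and the tick-based timing are constructed assumptions for illustration, not measurements of any real device, and no network traffic is generated.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    """Toy embedded TCP stack: fixed socket table plus an idle reaper."""
    max_sockets: int
    idle_timeout: int                          # ticks before an idle socket is freed
    conns: dict = field(default_factory=dict)  # connection id -> tick it was opened
    next_id: int = 0

    def reap(self, now):
        for cid in [c for c, t in self.conns.items() if now - t >= self.idle_timeout]:
            del self.conns[cid]

    def accept(self, now):
        if len(self.conns) >= self.max_sockets:
            return None                        # table full: connection refused
        self.next_id += 1
        self.conns[self.next_id] = now
        return self.next_id

    def close(self, cid):
        self.conns.pop(cid, None)

def simulate(closes, ports=100, rate=10, max_sockets=8, idle_timeout=30, ticks=60):
    """Return how many once-per-tick controller polls the device refuses."""
    dev, lost, remaining = Device(max_sockets, idle_timeout), 0, ports
    for now in range(ticks):
        dev.reap(now)
        burst = min(rate, remaining)
        remaining -= burst
        for _ in range(burst):                 # scanner probes one port each
            cid = dev.accept(now)
            if cid is not None and closes:
                dev.close(cid)                 # well-behaved scanner frees the socket
        poll = dev.accept(now)                 # legitimate HMI/controller poll
        if poll is None:
            lost += 1
        else:
            dev.close(poll)
    return lost

if __name__ == "__main__":
    print("leaky scanner, 8 sockets:  ", simulate(closes=False))
    print("clean scanner, 8 sockets:  ", simulate(closes=True))
    print("leaky scanner, 256 sockets:", simulate(closes=False, max_sockets=256))
```

In this model the leaky scan costs the controller every poll until the idle timeout frees the table, which is the "connection losses" outcome rather than a device fault; for a lab, the socket-table size and idle timeout are the two properties worth recording for each device under test.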
 
