Hi Mark,
That has not been our recent experience at the APS. Our PLCs (Koyo), VME, motor controllers and areaDetectors have no problems during shutdown periods at the APS when those scans occur. Can you list the specific devices that have problems for you?
Mark
Sent from my iPhone
> On Jan 23, 2018, at 5:32 PM, Mark Engbretson <[email protected]> wrote:
>
> For whatever it is worth, there are a large number of Ethernet devices that have to be manually reset at the APS when the network police run their various port scans - PLC systems, Area Detectors, Galil Ethernet motor controllers, whatever.
>
> Their docs also state clearly that such hardware is intended to be used on an isolated or protected network. I do not think that any software or hardware vendor is going to say their server implementations can 100% survive what is essentially a DOS attack.
>
> You used to be able to crash CA gateways or even VxWorks hardware even with valid packets if you had an ill-behaved application just performing non-stop stupid requests that are never shut down correctly. You could overflow/fragment memory before zombie client cleanup routines get triggered.
>
> Decent packet validation software probably has real world big bucks applications.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Michael Davidsaver
> Sent: Tuesday, January 23, 2018 3:45 PM
> To: Hartman, Steven M. <[email protected]>; Benjamin Franksen <[email protected]>
> Cc: EPICS Tech Talk <[email protected]>
> Subject: Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request]
>
>> On 01/23/2018 10:54 AM, Hartman, Steven M. wrote:
>> Nonetheless, a malformed packet crashing a server would be considered a bug in the server implementation and should be fixed.
>
> I don't think anyone is going to argue that these sorts of issues shouldn't be fixed.
> The problem is as usual a question of time and/or money. Actively finding and _fixing_ packet validation issues has never been a priority for anyone.
>
> FYI, if someone could spend time on this, a place to start might be:
>
> https://github.com/mdavidsaver/catvs
>
> which is a framework I started for verifying consistency between CA implementations. This works by constructing packets with a Python script. It is straightforward to create invalid/corrupt messages.
>
> A test case for zero length PVs could be added here
>
> https://github.com/mdavidsaver/catvs/blob/master/catvs/server/test_search.py#L16
>
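An added example (not from this thread, nor from catvs or EPICS Base) of the kind of packet validation discussed above: a Python walker over the messages in one CA UDP datagram that always makes forward progress and rejects a search request with a zero-length PV name. The 16-byte big-endian header layout, `CA_PROTO_SEARCH = 6` and the 8-byte payload alignment are assumptions taken from the public Channel Access protocol specification; `parse_datagram`, `build` and `verdict` are hypothetical names, and the sample datagrams are constructed.

```python
import struct

# Assumed CA header: command, payload size, data type, data count, param1, param2
HEADER = struct.Struct(">HHHHII")
CA_PROTO_SEARCH = 6  # assumed command code for a search request

class InvalidDatagram(ValueError):
    """Raised for any datagram the walker refuses to process."""

def parse_datagram(data):
    """Split one UDP datagram into (command, payload) messages or raise."""
    messages, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise InvalidDatagram("truncated header at offset %d" % offset)
        command, size = HEADER.unpack_from(data, offset)[:2]
        start = offset + HEADER.size
        if size % 8:
            raise InvalidDatagram("payload size %d not 8-byte aligned" % size)
        if start + size > len(data):
            raise InvalidDatagram("payload runs past end of datagram")
        payload = data[start:start + size]
        if command == CA_PROTO_SEARCH:
            # The PV name is the payload up to the first NUL byte.
            if not payload.split(b"\0", 1)[0]:
                raise InvalidDatagram("search request with zero-length PV name")
            if b"\0" not in payload:
                raise InvalidDatagram("PV name not NUL-terminated")
        messages.append((command, payload))
        offset = start + size  # advances by at least HEADER.size every pass
    return messages

def build(command, payload=b"", dtype=0, count=0, p1=0, p2=0):
    """Constructed-sample helper: pad the payload to 8 bytes, prepend a header."""
    payload += b"\0" * (-len(payload) % 8)
    return HEADER.pack(command, len(payload), dtype, count, p1, p2) + payload

def verdict(data):
    """Return "ok" or the reason the datagram was rejected."""
    try:
        parse_datagram(data)
        return "ok"
    except InvalidDatagram as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed samples: a valid search, then a search with an empty payload.
    for sample in (build(CA_PROTO_SEARCH, b"test:pv\0"), build(CA_PROTO_SEARCH)):
        print(verdict(sample))
```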