Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: RE: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request]
From: "Mark Engbretson" <engbretson@anl.gov>
To: "'Michael Davidsaver'" <mdavidsaver@gmail.com>, "'Hartman, Steven M.'" <hartmansm@ornl.gov>, "'Benjamin Franksen'" <benjamin.franksen@helmholtz-berlin.de>
Cc: 'EPICS Tech Talk' <tech-talk@aps.anl.gov>
Date: Tue, 23 Jan 2018 17:32:08 -0600
For whatever it is worth, there are a large number of Ethernet devices that have to be manually reset at the APS when the network police run their various port scans - PLC systems, Area Detectors, Galil Ethernet motor controllers, whatever.

Their docs also state clearly that such hardware is intended to be used on an isolated or protected network. I do not think that any software or hardware vendor is going to say their server implementations can 100% survive what is essentially a DOS attack. 

You used to be able to crash CA gateways or even VxWorks hardware even with valid packets if you had an ill-behaved application just performing non-stop stupid requests that are never shut down correctly. You could overflow/fragment memory before zombie client cleanup routines get triggered.

Decent packet validation software probably has real world big bucks applications.

-----Original Message-----
From: tech-talk-bounces@aps.anl.gov [mailto:tech-talk-bounces@aps.anl.gov] On Behalf Of Michael Davidsaver
Sent: Tuesday, January 23, 2018 3:45 PM
To: Hartman, Steven M. <hartmansm@ornl.gov>; Benjamin Franksen <benjamin.franksen@helmholtz-berlin.de>
Cc: EPICS Tech Talk <tech-talk@aps.anl.gov>
Subject: Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request]

On 01/23/2018 10:54 AM, Hartman, Steven M. wrote:
> Nonetheless, a malformed packet crashing a server would be considered a bug in the server implementation and should be fixed.

I don't think anyone is going to argue that these sorts of issues shouldn't be fixed.
The problem is, as usual, a question of time and/or money.  Actively finding and _fixing_ packet validation issues has never been a priority for anyone.

FYI, if someone could spend time on this, a place to start might be:

https://github.com/mdavidsaver/catvs

which is a framework I started for verifying consistency between CA implementations.  This works by constructing packets with a python script.  It is straightforward to create invalid/corrupt messages.

A test case for zero length PVs could be added here:

https://github.com/mdavidsaver/catvs/blob/master/catvs/server/test_search.py#L16
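As an added illustration (not code from this thread, from catvs, or from EPICS Base), here is a small Python parser for a CA UDP search datagram that fails closed on the zero-length PV name this thread is about, rather than stalling: every loop iteration either consumes bytes or raises. The 16-byte header layout and the command codes are assumed from the CA protocol documentation; the `build_search` helper only exists to construct sample input.

```python
import struct

# Channel Access (CA) message header: six big-endian fields, 16 bytes.
# Field layout and command codes follow the CA protocol documentation; this
# parser is an added illustration, not code from catvs or from EPICS Base.
CA_HDR = struct.Struct(">HHHHII")  # cmd, payload size, type, count, p1, p2
CA_PROTO_VERSION = 0
CA_PROTO_SEARCH = 6

def build_search(cid, name, pad_to=8):
    """Construct a CA search request as sample input (constructed, not captured).
    The PV name is NUL-terminated and padded to a multiple of `pad_to`."""
    body = name.encode("ascii") + b"\0"
    body += b"\0" * (-len(body) % pad_to)
    # dtype 5 = DONTREPLY if not found; dcount carries the client minor version
    return CA_HDR.pack(CA_PROTO_SEARCH, len(body), 5, 13, cid, cid) + body

def parse_search_datagram(data):
    """Return [(cid, pvname), ...] for every well-formed search request in a
    UDP datagram and raise ValueError on anything malformed.  Every loop
    iteration either consumes bytes or raises, so a zero-length payload or an
    empty name can never leave the cursor where it was."""
    found, off = [], 0
    while off < len(data):
        if len(data) - off < CA_HDR.size:
            raise ValueError("truncated header at offset %d" % off)
        cmd, psize, _dtype, _dcount, p1, _p2 = CA_HDR.unpack_from(data, off)
        off += CA_HDR.size
        if psize > len(data) - off:
            raise ValueError("payload size %d overruns the datagram" % psize)
        payload = data[off:off + psize]
        off += psize
        if cmd != CA_PROTO_SEARCH:
            continue  # e.g. the CA_PROTO_VERSION preamble; nothing to validate
        if psize == 0:
            raise ValueError("search request with zero-length payload")
        name = payload.split(b"\0", 1)[0]
        if not name:
            raise ValueError("zero-length PV name in search request")
        found.append((p1, name.decode("ascii")))  # non-ASCII also raises ValueError
    return found

def is_well_formed(data):
    """Boolean wrapper: True if the datagram parses cleanly."""
    try:
        parse_search_datagram(data)
        return True
    except ValueError:
        return False
```

A server-side check of this shape is what a catvs test for zero-length names would exercise: the malformed datagram must be rejected and the dispatch loop must still advance.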
