Network scan tool/appliance horror stories

Rutis, Cameron Cameron.Rutis at portlandoregon.gov
Mon Oct 29 20:55:19 UTC 2012


During scans at various times in the past (and depending on throttling and settings of that scan) we've seen:
1) small remote site firewalls doing site-to-site VPNs drop a small number of packets
2) locally installed remote control service pop up a 'user has been disconnected' error on PCs when port scanned
3) some devices send alerts like 'Unauthorized attempt to gain access' when their SNMP ports are hit with non-standard community strings
4) logging on some devices that causes concern for the admin of that device ("Is someone hacking my device?")
5) out-of-date/non-patched (yet critical) applications and/or web servers crashing/locking up (this occurred on specific Nessus scans, not a generic port/SNMP scan)
6) large stacks of 3750s (six or more members) have issues around CPU during certain SNMP commands (I want to say some sort of getbulk type of command)

The first four were pretty minor, although #3 could generate a lot of calls to the support center. #5 was a big deal due to the nature of the application. #6 was impactful because we dropped routing neighbors for about 10 seconds, but this was a couple of years ago, so it may have been an old IOS bug.

-----Original Message-----
From: Pedersen, Sean [mailto:Sean.Pedersen at usairways.com] 
Sent: Monday, October 29, 2012 12:11 PM
To: nanog at nanog.org
Subject: Network scan tool/appliance horror stories

We're evaluating several tools at the moment, and one vendor wants to dynamically scan our network to pick up hosts - SNMP, port-scans, WMI, the works. I was curious if anyone had any particularly gruesome horror stories of scanning tools run amok.


