CPU load on the target server caused by the scan

Hey, guys,
I had problems while running an authenticated (SSH port 22) scan against internal network assets.
I ran the latest version of GVM with the most up-to-date feed against a list of 45 Linux IPs, and in less than 3 minutes most of those Linux VMs running on a VMware hypervisor suddenly froze, crashed and stopped their services. In an evaluation, we saw that CPU and processing on all VMs increased to 100% after the GVM scan started.
I ran the scan with almost all default configurations, such as “Scanner = OpenVAS Default”, “Scan Config = Full and fast”, “Maximum concurrently executed NVTs per host = 4”, “Maximum concurrently scanned hosts = 20”, “All IANA assigned TCP ports” and “Alive test = Scan Config Default”.
I read somewhere that decreasing the maximum concurrently executed NVTs per host to 1 might go better, but I’m trying to understand if I really need to do anything else to avoid crashing the target.
Do you have any useful information to help?

Additionally, while analyzing logs from a single target that was scanned, we saw tons of connection attempts coming from the Kali VM which was running GVM (see attachment; svc_secs was the service user for the authenticated scan).
[Attachment: 2022-09-18 21_23_22-Window]

Thanks all!

Did you limit the TCP port range to 22 (SSH) only? If not, and you use the default port values to scan them, that could explain the connections.


Thanks @Lukas!
How can I do it? I’m not sure if I lost something while configuring, so probably I followed the default settings on this topic, too.
I did a new test setting the NVTs check to 1 and the load on the target server has decreased; also, there was no downtime on the target, which is quite good. We’ll try it again with NVTs equal to 2, in order to keep the impact as low as possible and speed up the scan a little bit (NVT = 1 made my scan run for almost 3 hours on a single server until completion).

You need to define a new port list with only TCP 22; please check our fine documentation on how to do that.
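
The two changes discussed in this thread, as an added example that is not part of the original posts or Greenbone's own code: it builds the GMP XML for a port list holding only TCP 22 and for lowering a task's `max_checks` / `max_hosts` scanner preferences. The port list name, the task ID placeholder and the `max_hosts` value of 5 are constructed, and the element names assume the GMP `create_port_list` and `modify_task` commands.

```python
# Added example: GMP XML for an SSH-only port list and a throttled scan task.
import xml.etree.ElementTree as ET


def port_range(tcp_ports):
    """Collapse TCP port numbers into GMP port-range syntax, e.g. 'T:22,80-82'."""
    ports = sorted(set(tcp_ports))
    if not ports or ports[0] < 1 or ports[-1] > 65535:
        raise ValueError("TCP ports must be in 1..65535")
    runs, start, prev = [], ports[0], ports[0]
    for p in ports[1:]:
        if p != prev + 1:          # gap found: close the current run
            runs.append((start, prev))
            start = p
        prev = p
    runs.append((start, prev))
    return "T:" + ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def create_port_list_xml(name, tcp_ports):
    """<create_port_list> command restricting the scan to the given TCP ports."""
    root = ET.Element("create_port_list")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "port_range").text = port_range(tcp_ports)
    return ET.tostring(root, encoding="unicode")


def throttle_task_xml(task_id, max_checks, max_hosts):
    """<modify_task> command setting concurrent NVTs per host and concurrent hosts."""
    if max_checks < 1 or max_hosts < 1:
        raise ValueError("limits must be at least 1")
    root = ET.Element("modify_task", task_id=task_id)
    prefs = ET.SubElement(root, "preferences")
    for key, value in (("max_checks", max_checks), ("max_hosts", max_hosts)):
        pref = ET.SubElement(prefs, "preference")
        ET.SubElement(pref, "scanner_name").text = key
        ET.SubElement(pref, "value").text = str(value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed values: placeholder task ID, NVTs = 2 as planned in the thread.
    print(create_port_list_xml("SSH only", [22]))
    print(throttle_task_xml("TASK-ID-PLACEHOLDER", max_checks=2, max_hosts=5))
```

The new port list only takes effect once the scan target references it, and the printed XML can be sent with a GMP client such as `gvm-cli --xml`.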