DDOSing my network

Hello!

I received a free trial of the CENO appliance from the sales department to test on my network.

I first configured and ran a scan on a Data Center that has around 200 hosts. Upon initiation of the scan, my network team pinged me saying that there was significant packet loss occurring across the network that I targeted with the scan.

I contacted the technical support team who informed me that the issue was being caused by the amount of hosts that I was attempting to scan. I then cut my target list down by subnets which would only have a maximum of 20 hosts active during the scan. The DDOSing issue still persisted.

Here is a screen cap of the scan settings:

Here is the second scan I ran with less hosts per scan and less targets:

This is the report from the traffic monitor showing the packet loss as a result of the scan above:

It is very unlikely that the scan traffic of the appliance is performing a DDoS due to packet amount or bandwidth.

Most likely you have an IDS / IPS / firewall solution in place that is blocking packets due to a misconfiguration of your network security.

Do you have any firewalls in place?

What are your alive criteria?

A discovery scan is not trying any vulnerabilities, so it is extremely unlikely.

If your environment is not port-scan resilient you have a bigger problem.


So for the VLAN 150 scan, the appliance is installed inside of our firewall, so the internal traffic would not be filtered by the IDS, IPS or firewall rules.

On the monitoring software we have in place, we can see CENO connecting to/sending traffic to each of the listed targets, but for some reason CENO is choking up the lines and forcing other traffic to drop as a result.

That is technically not possible. To force traffic to drop you need to fill the bandwidth of the Ethernet or run a one-to-many amplification attack, and with one node you simply cannot do that. I suggest you investigate the technical reason why your monitoring software runs wild with something like a simple port scan. A GVM cannot force other traffic to drop.

This increased ping/dropping packet discrepancy was not an issue when we scanned all of our data centers while testing Greenbone Community edition. We have also previously scanned all our networks with tenable.io and never had any traffic issues. The issues only occur while actively scanning with CENO.

The network reacts as if a one-to-many amplification attack is occurring, just as you described.

If you run a discovery job, there is no difference… I think you have an issue with your virtual networking, deployment or your network. I would start over and install the CENO again on a clean system, with a dedicated LAN port to your network.

Then you can scan “one” host and see what happens … and later expand it …

You can run a tcpdump as well to see what happens in detail.
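As an added example, not part of this thread or of Greenbone's own tooling, the following script turns `tcpdump -nn -tt` output into a per-second profile of the scanner's outbound traffic: packets, approximate wire bytes, how many targets it touched, and what share of the link that represents. The capture lines, the scanner address 10.150.0.50, the VLAN 150 targets and the 1 Gbit/s link are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn -tt` format (not a real capture): the
# scanner at 10.150.0.50 probes two hosts on VLAN 150 within two seconds.
SAMPLE = """\
1700000000.000100 IP 10.150.0.50.44010 > 10.150.0.10.22: Flags [S], seq 1, win 64240, length 0
1700000000.000300 IP 10.150.0.50.44011 > 10.150.0.10.80: Flags [S], seq 1, win 64240, length 0
1700000000.000500 IP 10.150.0.10.22 > 10.150.0.50.44010: Flags [S.], seq 2, ack 2, win 65535, length 0
1700000000.400000 IP 10.150.0.50.44012 > 10.150.0.11.443: Flags [S], seq 1, win 64240, length 0
1700000001.100000 IP 10.150.0.50.44013 > 10.150.0.11.445: Flags [P.], seq 1:1461, ack 1, win 64240, length 1460
1700000001.100200 IP 10.150.0.11.445 > 10.150.0.50.44013: Flags [.], ack 1461, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): .*length (?P<len>\d+)$")

def parse_tcpdump(text):
    """Return (timestamp, src, dst, dport, tcp_payload_len) for every TCP line that matches."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((float(m["ts"]), m["src"], m["dst"], int(m["dport"]), int(m["len"])))
    return pkts

def scanner_profile(pkts, scanner_ip, link_mbps=1000.0, hdr_bytes=54):
    """Per-second outbound packets, approximate wire bytes, target fan-out and link utilisation
    for the scanner. hdr_bytes assumes Ethernet+IPv4+TCP headers without options (14+20+20),
    because tcpdump's trailing 'length' is the TCP payload only."""
    secs = defaultdict(lambda: {"pkts": 0, "bytes": 0, "targets": set()})
    for ts, src, dst, dport, length in pkts:
        if src != scanner_ip:
            continue  # only the scanner's own probes count toward the link share
        s = secs[int(ts)]
        s["pkts"] += 1
        s["bytes"] += length + hdr_bytes
        s["targets"].add(dst)
    return {sec: {"pkts": s["pkts"], "bytes": s["bytes"], "targets": len(s["targets"]),
                  "link_util_pct": s["bytes"] * 8 / (link_mbps * 1e6) * 100}
            for sec, s in sorted(secs.items())}

def peak_link_utilisation(profile):
    """Highest per-second share of the link (percent) used by the scanner's traffic."""
    return max((v["link_util_pct"] for v in profile.values()), default=0.0)

if __name__ == "__main__":
    prof = scanner_profile(parse_tcpdump(SAMPLE), "10.150.0.50")
    for sec, v in prof.items():
        print(sec, v)
    print("peak link utilisation: %.6f%%" % peak_link_utilisation(prof))
```

Feed it a real capture with `tcpdump -nn -tt -i <iface> host <scanner> > scan.txt` and a peak well below link capacity points away from bandwidth exhaustion and toward the virtual NIC, switch or monitoring path suggested above.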

Ok, thank you for the advice, I will try this again. My example screenshots came from the two tests I ran with two different instances of fresh-install demo CENO OVAs: one outside of the target network and one inside of the target network.

Just for clarification, the second example scan that I posted was not a discovery scan. The discovery scans did not result in the same level of ping spikes as the ‘Full and fast’ configurations did. The second example was from the CENO that was installed and initiated from inside the firewall of the target network while limiting max host connections as well as concurrent NVT tests. Also, the tests I ran on the community edition were utilizing the ‘Full and fast’ scan configuration with no limits on target list, max host connections, or NVTs.