Troubleshooting
Problem
A port vulnerability scanner is an application designed to probe a server or host for open ports. Most scanners run for a period of time, assessing open ports on a host, and then produce a report for the end user that identifies potential security compromises on the enterprise systems scanned.
Scanners were previously known to cause issues for all ITM applications; specifically, the component would stall.
Symptom
Port scanners typically establish multiple connections in order to run various tests designed to detect security vulnerabilities.
During a scan, messages such as the following are typically written to the ITM application's RAS log:
(612E1A14.0004-30:kdebbrx.c,44,"KDEB_BaseReceive") Status 1DE0000B=KDE1_STC_DISCONNECTED=104: Connection reset by peer
(612E1A14.0005-30:kdebbtx.c,47,"KDEB_BaseTransmit") Status 1DE0000B=KDE1_STC_DISCONNECTED=32: Broken pipe
(612E1A14.0006-30:kdebeal.c,81,"ssl_provider_open") GSKit error 410: GSK_ERROR_BAD_MESSAGE - errno 32
(612E1A14.0046-60:kdebp0r.c,240,"receive_pipe") Status 1DE00074=KDE1_STC_DATASTREAMINTEGRITYLOST
(612E1A14.0047-60:kdeprxi.c,82,"KDEP_ReceiveXID") Status 1DE0003C=KDE1_STC_RECEIVEXIDFAILURE
The presence of many such messages occurring within a few minutes is usually an indication that a port scan ran at that time.
Following a port scan, the ITM application may cease to operate normally and appear to be stalled.
At that time, a netstat report will likely indicate that one or more connections to that component have a high and increasing TCP Receive Queue size.
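One way to automate the log check described above, as an added example that is not IBM's code: it counts the status strings from the sample lines inside a sliding time window. It assumes the first field of each RAS log line is the time in hexadecimal epoch seconds; the 300-second window and the threshold of 20 are illustrative values, not taken from this document, and the sample input is constructed.

```python
import re
from bisect import bisect_left, bisect_right

# Status strings taken from the sample RAS log lines on this page.
INDICATORS = ("KDE1_STC_DISCONNECTED", "GSK_ERROR_BAD_MESSAGE",
              "KDE1_STC_DATASTREAMINTEGRITYLOST", "KDE1_STC_RECEIVEXIDFAILURE")
# Line prefix as shown above: (hexsecs.seq-thread:source.c,line,"function") message
LINE_RE = re.compile(r'^\(([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{4}-[0-9A-Fa-f]+:'
                     r'[^,]+,\d+,"[^"]+"\)\s*(.*)$')

def indicator_times(lines):
    """Epoch seconds of every line carrying one of the indicator statuses."""
    times = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and any(tag in m.group(2) for tag in INDICATORS):
            times.append(int(m.group(1), 16))  # assumption: hex epoch seconds
    return sorted(times)

def find_scan_bursts(lines, window_s=300, threshold=20):
    """Return [(start, end, count)] for periods in which at least `threshold`
    indicator messages fall inside a sliding `window_s`-second window."""
    times, spans, lo = indicator_times(lines), [], 0
    for hi, ts in enumerate(times):
        while ts - times[lo] > window_s:
            lo += 1
        if hi - lo + 1 >= threshold:
            if spans and times[lo] <= spans[-1][1]:
                spans[-1][1] = ts            # overlaps previous span: extend it
            else:
                spans.append([times[lo], ts])
    return [(s, e, bisect_right(times, e) - bisect_left(times, s))
            for s, e in spans]

def constructed_sample():
    """Constructed input: 30 failures in 60 s, then 3 isolated ones an hour on."""
    fmt = ('({:08X}.{:04X}-30:kdebbrx.c,44,"KDEB_BaseReceive") Status '
           '1DE0000B=KDE1_STC_DISCONNECTED=104: Connection reset by peer')
    base = 0x612E1A14
    burst = [fmt.format(base + 2 * i, i) for i in range(30)]
    quiet = [fmt.format(base + 3600 + 600 * i, i) for i in range(3)]
    noise = ['({:08X}.0000-30:example.c,1,"Example") constructed unrelated line'.format(base)]
    return noise + burst + quiet

if __name__ == "__main__":
    for start, end, count in find_scan_bursts(constructed_sample()):
        print(f"{count} indicator messages between epoch {start} and {end}")
```

A reported burst gives the time range to compare against the scanner's schedule and against the netstat Receive Queue observation above.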
Document Location
Worldwide
Document Information
Modified date:
10 July 2024
UID
ibm16495891