Security Basics mailing list archives

Re: nmap questions


From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Fri, 4 Jun 2004 13:30:27 -0600

On Fri, Jun 04, 2004 at 12:34:19AM -0500, Steven A. Fletcher wrote:
> comes back with "Too many drops ... increasing senddelay" numerous times
> [...]
> problem.  However, on larger networks, I do not wish to wait that long.
> Also, it happens on an internal network, so the problem does not appear
> to be that the hosts are behind a firewall.

TCP has within it the ability to respond negatively to requests (RST
flag set in packets).  UDP does not (it does not make sense to do so
in all cases, so this is a good thing).  The way a TCP/IP stack
responds to "nothing is listening on this port" conditions is with an
ICMP error packet.

Solaris, Linux, and an increasing number of other OSes implement what
is called ICMP error rate limiting.  The result is only a certain
number of ICMP error messages are generated in a certain time
interval.  Linux or Solaris (I don't recall which) limits things to
one error message every two seconds.  And that means a port scan of
1500 ports (a number near nmap's default port count) will take 3000
seconds (probably a touch more).  Nmap knows this will happen, and
tries to scan fast, and proceeds to scan slower and slower until it
reaches a point where all its queries are answered - the optimal scan
rate.

You could go around and lower or remove the error rate throttle on
each machine, but this isn't what you are trying to do (scanning lets
you see the machine as it exists without you touching it).  And the
error rate limiting is a good thing from performance and network
reliability standpoints.  Plus it takes forever for people to scan
the machine (normally a good thing).
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         Coca leaves are not a drug.     Computer Science
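
The timing described in the message above can be reproduced with a small simulation. This is an added example, not part of the original post and not nmap's actual timing algorithm: `simulate_scan`, its parameters and the backoff rule (double the send delay after every three drops) are assumptions, while the 1500 ports and the one-error-per-two-seconds limit are the figures from the post.

```python
def simulate_scan(ports=1500, limit_interval=2.0, start_delay=0.0625,
                  drop_threshold=3):
    """Model a UDP scan of closed ports on a host that emits at most one
    ICMP error every `limit_interval` seconds.

    Simplified model (assumption): one probe in flight at a time, no network
    loss, and the send delay doubles after every `drop_threshold` unanswered
    probes. Returns (total_seconds, final_send_delay, unanswered_probes).
    """
    now = 0.0
    last_reply = -limit_interval   # host may answer the very first probe
    delay = start_delay
    drops = 0                      # drops since the last delay increase
    unanswered = 0
    remaining = ports

    while remaining:
        now += delay               # wait the send delay, then probe
        if now - last_reply >= limit_interval:
            # Rate limiter lets an ICMP port-unreachable through:
            # this port is now known to be closed.
            last_reply = now
            remaining -= 1
        else:
            # ICMP error suppressed: the probe looks dropped and must be
            # retried, so the scanner counts it and eventually slows down.
            unanswered += 1
            drops += 1
            if drops >= drop_threshold:   # "Too many drops"
                delay *= 2                # "... increasing senddelay"
                drops = 0
    return now, delay, unanswered


if __name__ == "__main__":
    total, delay, lost = simulate_scan()
    print(f"rate-limited host: {total:.1f}s, final delay {delay}s, "
          f"{lost} probes unanswered")
    total, delay, lost = simulate_scan(limit_interval=0.0)
    print(f"no rate limit:     {total:.1f}s, final delay {delay}s, "
          f"{lost} probes unanswered")
```

In this model the send delay settles at the host's limit interval after a handful of unanswered probes, and the total scan time is set by the host's rate limit rather than by how fast the scanner starts.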
