Security Basics mailing list archives
Re: nmap questions
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Fri, 4 Jun 2004 13:30:27 -0600
On Fri, Jun 04, 2004 at 12:34:19AM -0500, Steven A. Fletcher wrote:
> comes back with "Too many drops ... increasing senddelay" numerous times [...] problem. However, on larger networks, I do not wish to wait that long. Also, it happens on an internal network, so the problem does not appear to be that the hosts are behind a firewall.
TCP has within it the ability to respond negatively to requests (RST flag set in packets). UDP does not (it does not make sense to do so in all cases, so this is a good thing). The way a TCP/IP stack responds to "nothing is listening on this port" conditions is with an ICMP error packet.

Solaris, Linux, and an increasing number of other OSes implement what is called ICMP error rate limiting. The result is that only a certain number of ICMP error messages are generated in a certain time interval. Linux or Solaris (I don't recall which) limits things to one error message every two seconds. And that means a port scan of 1500 ports (a number near nmap's default port count) will take 3000 seconds (probably a touch more).

Nmap knows this will happen, and tries to scan fast, and proceeds to scan slower and slower until it reaches a point where all its queries are answered - the optimal scan rate.

You could go around and lower or remove the error rate throttle on each machine, but this isn't what you are trying to do (scanning lets you see the machine as it exists without you touching it). And the error rate limiting is a good thing from performance and network reliability standpoints. Plus it takes forever for people to scan the machine (normally a good thing).

-----------------------------------------------------------------------
Bradley Arlt, Security Team Lead
arlt () cpsc ucalgary ca
University Of Calgary, Computer Science
Coca leaves are not a drug.
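A simplified model of the interaction described in the message above, added here as an example; it is not part of the original post and not Nmap's code. Assumptions: the host emits at most one ICMP error per interval, every scanned port is closed (so a missing reply always counts as a drop), and the scanner doubles its send delay on each drop; the function name `simulate_scan` and the backoff rule are hypothetical.

```python
"""Model of ICMP error rate limiting versus an adaptive UDP scanner."""


def simulate_scan(ports, icmp_interval, start_delay, max_retries=32):
    """Simulate probing `ports` closed UDP ports on one host.

    The host sends at most one ICMP port-unreachable every `icmp_interval`
    seconds. A probe that gets no ICMP error is treated as a drop: the
    scanner doubles its send delay (assumed rule) and retries the port.
    Returns (elapsed_seconds, final_send_delay, delay_increases).
    """
    now = 0.0                # simulated clock, seconds
    next_icmp_allowed = 0.0  # earliest time the host may send another error
    delay = start_delay
    increases = 0

    for _ in range(ports):
        for _ in range(max_retries):
            now += delay
            if now >= next_icmp_allowed:
                # The limiter lets this error through; the port is confirmed
                # closed and the limiter's window restarts.
                next_icmp_allowed = now + icmp_interval
                break
            # Error suppressed by the rate limiter: looks like packet loss.
            delay *= 2
            increases += 1
        else:
            raise RuntimeError("port never answered within max_retries")
    return now, delay, increases


if __name__ == "__main__":
    # Constructed scenario using the figures from the post: 1500 ports,
    # one ICMP error every two seconds, scanner starting at 0.125 s.
    limited = simulate_scan(1500, icmp_interval=2.0, start_delay=0.125)
    unlimited = simulate_scan(1500, icmp_interval=0.0, start_delay=0.125)
    print("rate-limited host: %.1f s, final delay %.3f s, %d increases" % limited)
    print("no rate limiting:  %.1f s, final delay %.3f s, %d increases" % unlimited)
```

In this model the send delay settles at the limiter's interval after a handful of increases, and the total time is set by the host's limit rather than by the scanner's starting speed.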