Nmap Development mailing list archives
[patch] nmap-3.78: defeat ICMP rate limit, max_retransmissions and others
From: Martin Mačok <martin.macok () underground cz>
Date: Tue, 21 Dec 2004 16:13:25 +0100
I have attached 4 patches against nmap-3.78:

nmap-3.78-cosmetics.patch
- various cosmetic fixes, no need to comment

nmap-3.78-defeat_ICMP_ratelimit.patch
- basically, it avoids adjusting host timing variables (RTT & # of retransmissions) for ICMP DU in those scantypes that don't need to catch them all anyway. The reason for this is that ICMP DU could be rate-limited (which is recommended by RFC1812 and common in the wild, e.g. iptables -j REJECT). Without this patch, scanning through REJECT firewalls is MUCH slower than against firewalls with DROP policy (!). (Note, -sT is still much slower in those cases, see the last patch too)
- this is an updated version of the patch discussed in the "nmap-3.55 faster than nmap-3.7x" thread, but should save some CPU cycles and make the code more readable too (I have tested all of -sSUFX this time, seems to be working for me now)

nmap-3.78-option-max_retransmissions.patch
- this lowers maximum retransmissions (12->9) by default and limits them even harder for -T4 (->4) and -T5 (->2). In other words, nmap now does not send more than 10 probes to a single port by default.
- this is also configurable through --max_retransmissions
- updated since previous: lowest value is 1 because the "excessive drops -> BoostScanDelay" mechanism does not seem to work well with 0 retransmissions. (TODO?)
- TODO: make it into the manpage

nmap-3.78-CONNECT-closedfiltered.patch
- Change "closed" in -sT to "connect|filtered" because connect() raises ECONNREFUSED not just for RST but for ICMP DU/PU too. This way it is consistent with other types of scan (like -sS)
- This raises a question: Shouldn't we try to differentiate "drop" (no response) versus "reject" (ICMP DU) instead of making both "filtered"? Maybe an option to specify if the old "filtered" is enough or nmap should try to get "dropped" or "rejected" (which would be slower, see defeat_ICMP_ratelimit.patch)? This way, -sT would return "closed|rejected" instead of "closed|filtered", which sounds better to me ...

I'm interested in all comments. Thank you.

Martin Mačok
IT Security Consultant
Attachments:
- nmap-3.78-CONNECT-closedfiltered.patch
- nmap-3.78-cosmetics.patch
- nmap-3.78-defeat_ICMP_ratelimit.patch
- nmap-3.78-option-max_retransmissions.patch