what trickery can nmap take 20 hours to scan 1 host!!

[Hari Sekhon <hpsekhon () googlemail com>]

I have run nmap against a host who was trying to do something funny to 
one of my machines

nmap -sS -P0 -O x.x.x.x -p-

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-19 15:08 BST
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN 
Stealth Scan
SYN Stealth Scan Timing: About 0.29% done
Stats: 4:21:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN 
Stealth Scan
SYN Stealth Scan Timing: About 11.75% done; ETC: 07:45 (14:39:55 remaining)
caught SIGINT signal, cleaning up

I have run tarpits and but here I am running a SYN scan so it's 
shouldn't catch it.
If I scan a host that doesn't exist on my local subnet like

 nmap -sS -P0 -O 192.168.x.x -p-

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-19 18:22 BST
Nmap finished: 1 IP address (0 hosts up) scanned in 0.317 seconds

So it doesn't have any problem when the host doesn't respond, and if I 
have a tarpit, the ACK from the SYN scan is all it cares about and 
immediately moves on (I can scan 65535 ports on a tarpitted host in SYN 
mode instantly). So in a SYN scan, tarpit tricks don't work to make the 
originator keep retrying, so what is up with this remote host?

What can make nmap hang so badly that it would take nearly 20 hours to 
scan all the ports?
This must be some counter scan technology or something.

-h

-- 
Hari Sekhon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org