Nmap Development mailing list archives

Re: Qscan in NSE: qscan.nse


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 9 Apr 2010 01:26:58 +0000


On Thu, 8 Apr 2010 23:51:08 +0000
Brandon Enright <bmenrigh () ucsd edu> wrote:
[...]

QScan currently sends slowly and measures latency carefully one at a
time.  What if, instead, it just blasted a constant stream of probes at
many ports at once and used statistics of large numbers rather than
"being careful" to factor out measurement jitter to classify ports?

If the stddev is large then a larger N counteracts that.  We could
probably blast a large N worth of packets at ports much faster and get
just as good (if not better) a confidence interval than we currently
do by going slow to keep N small and the stddev small.

I guess what I'm saying is, if we send 10 probes carefully we get one
confidence interval.  If we send 100 probes very fast we get another.
I *think* 100 will trump 10 even if the 100 are sent in less time than
the 10.


Put more concretely, a normal confidence interval is:

{mu - z[a/2] * (sigma/sqrt(n)), mu + z[a/2] * (sigma/sqrt(n))}

Since mu and z[a/2] are the same on both sides for a given port and
confidence interval, what matters is the sigma/sqrt(n).

If that term increases the interval increases and vice versa.

So, if we go from n = 10 to n = 100, sigma can increase by 3.1x.  We
also wouldn't need to bother with a t-dist with a larger n.

So the question then becomes:

Can we send 100+ probes quickly to many ports in parallel much
faster than the time it currently takes us to send 10 probes serially
while not increasing our measured stddev more than 3.1x?  I think the
answer is yes.  I think the time needed is quite a bit less too.

If this idea is worth considering we need to take data to see what
happens to the stddev when qscanning quickly.

Doug, I'm interested in your thoughts.  Feel free to tell me why I'm
being stupid :-)

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
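To make the sigma/sqrt(n) trade-off in the mail concrete, here is an added example (not code from the original message or from qscan.nse) that computes the interval half-width z * sigma / sqrt(n) for a careful 10-probe run and a fast 100-probe run with three times the jitter. The latency samples are constructed Gaussian values standing in for real probe timings, and the "3.1x" figure is shown to be sqrt(100/10).

```python
"""Confidence-interval arithmetic behind the 'blast many probes' idea.

Added example, not part of the original mail or of qscan.nse.  The
latency samples are constructed, not real qscan measurements.
"""
import math
import random
from statistics import stdev

Z_95 = 1.959964  # z[a/2] for a 95% interval (a = 0.05)


def ci_half_width(samples, z=Z_95):
    """z * sigma / sqrt(n): half the width of {mu - ..., mu + ...}."""
    return z * stdev(samples) / math.sqrt(len(samples))


def allowed_sigma_growth(n_old, n_new):
    """Factor by which sigma may grow when moving from n_old to n_new probes
    before the interval gets wider: sigma/sqrt(n) is unchanged when sigma
    scales by sqrt(n_new / n_old).  For 10 -> 100 that is sqrt(10) ~ 3.16,
    the '3.1x' in the mail."""
    return math.sqrt(n_new / n_old)


def constructed_latencies(n, mu_ms, sigma_ms, seed):
    """Constructed Gaussian RTT samples (ms) standing in for probe timings."""
    rng = random.Random(seed)
    return [rng.gauss(mu_ms, sigma_ms) for _ in range(n)]


def compare(n_slow=10, n_fast=100, sigma_slow=1.0, jitter=3.0, mu=20.0):
    """Half-widths for the careful (slow, low-jitter) and blasted (fast,
    high-jitter) strategies on one port.  'expected' is the ratio from the
    population sigmas; 'ratio' is what the sampled data actually gives."""
    slow = constructed_latencies(n_slow, mu, sigma_slow, seed=1)
    fast = constructed_latencies(n_fast, mu, sigma_slow * jitter, seed=2)
    hw_slow, hw_fast = ci_half_width(slow), ci_half_width(fast)
    expected = (sigma_slow * jitter / math.sqrt(n_fast)) / (
        sigma_slow / math.sqrt(n_slow))
    return {"slow": hw_slow, "fast": hw_fast,
            "ratio": hw_fast / hw_slow, "expected": expected}


if __name__ == "__main__":
    r = compare()
    print(f"10 careful probes:            +/- {r['slow']:.3f} ms")
    print(f"100 fast probes (3x jitter):  +/- {r['fast']:.3f} ms")
    print(f"fast/slow width ratio: {r['ratio']:.2f} "
          f"(population value {r['expected']:.2f} = 3/sqrt(10))")
```

A ratio below 1 means the fast run produced the tighter interval; the sampled ratio scatters around 3/sqrt(10) because a 10-sample standard deviation is itself noisy, which is the data-gathering step the mail asks for.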
