Nmap Development mailing list archives
Re: Qscan in NSE: qscan.nse
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 9 Apr 2010 01:26:58 +0000
On Thu, 8 Apr 2010 23:51:08 +0000 Brandon Enright <bmenrigh () ucsd edu> wrote: [...]
QScan currently sends slowly and measures latency carefully one at a time. What if, instead, it just blasted a constant stream of probes at many ports at once and used statistics of large numbers rather than "being careful" to factor out measurement jitter to classify ports? If the stddev is large then a larger N counteracts that. We could probably blast a large N worth of packets at ports much faster and get just as good (if not better) a confidence interval than we currently do by going slow to keep N small and the stddev small. I guess what I'm saying is, if we send 10 probes carefully we get one confidence interval. If we send 100 probes very fast we get another. I *think* 100 will trump 10 even if the 100 are sent in less time than the 10.
Put more concretely, a normal confidence interval is:

{mu - z[a/2] * (sigma/sqrt(n)), mu + z[a/2] * (sigma/sqrt(n))}

Since mu and z[a/2] are the same on both sides for a given port and confidence interval, what matters is the sigma/sqrt(n). If that term increases, the interval increases and vice versa.

So, if we go from n = 10 to n = 100, sigma can increase by 3.1x. We also wouldn't need to bother with a t-dist with a larger n.

So the question then becomes: Can we send 100+ probes quickly to many ports in parallel much faster than the time it currently takes us to send 10 probes serially while not increasing our measured stddev more than 3.1x?

I think the answer is yes. I think the time needed is quite a bit less too.

If this idea is worth considering we need to take data to see what happens to the stddev when qscanning quickly.

Doug, I'm interested in your thoughts. Feel free to tell me why I'm being stupid :-)

Brandon
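The trade-off proposed in this message can be checked numerically. The following is an added example, not part of the original post or of qscan.nse: it simulates two ports whose true mean round-trip times differ by 1 ms and counts how often their confidence intervals fail to overlap, for 10 careful probes versus 100 fast probes with inflated jitter. Gaussian jitter, the 20 ms base RTT, the sigma values and all function names are assumptions made for illustration.

```python
import math
import random
import statistics

Z_95 = statistics.NormalDist().inv_cdf(0.975)  # ~1.96, fine for large n
T_95_DF9 = 2.262  # Student-t critical value for n = 10 (9 degrees of freedom)


def break_even_sigma_ratio(n_slow, n_fast):
    """How much sigma may grow before sigma/sqrt(n) stops shrinking."""
    return math.sqrt(n_fast / n_slow)


def interval(samples, crit):
    """Confidence interval (low, high) for the mean of the RTT samples."""
    mean = statistics.fmean(samples)
    half = crit * statistics.stdev(samples) / math.sqrt(len(samples))
    return mean - half, mean + half


def separation_rate(n, sigma, crit, delta=1.0, base=20.0, trials=2000, seed=1):
    """Fraction of trials in which two ports whose true mean RTTs differ by
    `delta` ms end up with non-overlapping intervals (i.e. are told apart)."""
    rng = random.Random(seed)  # fixed seed: constructed, repeatable data
    separated = 0
    for _ in range(trials):
        a = interval([rng.gauss(base, sigma) for _ in range(n)], crit)
        b = interval([rng.gauss(base + delta, sigma) for _ in range(n)], crit)
        if a[1] < b[0] or b[1] < a[0]:
            separated += 1
    return separated / trials


if __name__ == "__main__":
    print(f"break-even sigma growth, n 10 -> 100: "
          f"{break_even_sigma_ratio(10, 100):.2f}x")
    print(f"careful, n=10,  sigma=1 ms: {separation_rate(10, 1.0, T_95_DF9):.2f}")
    for growth in (2.0, 3.0, 5.0):
        rate = separation_rate(100, growth, Z_95)
        print(f"fast,    n=100, sigma={growth:.0f} ms: {rate:.2f}")
```

Because the n = 10 case has to use the wider t critical value, the fast scan can tolerate slightly more jitter growth than sqrt(10) before it loses; whether real probe jitter stays under that bound is the measurement the message asks for.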