Re: nse crypto

[David Fifield <david () bamsoftware com>]

On Tue, Mar 15, 2011 at 01:31:21AM +0200, Toni Ruottu wrote:
> On 15 Mar 2011 00:04, "David Fifield" <david () bamsoftware com> wrote:
> > On Sun, Mar 13, 2011 at 10:15:43PM +0200, Toni Ruottu wrote:
> > > Do we conclude that we need to do performance testing on the nping
> > > server to see how well it performs in regular cases? And then we may
> > > or may not find the reason why the brute force script is so slow.
> >
> > It can be traced to these lines in EchoServer.cc:
> >
> > /* Start the nsock loop. This never returns. Server quits on CTRL-C */
> > nsock_timer_create(nsp, empty_handler, 1000, NULL);
> > loopret=nsock_loop(nsp, 1000);
> >
> > Though the comment says it never returns, this actually runs once a
> > second. Only one connection is accepted per time that this code runs.
> > Reducing the nsock_loop value to 200 allows 5 password guesses per
> > second, for example.
>
> What amount should we target. A high value might be good for protecting
> against brute force password cracking, but does it also hinder performance
> in regular use?

I'm not suggesting that we change the nsock_loop timeout. My guess is
that the way it works now is unintentional (because the comment doesn't
match the code), but the fact that it only allows one password guess per
second could be regarded as a feature. It does mean that when connecting
normally, you could be delayed up to a second.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/