Re: [NSE] external category anticipated load

[John Bond <john.r.bond () gmail com>]

On 21 April 2012 10:32, Fyodor <fyodor () insecure org> wrote:
> On Wed, Apr 18, 2012 at 11:50:57AM +0200, John Bond wrote:
> > I am have written a script which makes use of an external service.
> > The script would be a replacement/compliment to asn-query, targets-asn
> > and whois.  however there is  worry that the increased load would take
> > down the service.  in an effort to try and gauge this i wanted to ask
> > if there is anyone here who would be able to give a good estimate of
> > the number of requests one should expect to see from a script placed
> > in the safe, external and discovery category.
>
> Hi John.  It would certainly be interesting data, but we don't run any
> of the 'external' services ourselves and so we don't have it.  You
> could try asking the providers of some of the other 'external'
> scripts.
>
> I doubt the load will be all that high, but it could be material if
> the service requires a lot of resources per lookup to fulfill it's
> function.  Also, if the service is getting overloaded by queries from
> Nmap and they aren't happy about it, we could remove the script from
> future versions of Nmap and move it to our "script vault".  I imagine
> that those scripts only get a tiny fraction of the usage seen by the
> ones which ship with Nmap.
>
> > Another concern raised by the service provider was that they would
> > have a record of everyone nmap user that used there service (i.e. web
> > logs).  Is this a genuine worry, has it come up before for other
> > external services?
>
> That is definitely a concern, and it is why we require that scripts
> like this be in the "external" category.  That way, if folks want to
> avoid this information leak, they can do thing like "--script
> 'discovery and not external'".  In most cases, I think the privacy
> risk is mild compared to much of our other common Internet activity.
> But for particularly sensitive scans, it might matter.
>
> > Finally the service provider would want to include, in the output, a
> > line stating that the results were provided by them.  Would this be
> > acceptable?
>
> We wouldn't want advertising, but it's possible that this could be
> structured so that it meets the company's goals and is actually useful
> to Nmap users too.  After all, it is often important to know the
> source of your data.  Of course we always include the data source in
> the NSEDoc information.  Mentioning the data source in the output,
> especially if it only takes an extra word or two, might be reasonable.
> Also, for some scripts, the name of the data source is included in the
> NSE script name itself.
>
> Of course, to evaluate a new script like this, we'd have to see what
> benefits it offers over the existing asn-query, targets-asn, and
> whois.
Thanks for the feedback
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/