Nmap Development mailing list archives

Re: [Branch] --ignore-after


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 17 Sep 2014 10:05:06 -0500

On Mon, Aug 18, 2014 at 7:30 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:

On Sunday 17 August 2014 11:41 AM, Fyodor wrote:
Here it is only 3 days later and I'm already second guessing myself
:).  I'm starting to think that "50%,80" would be better for -T4.
That way, for -F, we'd only ignore if at least 80 ports were open.
And for a default (1,000 port) scan, we'd only skip if 500 or more
were open.  I think 500 open ports out of 1,000 is not a normal system
and doing version detection and NSE against all those will likely
waste a lot of time.

For -T5, maybe a "40%,60" threshold would be good.

Right now, in the nmap-exp branch, -T4 gives "90%,90" and -T5 gives
"80%,80".  This means, even with -T5, an all-ports scan ("-p-") would
require 52,428 open ports before bailing.  With "40%,60", we could
quit sooner--after 26,214 open ports found.  And for a default (ports)
scan, we could move on after 400 open instead of waiting for 800.

Cheers,
Fyodor

I've been confused about the constants ever since I initially put them
in. Over time, I've been wanting to keep reducing the constants.

I think that the only way we are going to be able to decide on good
values is if we can decide upon what is the "normal" number of open
ports and what is not.

For the min open ports (the num part of "per%,num"), I think that 80 for
-T4 and 60 for -T5 makes sense. However, I'd suggest dropping the
percentage part even further.

For a default scan (1000 port), more than 100 open ports is not "normal"
IMHO. When we go into an all-ports scan, waiting even until 26,214
seems unneeded too. I've yet to come across a "normal" system with more than
50 open ports. However, people who've been using Nmap for longer than I
have might be able to give a better insight into this.

Currently, I propose -T4 = "10%,80", -T5 = "5%,60"
This would work this way:

Scan type              Ports scanned   Ignore after (-T4)   Ignore after (-T5)
Fast scan "-F"                   100                   80                   60
Default scan                   1,000                  100                   60
All port scan "-p-"           65,535                6,554                3,277


What do you all think?

Cheers,
Jay


I'm just now realizing that an idea I had early on got dropped. I think it
might solve a bit of this problem, so I'll elaborate again:

First, consider the problem of the -p- scan (or any other large scan). With
a default -T5 of 10%,60 (numbers don't matter at this point, but this is a
likely starting place), your algorithm would need to scan 6554 open ports
before it decided to bail on the scan. That's a lot of wasted effort, and
that's why you are suggesting lower and lower percentage values (we started
with 80% and 90%, if you remember).

Instead, I propose that the percentage calculation be done over the *number
of ports scanned so far* as opposed to the *total number of ports intended
to be scanned*. This would probably require an extra variable to be kept
around for each host, but that's negligible. This would allow a default
like 90%,90 to scan at minimum 90 ports regardless of scan size. What
happens on a host that reports every port as open is this: as soon as the
90th port is found open, the percentage calculation is done. 90/90 ports
are open, which is 100% > 90%, so the host is ignored. The purpose of
setting a percentage less than 100% is to allow for some dropped packets at
the higher timing levels.

I believe this method would allow for earlier ignoring while still keeping
with the spirit of detecting portspoof hosts. It also simplifies the
discussion of defaults; no matter how many ports are scanned, the ignore
decision gets made at the same point in the scan (immediately after the n+1
port is scanned).

We would need to decide what it means when a user does --ignore-after 50 (I
think this would be the same as 50,0%; that is, 50 open ports regardless of
how many closed/filtered ports) or --ignore-after 70% (probably the same as
70%,.7*total_ports; this is equivalent to -F --ignore-after 70%,70 or -p-
--ignore-after 70%,45875 for the default scan).

Thoughts?

Dan
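The two threshold rules compared in this thread, the current percentage-over-total-ports rule and Dan's percentage-over-ports-scanned-so-far proposal, as an added Python model that is not Nmap's own code. The spec parser follows Dan's suggested reading of a bare "50" and a bare "70%", and the port result streams in the test are constructed, not real scan output.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IgnoreAfter:
    """An --ignore-after threshold in the "per%,num" form from the thread."""
    percent: int   # minimum share of open ports, 0..100
    min_open: int  # minimum absolute number of open ports


def parse_ignore_after(spec: str, total_ports: int) -> IgnoreAfter:
    """Parse "per%,num", a bare "num" (read as num,0%) or a bare "per%"
    (read as per%, ceil(per/100 * total_ports)), as Dan proposed."""
    if "," in spec:
        pct, num = spec.split(",", 1)
        return IgnoreAfter(int(pct.rstrip("%")), int(num))
    if spec.endswith("%"):
        pct = int(spec[:-1])
        return IgnoreAfter(pct, -(-pct * total_ports // 100))  # integer ceil
    return IgnoreAfter(0, int(spec))


def ignore_point_total(t: IgnoreAfter, results: Iterable[bool],
                       total_ports: int) -> Optional[int]:
    """Current nmap-exp rule: percentage taken over the total number of
    ports the scan intends to probe. Returns the 1-based position of the
    port result at which the host would be ignored, or None."""
    open_seen = 0
    for i, is_open in enumerate(results, start=1):
        open_seen += is_open
        if open_seen >= t.min_open and open_seen * 100 >= t.percent * total_ports:
            return i
    return None


def ignore_point_so_far(t: IgnoreAfter, results: Iterable[bool]) -> Optional[int]:
    """Dan's proposal: percentage taken over the ports scanned so far, so the
    decision point no longer depends on how many ports the scan covers."""
    open_seen = 0
    for i, is_open in enumerate(results, start=1):
        open_seen += is_open
        if open_seen >= t.min_open and open_seen * 100 >= t.percent * i:
            return i
    return None
```

On an all-open host, a -p- scan is ignored after 6,554 results under "10%,60" over the total, but after 90 results under "90%,90" over ports scanned so far; a host that drops every tenth probe still trips the latter at result 99.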
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/