Nmap Development mailing list archives

Re: Pull Request: Host Discovery: Ignore TCP RST #1616


From: Gordon Fyodor Lyon <fyodor () nmap org>
Date: Mon, 10 Jun 2019 12:19:23 -0700

On Mon, Jun 3, 2019 at 8:24 AM Tom Sellers <nmap () fadedcode net> wrote:

All,
   Since not everyone checks GitHub PRs I'm CCing this PR to the list.


Hi Tom.  Thanks for the patch!  My only concern is whether TCP host
discovery probes still provide much value if you are ignoring the RST
responses.  By default we use an ACK for TCP host discovery and that almost
always relies on RST packets to find up hosts.  Maybe there are some corner
cases like certain ICMP responses straight from the host that we might
still use to consider it up, but I think that's pretty rare.  Of course you
could also choose SYN host discovery (like in the scanme example you gave)
and if the discovery port is actually open you would get a SYN|ACK.  But
still, an RST is still the most common way that SYN host discovery finds
available hosts.

Since I imagine you folks wrote this for a specific use case, maybe you can
check whether your use case can be met roughly as well by just skipping TCP
host discovery for these types of scans and just using ICMP and/or UDP
probes?  That way you aren't spending time sending probes and then almost
always ignoring the responses.  Or maybe, given the behavior of the network
you are scanning, you still do want to send the probes?  In this case are
you sending SYN probes or other TCP probes, and what non-RST responses are
you hoping to catch?

If we do put in this option, it will have to be documented in the man page
and we should probably note there that omitting the TCP discovery probes is
often a better approach than ignoring most of the responses.

Thanks!
-Fyodor
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
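As an added example (not part of this thread and not Nmap's own code), a short script that reads a scan's own -oX output and reports how many hosts were marked up only because of a TCP RST reply, which is the trade-off the message above describes; the XML sample is constructed and the reason strings ("reset", "syn-ack", "echo-reply") are the ones Nmap writes in its status element.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of Nmap XML (-oX) output for a ping scan; not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -PS22 -PE 192.0.2.0/29">
  <host><status state="up" reason="reset" reason_ttl="63"/>
    <address addr="192.0.2.1" addrtype="ipv4"/></host>
  <host><status state="up" reason="syn-ack" reason_ttl="63"/>
    <address addr="192.0.2.2" addrtype="ipv4"/></host>
  <host><status state="up" reason="echo-reply" reason_ttl="63"/>
    <address addr="192.0.2.3" addrtype="ipv4"/></host>
  <host><status state="up" reason="reset" reason_ttl="128"/>
    <address addr="192.0.2.4" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response" reason_ttl="0"/>
    <address addr="192.0.2.5" addrtype="ipv4"/></host>
</nmaprun>
"""


def up_reasons(xml_text):
    """Map each host Nmap marked 'up' to the reason it recorded for that verdict."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address").get("addr")
        if status.get("state") == "up":
            result[addr] = status.get("reason")
    return result


def reason_summary(xml_text):
    """Count up-hosts by reason and list those whose only evidence was a TCP RST.

    If most hosts show up here as 'reset', ignoring RSTs would have left
    them undiscovered; dropping the TCP probes instead (ICMP/UDP only)
    avoids sending traffic whose replies would be discarded anyway.
    """
    reasons = up_reasons(xml_text)
    counts = Counter(reasons.values())
    rst_only = sorted(a for a, r in reasons.items() if r == "reset")
    return counts, rst_only


if __name__ == "__main__":
    counts, rst_only = reason_summary(SAMPLE_XML)
    for reason, n in counts.most_common():
        print(f"{reason:12} {n}")
    print("hosts found only via RST:", ", ".join(rst_only))
```

Run it against a real `nmap -sn ... -oX scan.xml` file by reading that file into `reason_summary` instead of the constructed sample.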
