Nmap Announce mailing list archives

Re: Nmap and xlogmaster


From: HD Moore <hdmoore () usa net>
Date: Thu, 28 Jan 1999 23:03:00 -0600

I have been playing with scripts that scan incoming hosts as they
connect and finally decided it is just a bad idea.  Synflooding the host
using a script like this could launch thousands of copies of nmap and
make the machine come to a screeching halt.  My latest attempt at this
resulted in a system load of >45 the second I synflooded localhost to a
listening port. A slightly more sane way to go about this is just run a
couple simple checks on the host versus a full-fledged portscan with
nmap.  A setup that works decently is creating lockfiles for each
incoming host's IP address, which would stop the same hosts (or
'unknown') from being scanned repeatedly.  A cron script that removes
these files after a certain interval (a day or so) would supplement
this.  Even if you are getting synflooded or scanned the script would
only try to scan back if the 'unknown' lockfile didn't already exist,
keeping your system from eating itself.  The setup I am currently using
does the usual safe_finger check, an RPC check, and finally a NetBIOS
table dump for each incoming host, using the lockfile method for
stopping repeated scans of the same host. Anyways, just some things I
found from experience.


HD
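
The lockfile gate described in the message above, sketched as an added example that is not part of the original post or the author's script. The names `LOCKDIR`, `LOCK_TTL_MIN`, `lock_name`, `try_lock`, `expire_locks` and `on_connect` are assumptions, and the per-host checks are left as a placeholder `echo`.

```shell
#!/bin/sh
# Added example: one lockfile per source address, so a connection flood
# cannot fan out into one check process per incoming packet.
LOCKDIR="${LOCKDIR:-${TMPDIR:-/tmp}/hostcheck-locks}"   # assumed location
LOCK_TTL_MIN="${LOCK_TTL_MIN:-1440}"                    # "a day or so"

# Map a peer address to a lockfile name. Anything that is not shaped like
# a dotted quad (empty, unresolved, or containing path characters) shares
# the single 'unknown' lock. Shape check only; octet ranges are not tested.
lock_name() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) echo unknown ;;
        *.*.*.*) echo "$1" ;;
        *) echo unknown ;;
    esac
}

# Succeeds only for the first caller per host. noclobber (set -C) makes
# the create fail if the file exists, so concurrent connections from the
# same source cannot both win the race.
try_lock() {
    mkdir -p "$LOCKDIR" || return 1
    ( set -C; : > "$LOCKDIR/$(lock_name "$1")" ) 2>/dev/null
}

# Body of the cron job: drop locks older than the TTL so a host can be
# checked again after the interval.
expire_locks() {
    [ -d "$LOCKDIR" ] || return 0
    find "$LOCKDIR" -type f -mmin +"$LOCK_TTL_MIN" -exec rm -f {} +
}

# Hypothetical hook, called once per incoming connection with the peer
# address. The echo stands in for the handful of light checks.
on_connect() {
    if try_lock "$1"; then
        echo "check $(lock_name "$1")"
    else
        echo "skip $(lock_name "$1")"
    fi
}
```

Running `expire_locks` from cron at an interval shorter than the TTL keeps the lock directory from growing without bound.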

