Nmap Announce mailing list archives
Re: Nmap and xlogmaster
From: HD Moore <hdmoore () usa net>
Date: Thu, 28 Jan 1999 23:03:00 -0600
I have been playing with scripts that scan incoming hosts as they connect and finally decided it is just a bad idea. Synflooding the host using a script like this could launch thousands of copies of nmap and make the machine come to a screeching halt. My latest attempt at this resulted in a system load of >45 the second I synflooded localhost to a listening port.

A slightly more sane way to go about this is just run a couple simple checks on the host versus a full-fledged portscan with nmap. A setup that works decently is creating lockfiles for each incoming host's IP address, which would stop the same hosts (or 'unknown') from being scanned repeatedly. A cron script that removes these files after a certain interval (a day or so) would supplement this. Even if you are getting synflooded or scanned the script would only try to scan back if the 'unknown' lockfile didn't already exist, keeping your system from eating itself.

The setup I am currently using does the usual safe_finger check, an RPC check, and finally a NetBIOS table dump for each incoming host, using the lockfile method for stopping repeated scans of the same host.

Anyways, just some things I found from experience.

HD
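The lockfile throttle described in the message above, as an added example that is not part of the original post. The lock directory, the function names, the `run_checks` handler named in the comments, and the one-day expiry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-source lockfiles so a connection-triggered check
# script runs at most once per host per interval, even under a flood.
LOCKDIR="${LOCKDIR:-/tmp/hostcheck-locks}"   # assumed location

# Map a logged source to a safe lockfile name. Input comes from the
# network, so anything that is not shaped like a dotted-quad IPv4
# address (spoofed, unresolved, "../" tricks) shares the single
# 'unknown' lock instead of becoming a path component.
lock_name() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) echo unknown ;;
        *.*.*.*.*)               echo unknown ;;
        *.*.*.*)                 echo "$1" ;;
        *)                       echo unknown ;;
    esac
}

# claim_host SRC: returns 0 if this caller created the lock (go ahead
# and run the checks), 1 if a lock already exists (skip this source).
claim_host() {
    mkdir -p "$LOCKDIR" || return 2
    name=$(lock_name "$1")
    # noclobber makes the redirect fail if the file already exists, so
    # of many concurrent invocations for one source only one succeeds.
    ( set -C; : > "$LOCKDIR/$name" ) 2>/dev/null || return 1
}

# expire_locks MINUTES: remove locks older than MINUTES. Meant to be run
# from cron, e.g. hourly with 1440 for the "a day or so" interval.
expire_locks() {
    find "$LOCKDIR" -type f -mmin "+$1" -exec rm -f {} +
}

# Typical use from the trigger script (run_checks is hypothetical):
#   claim_host "$SRC" && run_checks "$SRC"
```

Because every unparseable source collapses into one `unknown` lock, a flood of spoofed or malformed sources costs one check per interval rather than one process per packet.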