Nmap Announce mailing list archives

Re: distributed nmap?


From: "Frasnelli, Dan" <dfrasnel () corewar com>
Date: Sun, 19 Mar 2000 16:05:55 -0800 (PST)


That sounds like a great idea, but it could backfire on Fyodor.
The distributed method sounds a lot like the DDoS tools that have
gotten so much publicity.  Many people who do not understand nmap
may consider this new feature a threat.

Done properly, it would not have to appear as such.  
For example.. a common tactic I use when probing a network 
is to open a few xterms with sessions on 3-4 boxes not in
the same netblock.  Each host has an nmap session queued up; 
each session has only a couple ports to scan.  

So on one, I might have 'nmap -sS -P0 -p 22,79 [ip]', 
the other might have 'nmap -sS -P0 -p 113,139 [ip]', etc. which 
are cron'd to run an hour or more apart.  Most NIDS do not offer 
trend analysis over that timespan (and with a major service
provider with thousands of hits per second, this is impractical),
so the scan slips under the wire.  

Covert network discovery is largely a directed search - scans are done
for a limited set of services.  Script kiddies or someone doing a 
complete audit tend to scan the full range of ports.. more detectable
and, depending on the number of hosts involved, a 'distributed attack'.
A slick distributed method could be useful.. but the implications of 
being like a DDoS depend on the operator.
--
Dan Frasnelli
Security analyst
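[Editor's worked example, not part of the post above and not code from the nmap project. It models the tactic Dan describes: a port list split two ports per job, round-robined over several source hosts, and scheduled an hour apart via cron. It then feeds the resulting connections into a toy scan detector to show the two separate effects: keying on source (the usual NIDS portscan design) never sees more than two ports from any one host, and keying on destination only catches the pieces if the correlation window spans the full schedule. Assumptions: the target 192.0.2.10 is a documentation address, the log events are constructed, the detector is a deliberately simple sliding-window counter, and the commands use -Pn, which is the current nmap spelling of the -P0 (skip host discovery) used in the post.]

```python
"""Split one scan across source hosts and hours, then test how a simple
sliding-window scan detector sees it.  Editor's added example; the
detector, the hosts and the log events are all constructed here."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ScanJob:
    source: str            # host the nmap session runs from (assumed name)
    hour: int              # hour offset from the first job
    ports: Tuple[int, ...]  # the few ports this job is responsible for

    def command(self, target: str) -> str:
        # -Pn is the modern spelling of -P0: do not ping, just scan.
        return f"nmap -sS -Pn -p {','.join(map(str, self.ports))} {target}"


def plan_scan(ports: Sequence[int], sources: Sequence[str],
              ports_per_job: int = 2, spacing_hours: int = 1) -> List[ScanJob]:
    """Chunk the port list, hand chunk n to source n mod len(sources),
    and stagger each chunk spacing_hours after the previous one."""
    jobs = []
    for n, start in enumerate(range(0, len(ports), ports_per_job)):
        chunk = tuple(ports[start:start + ports_per_job])
        jobs.append(ScanJob(sources[n % len(sources)], n * spacing_hours, chunk))
    return jobs


def crontab_lines(jobs: Sequence[ScanJob], target: str, start_hour: int = 2) -> List[str]:
    """One crontab entry per job: minute hour dom month dow command."""
    return [f"0 {(start_hour + j.hour) % 24} * * * {j.command(target)}" for j in jobs]


# ---- detector side -------------------------------------------------------

def to_events(jobs: Sequence[ScanJob], target: str) -> List[Tuple[int, str, str, int]]:
    """Constructed NIDS connection events: (time_s, src, dst, dport),
    as if each cron job fired exactly on the hour."""
    events = [(j.hour * 3600, j.source, target, p) for j in jobs for p in j.ports]
    return sorted(events)


def detect_scans(events: Sequence[Tuple[int, str, str, int]], window_seconds: int,
                 threshold: int, per_source: bool = False) -> List:
    """Alert when one key sees >= threshold distinct destination ports
    inside any window_seconds-long window.  per_source=True keys on
    (src, dst), the common NIDS portscan design; False keys on dst alone,
    i.e. a detector that correlates regardless of where probes come from."""
    groups: Dict = defaultdict(list)
    for t, src, dst, port in events:
        groups[(src, dst) if per_source else dst].append((t, port))
    alerts = []
    for key, evs in groups.items():
        evs.sort()
        for t0, _ in evs:                      # window starting at each event
            seen = {p for t, p in evs if t0 <= t < t0 + window_seconds}
            if len(seen) >= threshold:
                alerts.append(key)
                break
    return alerts


if __name__ == "__main__":
    target = "192.0.2.10"                      # documentation address
    jobs = plan_scan([22, 79, 113, 139, 25, 80], ["scanbox-a", "scanbox-b", "scanbox-c"])
    for line in crontab_lines(jobs, target):
        print(line)
    ev = to_events(jobs, target)
    print("10-minute window, keyed on dst :", detect_scans(ev, 600, 4))
    print("4-hour window, keyed on dst    :", detect_scans(ev, 4 * 3600, 4))
    print("24-hour window, keyed on src+dst:", detect_scans(ev, 24 * 3600, 4, per_source=True))
```

Running it prints three crontab entries an hour apart, then shows the detector outcome for each configuration: the 10-minute destination-keyed window and the source-keyed window both stay silent, while a destination-keyed window long enough to cover the whole schedule does raise an alert. That is the trade-off in the post: the operator pays in wall-clock time and in extra hosts, and the defender can only recover the picture by correlating across sources over hours, which on a busy network is expensive.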


