Nmap Development mailing list archives

Re: some nmap tools


From: MadHat <madhat () unspecific com>
Date: Sun, 7 Dec 2003 18:03:14 -0600

On Dec 7, 2003, at 8:04 AM, Bo Cato wrote:
> That's very interesting. 80k ethernet based machines to keep tabs on
> seems like a daunting task.

80K IPs assigned by ARIN and such. Of those, ~25% respond when probed with nmap.


> You said you do it from a single host. I don't know what your
> resources are obviously, but would it not be much more efficient to
> decentralize this? I would think that even if you only deployed your
> script / nmap solution to 3 more areas, the network congestion on the
> LAN (routers, switches, firewalls, etc.) you are centralized from would
> be significantly less, as well as cutting the scan time down. Of course
> you'd have to have a means to gather the reports and consolidate, but
> that's trivial. You may have all the bandwidth you need, but typically
> this is not the case. If you have the access to the resources to
> deploy a total of 4 scanning sites, one would think that 4 x 32 would
> be quicker and less network-intensive to any one path than 1 x 32. The
> key would be to make sure the scan sites don't overlap hops.

I was handed a box that was supposed to be doing this but not working too well. At the time I was not given any additional resources and was told to make do with what I had. I do have some goals to be able to scan from separate hosts. These IPs are actually spread across several data centers around the world, and eventually I will have a scanning host in each data center, but I had to prove that it was worth the time and money first.


> I'm curious as to how much additional load/congestion 32 parallelized
> (that a word?) scans place on your centralized scan point's LAN. If
> it's of any real significance I imagine you have scheduled the scan to
> begin and end during the least impactful 10-hour time frame... 9 PM -
> 7 AM for example, depending on what time is prime time for the LAN the
> scan is originating from.

I have the bandwidth and the box itself is not overly loaded by this. I was lucky enough to get the box upgraded recently to a 2.6GHz (I think) x86 with 1GB RAM. I am running FreeBSD (4.8) and it seems to hold up quite well. I was running on a <1GHz box with 512MB RAM and it was working OK, still taking about the same amount of time, which led me to believe the issue was more network constraints and less hardware, but who is going to turn down new hardware.

Because the boxes are spread all over the world, there isn't a best time to run it, so I just do it in the middle of the night for the scanning box.

I am also re-evaluating how I am doing some things after discussing it with Fyodor. Specifically, how I can get more out of nmap's process parallelization and not have to do so much myself.

I am also looking at how I store the data. As I mentioned before, I have looked at nmapsql, but the database design does not scale well for my needs, and if I am spreading the nmap processes out to multiple hosts anyway, I don't want them writing directly to the DB. The hosts will not have access to the core server, but the core server will have access to the scanning hosts. Also, the DB design, the last time I looked at it, did not allow for version scanning, and I plan on adding that very soon. I am presently tweaking the nmap-service-probes for my needs and environment.


> I'm sure you've discussed this with Fyodor already. I only mention it
> out of curiosity.
>
> -b

-------------------

Hello MadHat,

Saturday, December 6, 2003, 10:16:15 PM, you wrote:

M> I have the responsibility of monitoring a large number of IPs for
M> security issues. One of the most important things for me was to know
M> what was listening where and of course nmap is the only real solution.
M> The problem was that my boss wanted me to be able to generate a report
M> of how many new ports were opened in the last 24 hours, how many new
M> hosts in the past 24 hours, or even how many hosts we have live that
M> are Internet facing or web servers, etc...

-<snip>-
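The two things the thread circles around are (a) collecting nmap output from several scanning sites on a core server that pulls from the scanners (MadHat's Dec 7 reply), and (b) turning consecutive runs into the report his boss asked for in the Dec 6 message: new hosts, newly opened ports, live hosts, web servers. The following is an added example, not code from MadHat, Bo Cato or the nmap project. It parses nmap's `-oX` XML with the standard library, merges the per-site results, and diffs today's merged run against yesterday's. The three XML documents are constructed samples on the 192.0.2.0/24 documentation range, trimmed to the elements the parser reads; the function names, the choice to key hosts by IPv4 address only, and the port list used to classify "web servers" are all assumptions of the example.

```python
# Added example (not MadHat's or Bo Cato's code, nor part of nmap): merge the
# nmap XML each scanning site produced, then diff it against the previous run
# to answer "new hosts / new ports in the last 24 hours".
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

PortSet = Set[Tuple[str, int]]      # {("tcp", 22), ("udp", 161), ...}
ScanResult = Dict[str, PortSet]     # {ip: open ports}; ip present == host was up


def parse_nmap_xml(xml_text: str) -> ScanResult:
    """Extract hosts nmap reported 'up' and their open ports from -oX output.

    Hosts marked down are dropped; a host that is up with nothing open is kept
    with an empty set, so it still counts as live and still shows up in diffs.
    """
    result: ScanResult = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")   # skip MAC addresses
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = result.setdefault(addr.get("addr"), set())
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
    return result


def merge_scans(*scans: ScanResult) -> ScanResult:
    """Union the results pulled from several scanning hosts. A host seen by two
    sites gets the union of the open ports either one observed."""
    merged: ScanResult = {}
    for scan in scans:
        for ip, ports in scan.items():
            merged.setdefault(ip, set()).update(ports)
    return merged


def diff_scans(previous: ScanResult, current: ScanResult) -> dict:
    """Compare two runs. Ports on a brand-new host count as newly opened; ports
    of a host that disappeared are only reflected in gone_hosts."""
    new_ports: Dict[str, List[Tuple[str, int]]] = {}
    closed_ports: Dict[str, List[Tuple[str, int]]] = {}
    for ip, ports in current.items():
        before = previous.get(ip, set())
        if ports - before:
            new_ports[ip] = sorted(ports - before)
        if before - ports:
            closed_ports[ip] = sorted(before - ports)
    return {
        "new_hosts": sorted(set(current) - set(previous)),
        "gone_hosts": sorted(set(previous) - set(current)),
        "new_ports": new_ports,
        "closed_ports": closed_ports,
    }


def summarize(current: ScanResult, web_ports=(80, 443, 8080)) -> dict:
    """Live-host count and which live hosts look like web servers (assumed ports)."""
    web = [ip for ip, ports in sorted(current.items())
           if any(proto == "tcp" and p in web_ports for proto, p in ports)]
    return {"live_hosts": len(current), "web_servers": web}


# Constructed sample output, trimmed to what the parser reads (real nmap -oX
# output also carries an XML declaration, DOCTYPE and many more attributes).
YESTERDAY_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX - 192.0.2.0/24">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="25"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.30" addrtype="ipv4"/></host>
</nmaprun>"""

# Today's run, split across two scanning sites (constructed).
TODAY_SITE_A_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="25"><state state="closed"/></port></ports></host>
</nmaprun>"""

TODAY_SITE_B_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.30" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.40" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="3389"><state state="open"/></port></ports></host>
<host><status state="down"/><address addr="192.0.2.50" addrtype="ipv4"/></host>
</nmaprun>"""


def daily_report() -> dict:
    """Yesterday vs. today (merged from both sites): what a nightly job would mail out."""
    previous = parse_nmap_xml(YESTERDAY_XML)
    current = merge_scans(parse_nmap_xml(TODAY_SITE_A_XML),
                          parse_nmap_xml(TODAY_SITE_B_XML))
    return {"diff": diff_scans(previous, current), "summary": summarize(current)}


if __name__ == "__main__":
    for key, value in daily_report().items():
        print(key, value)
```

Two design points follow from the thread. Because the scanning hosts only write local XML files and the core server pulls them, the merge step is where the per-site outputs are reconciled, so a host reachable from two sites is unioned rather than double-counted. And a host that answers but has nothing open is kept as live with an empty port set; dropping it would make a box whose last service was just firewalled look like a "gone host" instead of a "closed port", which is a different thing to put in front of the boss. Adding `-sV` output is a matter of also reading each `<service>` element, which this example does not do.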



---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
