Nmap Development mailing list archives

[patch] nmap-3.78: defeat ICMP rate limit, max_retransmissions and others


From: Martin Mačok <martin.macok () underground cz>
Date: Tue, 21 Dec 2004 16:13:25 +0100

I have attached 4 patches against nmap-3.78:

nmap-3.78-cosmetics.patch
 - various cosmetic fixes, no need to comment

nmap-3.78-defeat_ICMP_ratelimit.patch
 - basically, it avoids adjusting host timing variables (RTT
   & # of retransmissions) for ICMP DU in those scantypes that don't
   need to catch them all anyway. The reason for this is that ICMP DU
   could be rate-limited (which is recommended by RFC1812 and common
   in the wild, e.g. iptables -j REJECT).
   Without this patch, scanning through REJECT firewalls is MUCH slower
   than against firewalls with DROP policy (!). (Note, -sT is still
   much slower in those cases, see the last patch too)
 - this is an updated version of the patch discussed in
   "nmap-3.55 faster than nmap-3.7x" thread, but should save
   some CPU cycles and make the code more readable too
   (I have tested all -sSUFX this time, seems working to me now)

nmap-3.78-option-max_retransmissions.patch
 - this lowers maximum retransmissions (12->9) by default and limits
   them even harder for -T4 (->4) and -T5 (->2). In other words, nmap
   now does not send more than 10 probes to a single port by default.
 - this is also configurable through --max_retransmissions
 - updated since previous: lowest value is 1 because "excessive drops ->
   BoostScanDelay" mechanism does not seem to work well with
   0 retransmissions. (TODO?)
 - TODO: add it to the manpage

nmap-3.78-CONNECT-closedfiltered.patch
 - Change "closed" in -sT to "connect|filtered" because connect()
   raises ECONNREFUSED not just for RST but for ICMP DU/PU too. This
   way it is consistent with other types of scan (like -sS)
 - This raises a question:
   Shouldn't we try to differentiate "drop" (no response) versus
   "reject" (ICMP DU) instead of making it both "filtered"?
   Maybe an option to specify if the old "filtered" is enough or nmap
   should try to get "dropped" or "rejected" (which would be slower,
   see defeat_ICMP_ratelimit.patch)?
   This way, -sT would return "closed|rejected" instead of
   "closed|filtered" which sounds better to me ...

I'm interested in all comments. Thank you.
   
Martin Mačok
IT Security Consultant

Attachments:
 - nmap-3.78-CONNECT-closedfiltered.patch
 - nmap-3.78-cosmetics.patch
 - nmap-3.78-defeat_ICMP_ratelimit.patch
 - nmap-3.78-option-max_retransmissions.patch
