Nmap Development mailing list archives

solaris rate-limiting RST,ACK (SYN scan)


From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 19 Jan 2005 11:43:21 +0100

Today, I have come across a Solaris 9 box which rate-limits RST,ACK
packets (response to SYN probe against closed port). SYN,ACK packets
are NOT rate-limited. The box should be in default setup (no firewall,
no special tuning).

This leads to very slow port scanning even on a local network (though
limiting retransmissions and max scan delay helps a bit but leads to
many closed ports/other filtered in the result).

My idea to fix this is implementing an optional SYN scan variant that
(1) does not distinguish between closed and filtered ports and (2) does
not change timing/retrans values when (not) getting RST,ACK (late or
if ever). I.e. it would just catch open ports and report others as
"closed|filtered". Something like "-sS --find_open_ports_only" ...

Any comments?

Martin Mačok
ICT Security Consultant

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
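
A toy offline model of the behaviour described in this message, added here as an illustration; it is not code from the post or from Nmap. The packet rate, RST limit and retry count are constructed values, and the fixed one-second window limiter and the retry loop are assumptions, not the Solaris or Nmap implementations.

```python
from collections import Counter

def simulate(ports, open_ports, pps, rst_rate, max_retries, open_only):
    """Model one SYN scan; return (state per port, seconds spent sending).

    pps       -- probes sent per second (integer, constructed value)
    rst_rate  -- RST,ACKs the target emits per one-second window (assumed)
    open_only -- True models the proposed variant: only SYN,ACK matters
    """
    state = {}
    pending = list(ports)
    sent = 0                    # probe number i leaves at time i / pps
    rst_in_window = Counter()   # RST,ACKs already emitted in each window
    for _attempt in range(max_retries + 1):
        unanswered = []
        for port in pending:
            window = sent // pps
            sent += 1
            if port in open_ports:
                state[port] = "open"             # SYN,ACK is not rate-limited
            elif open_only:
                state[port] = "closed|filtered"  # no wait for RST,ACK, no retry
            elif rst_in_window[window] < rst_rate:
                rst_in_window[window] += 1
                state[port] = "closed"           # RST,ACK got through
            else:
                unanswered.append(port)          # RST,ACK suppressed, retry later
        pending = unanswered
        if not pending:
            break
    for port in pending:
        state[port] = "filtered"  # retries exhausted: closed port misreported
    return state, sent / pps

def tally(state):
    """Count ports per reported state."""
    return dict(Counter(state.values()))

if __name__ == "__main__":
    ports, open_ports = range(1, 1001), {22, 80}  # constructed target
    for open_only in (False, True):
        state, secs = simulate(ports, open_ports, 100, 10, 2, open_only)
        print("open-only" if open_only else "classic  ", tally(state), secs, "s")
```

The model ignores round-trip and timeout delays, so the classic figure understates the slowdown an adaptive scanner would see.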


