Nmap Development mailing list archives

Re: [updated patch] Re: fragment scan got broken between 3.50 and 3.75


From: Martin Mačok <martin.macok () underground cz>
Date: Mon, 31 Jan 2005 10:36:51 +0100

On Sun, Jan 30, 2005 at 08:03:30PM -0800, Fyodor wrote:

> CONNECT-closedfiltered - I'm not sure how common this API response is
>                          among platforms and it may confuse users.

OK, I will test it on other OS's and if all behaves the same, I will
push this patch again.

> defeat_ICMP_ratelimit - This will certainly speed things up, but there
>                         is a risk of decreasing accuracy.

1) Nmap-3.7x with this patch is not less accurate than stock Nmap-3.5x

2) Nmap-3.7x without this patch is much too slow against ratelimited
   ICMP DU (1 port costs 1 second), Nmap-3.5x is fast (in my opinion,
   Nmap-3.7x is almost unusable because of this behaviour - it is
   *seconds* with 3.5x versus *hours* with 3.7x while getting the same
   results in both cases)

3) ratelimited ICMP DU is common (almost every TCP/IP stack except
   Microsoft Windows implements it) and RFC-recommended behaviour

I don't see the risk and even if there theoretically is, that kind of
slowness is not worth it IMHO.

I could implement something along "--do_not_defeat_ICMP_ratelimit"
though...

> detect_TARPIT - This is a very cool technique, but I'm not sure it
>   belongs in the core distribution.  For example, sometimes you might
>   want to scan tarpits.

Then you would use -P0 or -PU, -PE, -PP, -PM ... because only -PS or
-PA detects tarpit (and only when it runs against tarpitted port, i.e.
non-opened or non-closed).

I could implement "--scan_tarpits" though...

>   If it just printed a note in verbose mode about potentially
>   tarpitted hosts, that might be better.

OK, in my TODO list.

Martin Mačok
ICT Security Consultant
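The timing argument in points 2 and 3 above (a rate-limited ICMP Destination Unreachable source makes every closed port cost about a second for a scanner that waits for each reply, while the host's own ICMP output stays bounded no matter how fast it is probed) can be made concrete with a small token-bucket model. The following is an added illustration and not Nmap code or Martin's patch; the bucket parameters (one token per second, burst of 6), the zero round-trip time and the 1 s scanner timeout are assumptions chosen to resemble a typical host, not measured values.

```python
"""Token-bucket model of per-destination ICMP rate limiting (RFC 1812 style).

Constructed example: the limiter parameters and the three probe schedules
are assumptions, not a description of Nmap's or any kernel's exact code.
"""
from dataclasses import dataclass


@dataclass
class IcmpRateLimiter:
    """Host-side limiter for ICMP errors (e.g. Destination Unreachable)."""
    interval: float = 1.0   # seconds per refilled token (assumed, ~1000 ms limit)
    burst: int = 6          # bucket capacity (assumed burst factor)
    sent: int = 0           # ICMP DUs actually emitted
    suppressed: int = 0     # ICMP DUs dropped by the limiter

    def __post_init__(self):
        self.tokens = float(self.burst)   # start with a full bucket
        self.last = 0.0                   # time of the previous refill

    def allow(self, now: float) -> bool:
        """Return True if an ICMP DU may be sent at time `now`."""
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) / self.interval)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.sent += 1
            return True
        self.suppressed += 1
        return False


def simulate_sequential(n_ports: int, timeout: float, lim: IcmpRateLimiter):
    """Scanner sends one UDP probe at a time and waits up to `timeout` for a DU.

    Returns (elapsed seconds, ports confirmed closed, ports left ambiguous).
    A suppressed DU costs a full timeout and leaves the port open|filtered.
    """
    now, closed, ambiguous = 0.0, 0, 0
    for _ in range(n_ports):
        if lim.allow(now):
            closed += 1            # DU arrives (RTT ignored): port is closed
        else:
            ambiguous += 1         # no DU within the timeout: open|filtered
            now += timeout
    return now, closed, ambiguous


def simulate_paced(n_ports: int, gap: float, lim: IcmpRateLimiter):
    """Scanner spaces probes `gap` seconds apart, matching the refill rate.

    Returns (elapsed seconds, ports confirmed closed, ports left ambiguous).
    """
    now, closed, ambiguous = 0.0, 0, 0
    for i in range(n_ports):
        now = i * gap
        if lim.allow(now):
            closed += 1
        else:
            ambiguous += 1
    return now, closed, ambiguous


def simulate_flood(n_ports: int, lim: IcmpRateLimiter):
    """All probes arrive at t=0; shows that the host's ICMP output is bounded.

    Returns (DUs emitted, DUs suppressed).
    """
    for _ in range(n_ports):
        lim.allow(0.0)
    return lim.sent, lim.suppressed


if __name__ == "__main__":
    print("sequential:", simulate_sequential(100, 1.0, IcmpRateLimiter()))
    print("paced     :", simulate_paced(100, 1.0, IcmpRateLimiter()))
    print("flood     :", simulate_flood(100, IcmpRateLimiter()))
```

With these assumed parameters, 100 closed ports probed sequentially take 47 s and leave 47 ports ambiguous because every other probe hits an empty bucket; pacing probes at one per second confirms all 100 as closed but costs a second per port (the behaviour the thread describes as "1 port costs 1 second"); and flooding the host elicits only the 6 burst replies, which is the bandwidth-bounding property that makes this limiter the recommended default. On Linux the corresponding knobs are the sysctls net.ipv4.icmp_ratelimit (minimum interval in ms, default 1000) and net.ipv4.icmp_ratemask (bitmask of limited ICMP types, default 6168 covering Destination Unreachable, Source Quench, Time Exceeded and Parameter Problem).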

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
