Nmap Development mailing list archives

Unnecessary TCP retries ?


From: "Gerard Fowley" <email1 () fowley org>
Date: Tue, 14 Jun 2005 14:25:27 -0400 (EDT)


I'm performing a full TCP portscan of a host with this nmap command line...

nmap -P0 -sT -n -r -p 1-65535 --max_rtt_timeout 500 -oN tcp.nmap -oX nmap.xml x.x.x.x

Running nmap v3.81
compiled with:
CFLAGS="-O2 -march=i686 -fomit-frame-pointer"
on:
Linux remus 2.6.10-gentoo-r6 #1 Tue Feb 8 18:55:11 EST 2005 i686 Pentium II (Klamath) GenuineIntel GNU/Linu

The source host is directly internet connected and not firewalled.
The destination hosts I scan are usually firewalled. Since there will be
no response for most TCP ports, I keep the max_rtt_timeout low to prevent
these scans running for days.

The problem is that I am seeing repeated probes for ports that have
already been determined to be open or closed. Here are tcpdump outputs
taken from the source host...

In this case tcp/25 is open and repeatedly probed at 12:44:18 and
12:44:29. This happens every ~11 seconds over the day this has been
running; at this stage the non-responsive port probe rate is down to ~1
second...

12:44:10.358661 IP x.x.x.x.60299 > y.y.y.y.43337: S 3203345960:3203345960(0) win 5840 <mss 1460,sackOK,timestamp 2115748693[|tcp]>
12:44:11.364530 IP x.x.x.x.60302 > y.y.y.y.43338: S 3203014970:3203014970(0) win 5840 <mss 1460,sackOK,timestamp 2115749699[|tcp]>
12:44:12.370342 IP x.x.x.x.60305 > y.y.y.y.43338: S 3202262006:3202262006(0) win 5840 <mss 1460,sackOK,timestamp 2115750705[|tcp]>
12:44:13.376217 IP x.x.x.x.60308 > y.y.y.y.43339: S 3208718364:3208718364(0) win 5840 <mss 1460,sackOK,timestamp 2115751711[|tcp]>
12:44:14.382034 IP x.x.x.x.60311 > y.y.y.y.43339: S 3205131043:3205131043(0) win 5840 <mss 1460,sackOK,timestamp 2115752717[|tcp]>
12:44:15.387981 IP x.x.x.x.60314 > y.y.y.y.43340: S 3205325561:3205325561(0) win 5840 <mss 1460,sackOK,timestamp 2115753723[|tcp]>
12:44:16.393738 IP x.x.x.x.60317 > y.y.y.y.43340: S 3217020489:3217020489(0) win 5840 <mss 1460,sackOK,timestamp 2115754729[|tcp]>
12:44:17.399601 IP x.x.x.x.60320 > y.y.y.y.43341: S 3211011356:3211011356(0) win 5840 <mss 1460,sackOK,timestamp 2115755735[|tcp]>
12:44:18.405426 IP x.x.x.x.60323 > y.y.y.y.25: S 3210406133:3210406133(0) win 5840 <mss 1460,sackOK,timestamp 2115756741[|tcp]>
12:44:18.694319 IP y.y.y.y.25 > x.x.x.x.60323: S 1069976085:1069976085(0) ack 3210406134 win 16384 <mss 1380,nop,wscale 0,nop,nop,timestamp[|tcp]>
12:44:18.694388 IP x.x.x.x.60323 > y.y.y.y.25: . ack 1 win 1460 <nop,nop,timestamp 2115757030 0>
12:44:18.694772 IP x.x.x.x.60323 > y.y.y.y.25: R 1:1(0) ack 1 win 1460 <nop,nop,timestamp 2115757030 0>
12:44:19.413187 IP x.x.x.x.60326 > y.y.y.y.43341: S 3217228414:3217228414(0) win 5840 <mss 1460,sackOK,timestamp 2115757749[|tcp]>
12:44:20.419145 IP x.x.x.x.60329 > y.y.y.y.43342: S 3215165054:3215165054(0) win 5840 <mss 1460,sackOK,timestamp 2115758755[|tcp]>
12:44:21.424965 IP x.x.x.x.60332 > y.y.y.y.43342: S 3221320100:3221320100(0) win 5840 <mss 1460,sackOK,timestamp 2115759761[|tcp]>
12:44:22.430840 IP x.x.x.x.60335 > y.y.y.y.43343: S 3219181073:3219181073(0) win 5840 <mss 1460,sackOK,timestamp 2115760767[|tcp]>
12:44:23.436660 IP x.x.x.x.60338 > y.y.y.y.43343: S 3217946272:3217946272(0) win 5840 <mss 1460,sackOK,timestamp 2115761773[|tcp]>
12:44:24.442538 IP x.x.x.x.60341 > y.y.y.y.43344: S 3225790922:3225790922(0) win 5840 <mss 1460,sackOK,timestamp 2115762779[|tcp]>
12:44:25.448355 IP x.x.x.x.60344 > y.y.y.y.43344: S 3211861700:3211861700(0) win 5840 <mss 1460,sackOK,timestamp 2115763785[|tcp]>
12:44:26.454331 IP x.x.x.x.60347 > y.y.y.y.43345: S 3220787260:3220787260(0) win 5840 <mss 1460,sackOK,timestamp 2115764791[|tcp]>
12:44:27.460042 IP x.x.x.x.60350 > y.y.y.y.43345: S 3218755505:3218755505(0) win 5840 <mss 1460,sackOK,timestamp 2115765797[|tcp]>
12:44:28.465919 IP x.x.x.x.60353 > y.y.y.y.43346: S 3218898526:3218898526(0) win 5840 <mss 1460,sackOK,timestamp 2115766803[|tcp]>
12:44:29.471736 IP x.x.x.x.60356 > y.y.y.y.25: S 3218750611:3218750611(0) win 5840 <mss 1460,sackOK,timestamp 2115767809[|tcp]>
12:44:29.644945 IP y.y.y.y.25 > x.x.x.x.60356: S 1263458022:1263458022(0) ack 3218750612 win 16384 <mss 1380,nop,wscale 0,nop,nop,timestamp[|tcp]>
12:44:29.645013 IP x.x.x.x.60356 > y.y.y.y.25: . ack 1 win 1460 <nop,nop,timestamp 2115767982 0>
12:44:29.645372 IP x.x.x.x.60356 > y.y.y.y.25: R 1:1(0) ack 1 win 1460 <nop,nop,timestamp 2115767983 0>
12:44:30.479501 IP x.x.x.x.60359 > y.y.y.y.43346: S 3217192571:3217192571(0) win 5840 <mss 1460,sackOK,timestamp 2115768817[|tcp]>
12:44:31.485457 IP x.x.x.x.60362 > y.y.y.y.43347: S 3218992728:3218992728(0) win 5840 <mss 1460,sackOK,timestamp 2115769823[|tcp]>
12:44:32.491285 IP x.x.x.x.60365 > y.y.y.y.43347: S 3230690754:3230690754(0) win 5840 <mss 1460,sackOK,timestamp 2115770829[|tcp]>
12:44:33.497152 IP x.x.x.x.60368 > y.y.y.y.43348: S 3229615073:3229615073(0) win 5840 <mss 1460,sackOK,timestamp 2115771835[|tcp]>
12:44:34.502972 IP x.x.x.x.60371 > y.y.y.y.43348: S 3234765300:3234765300(0) win 5840 <mss 1460,sackOK,timestamp 2115772841[|tcp]>


In this case tcp/1719 is closed and repeatedly probed at 12:48:43 and
12:48:54. This also happens every ~11 seconds over the day this has been
running; at this stage the non-responsive port probe rate is also down to
~1 second...

12:48:40.888526 IP x.x.x.x.32878 > y.y.y.y.21216: S 3494495795:3494495795(0) win 5840 <mss 1460,sackOK,timestamp 2116019264[|tcp]>
12:48:41.891175 IP x.x.x.x.32881 > y.y.y.y.21216: S 3483996731:3483996731(0) win 5840 <mss 1460,sackOK,timestamp 2116020267[|tcp]>
12:48:42.894052 IP x.x.x.x.32884 > y.y.y.y.1719: S 3496946793:3496946793(0) win 5840 <mss 1460,sackOK,timestamp 2116021270[|tcp]>
12:48:43.222786 IP y.y.y.y.1719 > x.x.x.x.32884: R 61123369:61123369(0) ack 3496946794 win 0
12:48:43.897792 IP x.x.x.x.32887 > y.y.y.y.21216: S 3490382770:3490382770(0) win 5840 <mss 1460,sackOK,timestamp 2116022274[|tcp]>
12:48:44.900735 IP x.x.x.x.32890 > y.y.y.y.21216: S 3488997943:3488997943(0) win 5840 <mss 1460,sackOK,timestamp 2116023277[|tcp]>
12:48:45.903593 IP x.x.x.x.32893 > y.y.y.y.21217: S 3489136562:3489136562(0) win 5840 <mss 1460,sackOK,timestamp 2116024280[|tcp]>
12:48:46.906427 IP x.x.x.x.32896 > y.y.y.y.21217: S 3497672878:3497672878(0) win 5840 <mss 1460,sackOK,timestamp 2116025283[|tcp]>
12:48:47.911270 IP x.x.x.x.32899 > y.y.y.y.21217: S 3493459357:3493459357(0) win 5840 <mss 1460,sackOK,timestamp 2116026288[|tcp]>
12:48:48.916973 IP x.x.x.x.32902 > y.y.y.y.21217: S 3492839477:3492839477(0) win 5840 <mss 1460,sackOK,timestamp 2116027294[|tcp]>
12:48:49.920066 IP x.x.x.x.32904 > y.y.y.y.21218: S 3508158083:3508158083(0) win 5840 <mss 1460,sackOK,timestamp 2116028297[|tcp]>
12:48:50.922860 IP x.x.x.x.32907 > y.y.y.y.21218: S 3495575978:3495575978(0) win 5840 <mss 1460,sackOK,timestamp 2116029300[|tcp]>
12:48:51.925735 IP x.x.x.x.32910 > y.y.y.y.21218: S 3507085014:3507085014(0) win 5840 <mss 1460,sackOK,timestamp 2116030303[|tcp]>
12:48:52.928712 IP x.x.x.x.32913 > y.y.y.y.21218: S 3498423384:3498423384(0) win 5840 <mss 1460,sackOK,timestamp 2116031306[|tcp]>
12:48:53.931418 IP x.x.x.x.32916 > y.y.y.y.1719: S 3506326727:3506326727(0) win 5840 <mss 1460,sackOK,timestamp 2116032309[|tcp]>
12:48:54.054498 IP y.y.y.y.1719 > x.x.x.x.32916: R 722748090:722748090(0) ack 3506326728 win 0
12:48:54.936161 IP x.x.x.x.32919 > y.y.y.y.21219: S 3497773516:3497773516(0) win 5840 <mss 1460,sackOK,timestamp 2116033314[|tcp]>
12:48:55.939157 IP x.x.x.x.32922 > y.y.y.y.21219: S 3508645136:3508645136(0) win 5840 <mss 1460,sackOK,timestamp 2116034317[|tcp]>
12:48:56.942063 IP x.x.x.x.32925 > y.y.y.y.21219: S 3510028888:3510028888(0) win 5840 <mss 1460,sackOK,timestamp 2116035320[|tcp]>
12:48:57.944945 IP x.x.x.x.32928 > y.y.y.y.21219: S 3506238610:3506238610(0) win 5840 <mss 1460,sackOK,timestamp 2116036323[|tcp]>
12:48:58.947667 IP x.x.x.x.32931 > y.y.y.y.21220: S 3512243466:3512243466(0) win 5840 <mss 1460,sackOK,timestamp 2116037326[|tcp]>
12:48:59.950577 IP x.x.x.x.32934 > y.y.y.y.21220: S 3516009468:3516009468(0) win 5840 <mss 1460,sackOK,timestamp 2116038329[|tcp]>
12:49:00.953344 IP x.x.x.x.32937 > y.y.y.y.21220: S 3512932794:3512932794(0) win 5840 <mss 1460,sackOK,timestamp 2116039332[|tcp]>

Any ideas ?

Gerard Fowley



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
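
Added example (not part of the original post or of Nmap): a small Python filter that reads tcpdump text like the captures above and reports every SYN sent to a port that had already answered with SYN/ACK or RST, with the delay since that answer. The function name, the documentation-range addresses and the sample lines are constructed for illustration; it assumes each packet sits on a single line and the capture does not cross midnight.

```python
import re

# Constructed sample modelled on the captures in the post (addresses are placeholders).
SCANNER = "192.0.2.10"
SAMPLE = """\
12:44:17.399601 IP 192.0.2.10.60320 > 198.51.100.7.43341: S 100:100(0) win 5840
12:44:18.405426 IP 192.0.2.10.60323 > 198.51.100.7.25: S 200:200(0) win 5840
12:44:18.694319 IP 198.51.100.7.25 > 192.0.2.10.60323: S 900:900(0) ack 201 win 16384
12:44:18.694388 IP 192.0.2.10.60323 > 198.51.100.7.25: . ack 1 win 1460
12:44:18.694772 IP 192.0.2.10.60323 > 198.51.100.7.25: R 1:1(0) ack 1 win 1460
12:44:19.413187 IP 192.0.2.10.60326 > 198.51.100.7.43341: S 300:300(0) win 5840
12:44:29.471736 IP 192.0.2.10.60356 > 198.51.100.7.25: S 400:400(0) win 5840
12:44:29.644945 IP 198.51.100.7.25 > 192.0.2.10.60356: S 950:950(0) ack 401 win 16384
12:48:42.894052 IP 192.0.2.10.32884 > 198.51.100.7.1719: S 500:500(0) win 5840
12:48:43.222786 IP 198.51.100.7.1719 > 192.0.2.10.32884: R 600:600(0) ack 501 win 0
12:48:53.931418 IP 192.0.2.10.32916 > 198.51.100.7.1719: S 700:700(0) win 5840
"""

# time, "IP", src host.port, ">", dst host.port, flags, remainder of the line
PKT = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)(.*)$")

def find_reprobes(capture, scanner):
    """Return (port, state, seconds_since_answer) for each SYN the scanner
    sends to a port that has already answered with SYN/ACK or RST."""
    answered = {}   # target port -> (state, time of the target's latest answer)
    reprobes = []
    for line in capture.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue
        hh, mm, ss, src, sport, dst, dport, flags, rest = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        has_ack = " ack " in rest
        if src == scanner and flags == "S" and not has_ack:
            port = int(dport)                 # outgoing connect() probe
            if port in answered:
                state, t0 = answered[port]
                reprobes.append((port, state, round(t - t0, 1)))
        elif dst == scanner:
            if flags.startswith("S") and has_ack:
                answered[int(sport)] = ("open", t)     # SYN/ACK from target
            elif flags.startswith("R"):
                answered[int(sport)] = ("closed", t)   # RST from target

    return reprobes

if __name__ == "__main__":
    for port, state, gap in find_reprobes(SAMPLE, SCANNER):
        print(f"port {port} ({state}) re-probed {gap}s after its answer")
```

Ports that never answer (the filtered ones) are not reported, so the output isolates the retries the post is asking about.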

