Nmap Development mailing list archives

Re: Extremely long scan times... (Martin's defeat_ratelimits patch)

From: Fyodor <fyodor () insecure org>
Date: Mon, 15 May 2006 15:45:48 -0700

On Sun, May 14, 2006 at 10:46:12AM +0200, Martin Mačok wrote:

  Maybe we can make it the default behavior later.  This
  change just takes an extra 'o.timing_level > 3' conditional.


OK with me, implemented.


Looks great!  I have added it for the next version of Nmap (due out
this week).  The only thing I changed (besides documenting
--defeat-rst-ratelimit) is to remove the PORT_CLOSEDFILTERED stat
which used instead of closed and filtered when --defeat-rst-ratelimit
was specified.  If a RST was received, we know it is closed so we
don't need to do CLOSEDFILTERED.  Especially now with the new change
to Nmap to better handle multiple ignored states.  When there is no
response, I can see the argument for using CLOSEDFILTERED instead of
FILTERED.  Maybe that would be worth doing if heuristics were used to
detect that rate limiting is in effect for the given host, but it
seems rather broad to always replace CLOSED with CLOSEDFILTERED for
nonresponsive ports when --defeat-rst-ratelimit is specified.  So what
I did instead was add a note to the documentation that this option may
cause closed ports to appear filtered when RST rate limiting is in
effect.  Here is the CHANGELOG:

o Nmap now ignores certain ICMP error message rate limiting (rather
  than slowing down to accomidate it) in cases such as SYN scan where
  an ICMP message and no response mean the same thing (port filtered).
  This is currently only done at timing level Aggressive (-T4) or
  higher, though we may make it the default if we don't hear problems
  with it.  In addition, the --defeat-rst-ratelimit option has been
  added, which causes Nmap not to slow down to accomidate RST rate
  limits when encountered.  For a SYN scan, this may cause closed
  ports to be labeled 'filtered' becuase Nmap refused to slow down
  enough to correspond to the rate limiting.  Learn more about this
  new option at http://www.insecure.org/nmap/man/ .  Thanks to Martin
  Macok (martin.macok(a)underground.cz) for writing the patch that
  these changes were based on.

Thanks again!
-Fyodor


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

Current thread:

Re: Extremely long scan times... (Martin's defeat_ratelimits patch) Fyodor (Apr 20)
- Re: Extremely long scan times... (Martin's defeat_ratelimits patch) Martin Mačok (Apr 21)
- Re: Extremely long scan times... (Martin's defeat_ratelimits patch) Martin Mačok (May 14)
  - Re: Extremely long scan times... (Martin's defeat_ratelimits patch) Fyodor (May 15)
- <Possible follow-ups>
- RE: Extremely long scan times... (Martin's defeat_ratelimits patch) Jones, David H (Apr 21)