Nmap Development mailing list archives
Re: Extremely long scan times... (Martin's defeat_ratelimits patch)
From: Fyodor <fyodor () insecure org>
Date: Mon, 15 May 2006 15:45:48 -0700
On Sun, May 14, 2006 at 10:46:12AM +0200, Martin Mačok wrote:
Maybe we can make it the default behavior later. This change just takes an extra 'o.timing_level > 3' conditional.OK with me, implemented.
Looks great! I have added it for the next version of Nmap (due out this week). The only thing I changed (besides documenting --defeat-rst-ratelimit) is to remove the PORT_CLOSEDFILTERED stat which used instead of closed and filtered when --defeat-rst-ratelimit was specified. If a RST was received, we know it is closed so we don't need to do CLOSEDFILTERED. Especially now with the new change to Nmap to better handle multiple ignored states. When there is no response, I can see the argument for using CLOSEDFILTERED instead of FILTERED. Maybe that would be worth doing if heuristics were used to detect that rate limiting is in effect for the given host, but it seems rather broad to always replace CLOSED with CLOSEDFILTERED for nonresponsive ports when --defeat-rst-ratelimit is specified. So what I did instead was add a note to the documentation that this option may cause closed ports to appear filtered when RST rate limiting is in effect. Here is the CHANGELOG: o Nmap now ignores certain ICMP error message rate limiting (rather than slowing down to accomidate it) in cases such as SYN scan where an ICMP message and no response mean the same thing (port filtered). This is currently only done at timing level Aggressive (-T4) or higher, though we may make it the default if we don't hear problems with it. In addition, the --defeat-rst-ratelimit option has been added, which causes Nmap not to slow down to accomidate RST rate limits when encountered. For a SYN scan, this may cause closed ports to be labeled 'filtered' becuase Nmap refused to slow down enough to correspond to the rate limiting. Learn more about this new option at http://www.insecure.org/nmap/man/ . Thanks to Martin Macok (martin.macok(a)underground.cz) for writing the patch that these changes were based on. Thanks again! -Fyodor _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Current thread:
- Re: Extremely long scan times... (Martin's defeat_ratelimits patch) Fyodor (Apr 20)
- Re: Extremely long scan times... (Martin's defeat_ratelimits patch) Martin Mačok (Apr 21)
- Re: Extremely long scan times... (Martin's defeat_ratelimits patch) Martin Mačok (May 14)
- Re: Extremely long scan times... (Martin's defeat_ratelimits patch) Fyodor (May 15)
- <Possible follow-ups>
- RE: Extremely long scan times... (Martin's defeat_ratelimits patch) Jones, David H (Apr 21)