Nmap Development mailing list archives

Re: PortBunny - FX and Fabs at 24C3


From: doug () hcsw org
Date: Sun, 13 Jan 2008 14:22:59 -0800

On Sun, Jan 13, 2008 at 11:30:50AM +0000 or thereabouts, Brandon Enright wrote:
> o Fabs declares that "the kernel is a good place for a port scanner",
>   and indeed PortBunny is a Linux-only kernel module.  They suggest
>   that you use a dedicated box and not run other Internet applications
>   such as web browsers at the same time.
>
> This is a terrible idea.  I think they did it in the kernel because
> they wanted to and went looking for excuses why it was a good idea
> later.  If speed is all you're looking for, the Unicornscan guys sure
> seem to be doing well with their user-land distributed TCP/IP stack.
> There is absolutely no good reason to stuff a portscanner in the kernel.

I agree, I think this is an astoundingly bad design decision. Not
only is it Linux kernel X.Y.Z specific, but also likely to bring
down your entire system in the event of a bug. I read through the
slides because I was curious why they felt a kernel module was
warranted but found no good explanation. They say that running
in the kernel means that "Timing is as precise as it can get".
I would be interested in the specifics of this (if there are any).
On most systems (except Windows and AmigaOS), Nmap gets its packet
arrival times from pcap which should mean it was measured in kernel
anyways.

I will be sticking with Nmap for the foreseeable future. :)

Doug
