Nmap Development mailing list archives

Effectiveness of SCTP INIT ping


From: David Fifield <david () bamsoftware com>
Date: Sun, 24 May 2009 20:57:55 -0600

On Fri, May 22, 2009 at 02:05:27PM +0200, Daniel Roethlisberger wrote:
> It's time to expose the SCTP features to some more testing.  If
> all goes well, we might even get it into trunk in time for the
> upcoming stable release.

I've recently been testing the effectiveness of the various ping probes
in an attempt to make Nmap's default host discovery better. Here are the
results so far.

http://www.bamsoftware.com/wiki/Nmap/EffectivenessOfPingProbes

I tested the new -PY probe using the scripts that I have been using. The
results are at the end of this message. -PY is a decent ping probe,
reaching 21% of hosts that respond to any kind of ping. For comparison,
-PE is far and away the best single probe with 57%, and -PS443 is next
best with 39%. -PY is better than a lot of probes including -PS445
(20%), -PU123 (19%), and -PM (3%).

I haven't run an analysis to measure its effectiveness when combined
with other probes, but I'm curious because it's so different.

David Fifield

(Ignore the -PA results; they are an anomaly because this particular
connection does ACK filtering.)

Maximum possible using all 80 probes: 2454.
-PE                   1388 56.56%
-PO1                  1379 56.19%
-PS443                964 39.28%
-PS80                 938 38.22%
-PS110                890 36.27%
-PS21                 880 35.86%
-PS22                 859 35.00%
-PS25                 840 34.23%
-PS3389               814 33.17%
-PS40126              773 31.50%
-PS23                 773 31.50%
-PS40125              769 31.34%
-PP                   760 30.97%
-PU40125-sp53-dl24    687 28.00%
-PU40126-sp53-dl24    679 27.67%
-PU31338-sp53-dl24    666 27.14%
-PU123-payload-sp53   655 26.69%
-PU631-sp53-dl24      644 26.24%
-PU40125-sp53         634 25.84%
-PU40126-sp53         630 25.67%
-PU31338-sp53         619 25.22%
-PU123-payload        617 25.14%
-PU53-payload-sp53    616 25.10%
-PU40125-dl24         605 24.65%
-PU40126-dl24         602 24.53%
-PU53-payload         601 24.49%
-PU631-dl24           595 24.25%
-PU631-sp53           594 24.21%
-PU1434-payload-sp53  581 23.68%
-PU40125              575 23.43%
-PU31338-dl24         573 23.35%
-PU40126              568 23.15%
-PU31338              548 22.33%
-PO17                 547 22.29%
-PU500-payload-sp53   545 22.21%
-PU631                545 22.21%
-PU500-payload        521 21.23%
-PU1434-payload       519 21.15%
-PY                   506 20.62%
-PU123-sp53-dl24      489 19.93%
-PS445                486 19.80%
-PU161-payload-sp53   483 19.68%
-PS139                476 19.40%
-PU123-dl24           468 19.07%
-PU123-sp53           444 18.09%
-PU161-payload        433 17.64%
-PU123                417 16.99%
-PU161-sp53           409 16.67%
-PU135-payload-sp53   407 16.59%
-PU138-sp53-dl24      406 16.54%
-PU137-payload-sp53   404 16.46%
-PU161-sp53-dl24      401 16.34%
-PU137-sp53-dl24      398 16.22%
-PU138-dl24           386 15.73%
-PU135-payload        385 15.69%
-PU137-payload        368 15.00%
-PU137-dl24           357 14.55%
-PU138-sp53           354 14.43%
-PU161-dl24           353 14.38%
-PU161                348 14.18%
-PU137-sp53           344 14.02%
-PU138                325 13.24%
-PU137                317 12.92%
-PO2                  205 8.35%
-PM                   79 3.22%
-PA3389               0 0.00%
-PO150                0 0.00%
-PA443                0 0.00%
-PA110                0 0.00%
-PA445                0 0.00%
-PA139                0 0.00%
-PA25                 0 0.00%
-PA23                 0 0.00%
-PA22                 0 0.00%
-PA21                 0 0.00%
-PA80                 0 0.00%
-PO6                  0 0.00%
-PO4                  0 0.00%
-PA40126              0 0.00%
-PA40125              0 0.00%

Here is the frequency of reasons reported for the 506 -PY responses:
    384 proto-unreach
     68 abort
     40 admin-prohibited
      8 port-unreach
      4 host-unreach
      2 host-prohibited

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
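
An added example, not part of the original post and not Nmap code: one way to measure what a probe such as -PY contributes when combined with other probes, given the set of hosts that answered each probe. The host sets and function names are constructed for illustration; the per-host data behind the table above is not on this page.

```python
"""Combined coverage of ping probes, on constructed per-host response sets."""

def coverage(responders, probes):
    """Hosts that answer at least one of the given probes."""
    hosts = set()
    for probe in probes:
        hosts |= responders[probe]
    return hosts

def marginal_gain(responders, probe, baseline):
    """Hosts reached by `probe` that no probe in `baseline` reaches."""
    return responders[probe] - coverage(responders, baseline)

def greedy_probe_set(responders, k):
    """Pick up to k probes, each time adding the one that reaches the most
    hosts not already covered. Stops early when nothing new is gained."""
    chosen, covered = [], set()
    for _ in range(k):
        best = max((p for p in responders if p not in chosen),
                   key=lambda p: (len(responders[p] - covered), p),
                   default=None)
        if best is None or not responders[best] - covered:
            break
        chosen.append(best)
        covered |= responders[best]
    return chosen, covered

# Constructed sample (NOT the post's data): probe -> ids of hosts that replied.
# -PY ranks below -PS443 on its own, but mostly reaches hosts nothing else does.
SAMPLE = {
    "-PE":    {1, 2, 3, 4, 5, 6},
    "-PS443": {1, 2, 3, 7, 8},
    "-PS80":  {1, 2, 3, 7},
    "-PY":    {4, 9, 10, 11},
    "-PM":    {1},
}

if __name__ == "__main__":
    total = len(coverage(SAMPLE, SAMPLE))
    print(f"Maximum possible using all {len(SAMPLE)} probes: {total}")
    for probe in sorted(SAMPLE, key=lambda p: -len(SAMPLE[p])):
        n = len(SAMPLE[probe])
        print(f"{probe:<8} {n:>3} {100 * n / total:6.2f}%")
    chosen, covered = greedy_probe_set(SAMPLE, 3)
    print("greedy order:", chosen, "covers", len(covered), "hosts")
    print("-PY adds over -PE,-PS443:",
          sorted(marginal_gain(SAMPLE, "-PY", ["-PE", "-PS443"])))
```

A probe's rank in a single-probe table and its marginal gain can differ sharply: in the constructed data -PS80 adds nothing once -PE and -PS443 are in use, while -PY adds three hosts.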

