Nmap Development mailing list archives

Increasing UDP Scanning with virtual hosts


From: sham0day sham0day <sham0day () gmail com>
Date: Sat, 30 Jan 2010 16:02:53 -0500

The following strategy was initially intended to increase the speed of UDP
scanning, but it could also be used to increase the speed of any host that
is rate limited.

During a UDP scan, if we receive an “ICMP port unreachable” message then we
know the port is probably closed. Unfortunately many targets rate-limit the
number of ICMP port unreachable messages to 1 a second (e.g. Linux hosts).
Nmap will throttle its scan to compensate for this. RFC 1812 section 4.3.2.8
states that ICMP rate limits can occur in 3 ways – count based, timer based,
and bandwidth based. The first two rate limits appear to target specific
source hosts.

In order to get around this, it seems possible to speed the UDP scan by
changing the source host. So if multiple sources were scanning a target, it
can avoid this ICMP port unreachable rate limit because each individual
source would get rate-limited (1 per second on Linux), but not all sources
combined. This would work unless the rate limit was bandwidth-based.

So to avoid these rate limits, Nmap could utilize virtual host adapters so
it could scan targets from “multiple sources” simultaneously. This would
greatly increase the speed of a UDP scan and could also increase the speed
of any scan that is getting rate limited. Creating virtual host adapters
(with their own IP and MAC) to avoid rate limits could be a great feature in
new versions of Nmap.

Thoughts?
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
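
A small model of the rate-limit behaviour discussed in this message, added here as an example (not code from the post or from Nmap): it counts the port-unreachable replies a host would send when the timer is keyed on source address versus when one timer is shared by all sources. The 1-per-second interval is from the post; the probe rate, the addresses and the shared-timer variant are assumptions of the model.

```python
from collections import defaultdict

INTERVAL_MS = 1000  # timer-based limit from the post: 1 port unreachable per second


def replies_sent(probes, per_source=True, interval_ms=INTERVAL_MS):
    """Count ICMP port-unreachable replies emitted by the modelled host.

    probes: iterable of (time_ms, source_ip) for probes hitting closed UDP ports.
    per_source: True keys the timer on the source address,
                False uses a single timer shared by every source (assumed variant).
    Returns {source_ip: replies_received}.
    """
    last_reply = {}
    sent = defaultdict(int)
    for t_ms, src in sorted(probes):
        key = src if per_source else "*"
        if key not in last_reply or t_ms - last_reply[key] >= interval_ms:
            last_reply[key] = t_ms
            sent[src] += 1
    return dict(sent)


def make_probes(sources, duration_s=10, probes_per_s=5):
    """Constructed workload: every source probes at a fixed rate from t=0."""
    step_ms = 1000 // probes_per_s
    return [(i * step_ms, src) for src in sources
            for i in range(duration_s * probes_per_s)]


def total_replies(n_sources, per_source):
    # 192.0.2.0/24 is the RFC 5737 documentation range; addresses are constructed.
    sources = [f"192.0.2.{i + 1}" for i in range(n_sources)]
    return sum(replies_sent(make_probes(sources), per_source).values())


if __name__ == "__main__":
    print("sources  per-source-timer  shared-timer")
    for n in (1, 4, 16):
        print(f"{n:7d}  {total_replies(n, True):16d}  {total_replies(n, False):12d}")
```

With a per-source timer the reply count over the 10-second window grows linearly with the number of sources, while a shared timer holds it constant, so only a limit that is not keyed on the sender bounds the aggregate ICMP error output.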

