Nmap Development mailing list archives

Re: BUG: nping overflow


From: David Fifield <david () bamsoftware com>
Date: Fri, 23 Apr 2010 07:20:58 -0600

On Mon, Apr 19, 2010 at 11:36:28PM +0200, miniBill wrote:
> Version: 0.5.30BETA1 [compiled]
> OS: Ubuntu Lucid Lynx [with a personalized set of packets installed]
> 
> How to reproduce:
> =============
> ./nping --udp -p 53 felix.nmap.org
> --wait a few seconds--
> sudo ./nping --udp -p 53 felix.nmap.org
> 
> What happens:
> ===========
> The first nping signals a 100% loss [apparently being unprivileged
> means I get no packets].
> The second run gets the packets of the first run [just guessing] and
> goes overflow

Here's what your logs show:

$ ./nping --udp -p 53 felix.nmap.org

Starting Nping 0.5.30BETA1 ( http://nmap.org/nping ) at 2010-04-19 23:12 CEST
SENT (0.0000s) UDP packet with 4 bytes to felix.nmap.org:53 (64.13.134.48:53)
SENT (1.0010s) UDP packet with 4 bytes to felix.nmap.org:53 (64.13.134.48:53)
SENT (2.0020s) UDP packet with 4 bytes to felix.nmap.org:53 (64.13.134.48:53)
SENT (3.0030s) UDP packet with 4 bytes to felix.nmap.org:53 (64.13.134.48:53)
SENT (4.0040s) UDP packet with 4 bytes to felix.nmap.org:53 (64.13.134.48:53)

$ sudo ./nping --udp -p 53 felix.nmap.org

Starting Nping 0.5.30BETA1 ( http://nmap.org/nping ) at 2010-04-19 23:13 CEST
SENT (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28
RCVD (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28
RCVD (0.7630s) UDP 192.168.1.4:48180 > 216.239.36.10:53 ttl=64 id=37617 iplen=80
RCVD (0.8120s) UDP 192.168.1.4:54660 > 216.239.36.10:53 ttl=64 id=37618 iplen=80
RCVD (0.8640s) UDP 192.168.1.4:29937 > 216.239.32.10:53 ttl=64 id=1187 iplen=80
SENT (1.0070s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=3127 iplen=28
RCVD (1.0070s) UDP 192.168.1.4:22781 > 216.239.34.10:53 ttl=64 id=10654 iplen=80
RCVD (1.0070s) UDP 192.168.1.4:17586 > 216.239.38.10:53 ttl=64 id=6261 iplen=80
SENT (2.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=59537 iplen=28
RCVD (2.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=3127 iplen=28
RCVD (2.0080s) UDP 192.168.1.4:48831 > 199.7.83.42:53 ttl=64 id=39759 iplen=71

I don't think anything is overflowing, nor is the second scan getting
replies from the first. There are no replies, which is typical for UDP
ping. Instead, it looks like Nping is not applying a restrictive enough
packet filter, so it is printing UDP packets with destination port 53,
regardless of source. The RCVD line here is picking up the same packet
as in the SENT line, the one you sent:

SENT (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28 
RCVD (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28 

The other RCVDs look like your machine making normal domain name queries
to different servers.

RCVD (0.7630s) UDP 192.168.1.4:48180 > 216.239.36.10:53 ttl=64 id=37617 iplen=80
RCVD (0.8120s) UDP 192.168.1.4:54660 > 216.239.36.10:53 ttl=64 id=37618 iplen=80
RCVD (0.8640s) UDP 192.168.1.4:29937 > 216.239.32.10:53 ttl=64 id=1187 iplen=80 
RCVD (1.0070s) UDP 192.168.1.4:22781 > 216.239.34.10:53 ttl=64 id=10654 iplen=80
RCVD (1.0070s) UDP 192.168.1.4:17586 > 216.239.38.10:53 ttl=64 id=6261 iplen=80 
RCVD (2.0080s) UDP 192.168.1.4:48831 > 199.7.83.42:53 ttl=64 id=39759 iplen=71 

Those IP addresses are
ns3.google.com (216.239.36.10)
ns1.google.com (216.239.32.10)
ns2.google.com (216.239.34.10)
ns4.google.com (216.239.38.10)
l.root-servers.net (199.7.83.42)

So Luis, I think you want to check out the filter code.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
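To make the filtering point in David's reply concrete, here is an added example (my own illustration, not Nping's code) that parses the SENT/RCVD lines quoted above and applies two capture predicates to them: a loose one, "any UDP datagram to port 53", which is consistent with what the report shows, and a strict reply predicate that only accepts a datagram coming back from the target's probed port to our own source port. The log text is copied from the report; the field names, the Packet class and the helper functions are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample input: the SENT/RCVD lines from the report above,
# copied verbatim. Everything else in this file is illustrative code,
# not Nping's own implementation.
SAMPLE_LOG = """\
SENT (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28
RCVD (0.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=52878 iplen=28
RCVD (0.7630s) UDP 192.168.1.4:48180 > 216.239.36.10:53 ttl=64 id=37617 iplen=80
RCVD (0.8120s) UDP 192.168.1.4:54660 > 216.239.36.10:53 ttl=64 id=37618 iplen=80
RCVD (0.8640s) UDP 192.168.1.4:29937 > 216.239.32.10:53 ttl=64 id=1187 iplen=80
SENT (1.0070s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=3127 iplen=28
RCVD (1.0070s) UDP 192.168.1.4:22781 > 216.239.34.10:53 ttl=64 id=10654 iplen=80
RCVD (1.0070s) UDP 192.168.1.4:17586 > 216.239.38.10:53 ttl=64 id=6261 iplen=80
SENT (2.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=59537 iplen=28
RCVD (2.0080s) UDP 192.168.1.4:53 > 64.13.134.48:53 ttl=64 id=3127 iplen=28
RCVD (2.0080s) UDP 192.168.1.4:48831 > 199.7.83.42:53 ttl=64 id=39759 iplen=71
"""

# Matches one Nping SENT/RCVD line in the privileged (raw socket) output format.
LINE_RE = re.compile(
    r"^(?P<kind>SENT|RCVD) \((?P<t>[\d.]+)s\) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"ttl=(?P<ttl>\d+) id=(?P<ipid>\d+) iplen=(?P<iplen>\d+)$"
)


@dataclass(frozen=True)
class Packet:  # hypothetical record type for one log line
    kind: str    # "SENT" or "RCVD"
    t: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ipid: int    # IP identification field, used to spot our own probe echoed back


def parse_log(text: str) -> List[Packet]:
    """Parse SENT/RCVD lines; banner and blank lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkts.append(Packet(m["kind"], float(m["t"]), m["proto"], m["src"],
                           int(m["sport"]), m["dst"], int(m["dport"]), int(m["ipid"])))
    return pkts


Filter = Callable[[Packet], bool]


def loose_filter(dport: int) -> Filter:
    """Any UDP datagram to dport, in either direction: the behaviour the report's output shows."""
    return lambda p: p.proto == "UDP" and p.dport == dport


def reply_filter(local_ip: str, local_port: int, target_ip: str, target_port: int) -> Filter:
    """Only a UDP datagram from the probed target port back to our source address and port.
    (An ICMP port-unreachable from the target would need a separate clause; not covered here.)"""
    return lambda p: (p.proto == "UDP" and p.src == target_ip and p.sport == target_port
                      and p.dst == local_ip and p.dport == local_port)


def bpf_reply_expression(local_ip: str, local_port: int, target_ip: str, target_port: int) -> str:
    """The same reply predicate as a pcap/BPF filter string in tcpdump syntax."""
    return (f"udp and src host {target_ip} and src port {target_port} "
            f"and dst host {local_ip} and dst port {local_port}")


def received_matching(pkts: List[Packet], flt: Filter) -> List[Packet]:
    """RCVD lines that a given capture filter would have let through."""
    return [p for p in pkts if p.kind == "RCVD" and flt(p)]


def echoed_own_probes(pkts: List[Packet]) -> List[Packet]:
    """RCVD lines that are our own SENT probes seen again (same 5-tuple and IP ID)."""
    sent = {(p.src, p.sport, p.dst, p.dport, p.ipid) for p in pkts if p.kind == "SENT"}
    return [p for p in pkts if p.kind == "RCVD"
            and (p.src, p.sport, p.dst, p.dport, p.ipid) in sent]


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    loose = received_matching(pkts, loose_filter(53))
    strict = received_matching(pkts, reply_filter("192.168.1.4", 53, "64.13.134.48", 53))
    print(f"loose filter (udp dst port 53) passes {len(loose)} RCVD lines")
    print(f"reply filter passes {len(strict)} RCVD lines")
    print(f"own probes echoed back: {[p.ipid for p in echoed_own_probes(pkts)]}")
    print("equivalent BPF:", bpf_reply_expression("192.168.1.4", 53, "64.13.134.48", 53))
```

Run against the quoted log, the loose predicate accepts all eight RCVD lines (two of them are our own probes, identified by their IP ID, and the rest are the host's resolver traffic to the Google and root name servers), while the reply predicate accepts none, which is the "100% loss" the unprivileged run reported and what David's reply says is typical for UDP ping.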