Nmap Development mailing list archives

Re: Weird Crash - "WAITING_TO_RUNNING"

From: Rob Nicholls <robert () robnicholls co uk>
Date: Mon, 08 Nov 2010 22:33:49 +0000

On Mon, 8 Nov 2010 14:40:07 -0700, Nathan <nathan.stocks () gmail com>wrote:

We believe that many of the connections we are scanning are satellite
Internet connections (some of our clients are retail stores or
restaurants, and they tend to have exotic ways to connect to the
Internet).  I speculate that perhaps the inbound routers for these
high-latency connections tend to proxy stuff...which may or may not
have anything to do with anything.  But I though I'd throw it out
there.

Is it possible that a Performance Enhancing Proxy is sending back theSYN/ACK you're seeing if the satellite connection gets busy (which mightbe why scanning the top 100 ports works in many cases, as it might bebelow the threshold required for the proxy to kick in)? I get theimpression that such a proxy will always return a SYN/ACK even though ithas no idea what the state is of the port at the other end (it probablyhopes/assumes that most requests are legitimate ones from authorisedhosts for known open ports?), which is why Nmap sees the SYN/ACK andassumes that the port is open - because the PEP claims that it is. It'spossible that the PEP eventually returns a RST from the end device forclosed ports, but Nmap would discount that packet as it's alreadyperform the SYN scan. Even a full three way handshake wouldn't fix thescan results. Your best bet for accurate results is probably to slowdown the scan to prevent the PEP from kicking in (if it's always presentthen you'll never get around it and always get false positives; Nmapcould possibly check for RST packets afterwards, but filtered portswould probably still look open). Do you get accurate results with a muchlarger scan delay? I appreciate it'd take a day or so to scan, but canyou try a scan delay of 1 second rather than 1ms? I presume you'd knowprety quickly (e.g half way) if it was identifying loads of open portslike before.


Rob

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: Weird Crash - "WAITING_TO_RUNNING", (continued)
- - - Re: Weird Crash - "WAITING_TO_RUNNING" David Fifield (Nov 02)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Nathan (Nov 03)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Patrick Donnelly (Nov 03)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Nathan (Nov 03)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Nathan (Nov 03)
    - Re: Weird Crash - "WAITING_TO_RUNNING" David Fifield (Nov 03)
    - Re: Weird Crash - "WAITING_TO_RUNNING" David Fifield (Nov 03)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Patrick Donnelly (Nov 03)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Nathan (Nov 08)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Nathan (Nov 08)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Rob Nicholls (Nov 08)
    - Re: Weird Crash - "WAITING_TO_RUNNING" David Fifield (Nov 05)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Nathan (Nov 08)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Nathan (Nov 08)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Patrick Donnelly (Nov 08)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Nathan (Nov 08)
    - Re: Weird Crash - "WAITING_TO_RUNNING" David Fifield (Nov 09)
    - Re: Weird Crash - "WAITING_TO_RUNNING" David Fifield (Nov 12)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Nathan (Nov 15)
    - Message not available
    - Fwd: Re: Weird Crash - "WAITING_TO_RUNNING" (Action Required) Nathan (Nov 15)
    - Re: Weird Crash - "WAITING_TO_RUNNING" Nathan (Nov 15)

(Thread continues...)