Nmap Development mailing list archives

Re: Host timeouts on large SYN scans


From: David Fifield <david () bamsoftware com>
Date: Fri, 21 Sep 2012 08:36:29 -0700

On Fri, Sep 21, 2012 at 01:03:59PM +0200, pierre.lalet () cea fr wrote:
> I run scans on a LAN / fast WAN with "-iL -" and an external script
> feeds the targets in a random order when select() says nmap's stdin
> is ready.
>
> "--host-timeout" is set to "15m" or "60m"
>
> After running a Ping scan against 4096 targets, nmap runs a
> succession of (SYN, Service, Traceroute, NSE) scans against
> "hostgroups".
>
> The first hostgroup has 4 hosts, and all the next ones have 64 (or
> whatever specified with --max-hostgroup). At first everything works
> pretty fine, but after a few hostgroups (5 to 10), all the "SYN
> Stealth Scan" tasks end with "XX hosts timed out" (with XX the size
> of the hostgroup).

When does this happen? Is it 15m after the start of the entire scan, or
15m after the start of the hostgroup? Or something else?

Sometimes SYN scans can go slowly enough that they reach a host timeout.
You can try the option --defeat-rst-ratelimit as RST rate limiting is
the most likely thing to severely slow down a SYN scan. It's strange
that it happens to the whole group at once, though. It might be a bug
with stopping and restarting the timeout timers.

Can you show us the rest of the command line you are using?

Does this same thing happen if you write 4096 IP addresses in random
order to a file, and then read -iL from that file?

David Fifield