Penetration Testing mailing list archives
RE: Discovery Scanning Issues
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Sun, 8 Jan 2006 09:08:57 +1100
My experience is: Many DSL modems run a embedded linux OS that performs the routing, NATing firewalling etc. Generally, iptables are used, with the ip_conntrack modules used for NATing. Due to memory constraints, many DSL devices only have a limited ip_conntrack pool size by default, somewhere between 512 and 1024 connections, afaik. Also many DSL modems use a long timeout for established contrack routes, often 2-5 days. These factors combine to affect many things, such as bittorrents and some other P2P traffic as well, not just nmap. Googling on DSl ip_conntrack, and bit torrents is usually a good pointer ideas, issues for your modem make/model. I've found 2 workarounds that complement each other: Use the -T Polite setting in nmap. This slows down the number of new routes/sec (source IP:port, dest IP:port) created by nmap, and allows some ip_conntracks to expire and thus be reused Access the modem's command line e.g. via telnet, and tune the ip_conntrack settings e.g E.g on a D-Link 604T, these commands raise the ip_conntrack limit to 2048, and reduces various timeouts significantly from the default firmware settings. Depending on the amout of free RAM, you may be limited to 1024, or more than 2048 - experiment and see if the modem still works, if not, reboot/power cycle, and try different settings. Your milaeage may vary significantly. echo 2048 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max echo 50 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout echo 5 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait echo 1200 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait echo 10 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo 180 > /proc/sys/net/ipv4/tcp_keepalive_intvl Of course, some DSL modems allow you to upload a custom firmware on Linux OS distro, which would then allow you to tune the default parameters for your purposes. I've not done this due to the time and learning curve involved, but reportedly, some have had success with building and installing their own firmware. On other option, that often more disruption to your internal network, is to use a 'dumber' USB-based DSL modem, and have your test box mangage all the DSL network connectivity, ip_conntrack pools etc. This works, as long as your test box is running a good firewall itself against external attacks. The test box then becomes 'misison critical' in terms of your internet access for other machies on the internal network. Lyal -----Original Message----- From: kataka () hush com [mailto:kataka () hush com] Sent: Sunday, 8 January 2006 2:48 AM To: pen-test () securityfocus com Subject: DSL: Discovery Scanning Issues DSL was finally brought to where I live, and I have started experimenting with discovery scans using Nmap. The problem is, if I try and scan for more than 1024 ports on a single host, my cheep-o Zoom DSL router/modem/switch/thingy starts to flake out, in the sense I can't ping my DSL router any more and I loose connectivity to the Internet until I reset the router. I believe this is because Nmap is filling up my router's NAT pool or something. I've looked at the config of the router and it's only got a 1024 connection NAPT port limit that cannot be adjusted and timeouts measured in seconds as opposed to ms. What should I do? Are other people with low-end DSL routers able to overcome this problem? Should I look at getting a better router, if so, what kind? Or, is it best to not scan through NAT and assign my Internet Routable IP to my scanning box directly? If so, how would this work under DSL, would I need to buy some kind of an Ethernet to RJ-11 adapter card, configure routing, install PPP encapsulation software on the box itself? Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 ---------------------------------------------------------------------------- -- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ---------------------------------------------------------------------------- --- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- DSL: Discovery Scanning Issues kataka (Jan 07)
- Re: Discovery Scanning Issues Carlos A. Morillo (Jan 07)
- Re: DSL: Discovery Scanning Issues gat0r (Jan 07)
- Re: DSL: Discovery Scanning Issues Lynx (Jan 07)
- RE: Discovery Scanning Issues Lyal Collins (Jan 07)
- RE: Discovery Scanning Issues Lyal Collins (Jan 07)