Re: DOS on inetd w/ nmap

[dufresne () WINTERNET COM (Ron DuFresne)]

I'm looking now and finding the most current beta is Nmap 2.30BETA21 ,
newer even then the 2.3BETA5 over here played with most recently.  This
version on our end reports none of the newer -T flaggettes either.

Thanks,

Ron DuFresne

On Tue, 25 Apr 2000, Clifford, Shawn A wrote:

> I have nmap version 2.12 (the latest stable version), and 'nmap -h' doesn't
> show me those options for -T.  To be fair, I didn't read through the man
> page for nmap in any detail before launching my scans.
>
> I did try variations of -sT, -sS, -sN, -P0, etc., along with -p 1- to scan
> all ports.
>
> I can try again against a test SGI with some of the options you mention, but
> it sounds like I will need to  get a beta version of nmap.
>
> Also, will this make connections without sending data, or simply slow the
> rate of connections?
>
> For that matter, if I slow the connection rate down so that it doesn't crash
> inetd, then I might as well use netcat.
>
> There are 2 components, as I see it, that crash SGIs:
>       1)  Too many connections to inetd in a short amount of time
>       2)  Sending too much data to a service being "scanned".  NetCat has
> -z option, which is for "zero-I/O mode [used for scanning]"
>
> In any event, the purpose of my post wasn't really to find out how to use
> nmap, but to point out that: a) inetd is still very susceptible to DoS on a
> lot of machines (I crashed about 20-30 machines), and b) if used in what I
> consider to be the obvious manner, nmap is about as stealthy as a sledge
> hammer.  Although I'm using it to legitimately scan for Web servers, not for
> covert scans, some of you may care about the rather huge signature.
>
> I'll see if I can find a way to scan SGIs with nmap w/o crashing them and
> still maintain the performance advantage, and will report my findings to the
> list.
>
> -- Shawn
>
>
> > > Nmap is about 4 times faster, as it turns out, for doing
> > port scans, but it
> > > has this nasty side-effect.  It also seems to be sending
> > data, as it not
> > > only crashes inetd on IRIX, but it also crashes some service called
> > > 'sgi_fam' with an enormous amount of data.
> >
> > nmap -h:
> > --cut---
> >   -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
> > General timing policy
> > --cut---
> >
> > wont this help? Am I missing the point?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.