Nmap Announce mailing list archives
Re: distributed nmap?
From: "Frasnelli, Dan" <dfrasnel () corewar com>
Date: Sun, 19 Mar 2000 16:05:55 -0800 (PST)
> That sounds like a great idea, but it could backfire on Fyodor. The distributed method sounds a lot like the DDoS tools that have gotten so much publicity. Many people who do not understand nmap may consider this new feature a threat.
Done properly, it would not have to appear as such.

For example.. a common tactic I use when probing a network is to open a few xterms with sessions on 3-4 boxes not in the same netblock. Each host has an nmap session queued up; each session has only a couple ports to scan. So on one, I might have 'nmap -sS -P0 -p 22,79 [ip]', the other might have 'nmap -sS -P0 -p 113,139 [ip]', etc. which are cron'd to run an hour or more apart.

Most nids do not offer trend analysis over that timespan (and with a major service provider with thousands of hits per second, this is impractical), so the scan slips under the wire.

Covert network discovery is largely a directed search - scans are done for a limited set of services. Script kiddies or someone doing a complete audit tend to scan the full range of ports.. more detectable and depending on the number of hosts involved, a 'distributed attack'.

A slick distributed method could be useful.. but the implications of being like a ddos depends on the operator.

-- Dan Frasnelli
Security analyst
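The trend analysis the message says most NIDS lack, as an added detection example that is not part of the original post: a per-source short-window threshold is compared with a per-target 24-hour view that groups sources by /24. The log tuple format, thresholds, function names and sample rows are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample: unanswered inbound SYNs as (time, src, dst, dst_port).
# Addresses are documentation ranges (RFC 5737); ports mirror the message.
SAMPLE = [
    ("2000-03-19 01:00", "192.0.2.10",   "203.0.113.5", 22),
    ("2000-03-19 01:00", "192.0.2.10",   "203.0.113.5", 79),
    ("2000-03-19 02:30", "198.51.100.7", "203.0.113.5", 113),
    ("2000-03-19 02:30", "198.51.100.7", "203.0.113.5", 139),
    ("2000-03-19 03:00", "192.0.2.99",   "203.0.113.9", 80),  # unrelated single hit
]

def parse(rows):
    """Return events sorted by time with parsed timestamps."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), s, d, p) for t, s, d, p in rows)

def per_source_burst(rows, window=timedelta(minutes=5), min_ports=4):
    """Classic threshold: one source touching many ports on a host in a short window."""
    ev, hits = parse(rows), set()
    for i, (t0, src, dst, _) in enumerate(ev):
        ports = {p for t, s, d, p in ev[i:] if s == src and d == dst and t - t0 <= window}
        if len(ports) >= min_ports:
            hits.add((src, dst))
    return hits

def per_target_trend(rows, window=timedelta(hours=24), min_ports=4, min_blocks=2):
    """Trend view: per destination, distinct ports and source /24s over a long window."""
    ev, found = parse(rows), {}
    for i, (t0, _, dst, _) in enumerate(ev):
        inwin = [(s, p) for t, s, d, p in ev[i:] if d == dst and t - t0 <= window]
        ports = {p for _, p in inwin}
        blocks = {str(ip_network(f"{s}/24", strict=False)) for s, _ in inwin}
        if len(ports) >= min_ports and len(blocks) >= min_blocks and dst not in found:
            found[dst] = (sorted(ports), sorted(blocks))
    return found

if __name__ == "__main__":
    print("burst alerts:", per_source_burst(SAMPLE))  # nothing crosses the per-source threshold
    print("trend alerts:", per_target_trend(SAMPLE))  # the target's long-window view does
```

Keeping per-target state for 24 hours is the cost the message calls impractical at provider scale; restricting the input to unanswered SYNs aimed at a watch list of sensitive hosts is one way to bound it.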