Nmap Development mailing list archives
nmap-3.7x MUCH slower than nmap-3.55 against firewalled hosts
From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 15 Dec 2004 14:00:28 +0100
The difference is really huge - it is HOURS with 3.55 versus DAYS with 3.7[58] against firewalled C block.

Quick look at the generated traffic suggests that the problem is when the target rate-limits outgoing ICMP unreachables (admin prohibited) which is well handled by nmap-3.55's algorithm but sloppily handled by nmap-3.7[58] (which is heavily retransmitting in that case).

I've come across 2 different networks this week which exhibit this behaviour and my well experienced colleague tells me that this behaviour is very common.

Possible workaround would be some cmdline options for better limiting the retransmission (setting --max_scan_delay is *by far* not enough to achieve nmap-3.55's speed, I would at least like to see an option for limiting max_successful_tryno) with sensible defaults but I would definitely like the nmap-3.55 behaviour which is much more clever in that case (from looking at the packet trace).

Example (53 seconds versus 1214 seconds):

% nmap -vvv -F -sS TARGET
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-12-15 13:15 CET
Host TARGET (TARGET) appears to be up ... good.
Initiating SYN Stealth Scan against TARGET (TARGET) at 13:15
Adding open port 53/tcp
Adding open port 22/tcp
Adding open port 25/tcp
Adding open port 3128/tcp
The SYN Stealth Scan took 53 seconds to scan 1220 ports.
Interesting ports on TARGET (TARGET):
(The 1214 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   closed http
443/tcp  closed https
3128/tcp open   squid-http

Nmap run completed -- 1 IP address (1 host up) scanned in 53.328 seconds

% nmap -vvv -F -sS TARGET
Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2004-12-15 13:20 CET
Initiating SYN Stealth Scan against TARGET (TARGET) [1223 ports] at 13:20
Discovered open port 25/tcp on TARGET
Discovered open port 22/tcp on TARGET
Discovered open port 53/tcp on TARGET
Increasing send delay for TARGET from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for TARGET from 5 to 10 due to max_successful_tryno increase to 5
Increasing send delay for TARGET from 10 to 20 due to max_successful_tryno increase to 6
Increasing send delay for TARGET from 20 to 40 due to max_successful_tryno increase to 7
Increasing send delay for TARGET from 40 to 80 due to max_successful_tryno increase to 8
Increasing send delay for TARGET from 80 to 160 due to max_successful_tryno increase to 9
Increasing send delay for TARGET from 160 to 320 due to 11 out of 18 dropped probes since last increase.
SYN Stealth Scan Timing: About 4.88% done; ETC: 13:30 (0:09:46 remaining)
Increasing send delay for TARGET from 320 to 640 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for TARGET from 640 to 1000 due to 11 out of 20 dropped probes since last increase.
SYN Stealth Scan Timing: About 52.89% done; ETC: 13:39 (0:09:11 remaining)
Discovered open port 3128/tcp on TARGET
The SYN Stealth Scan took 1214.00s to scan 1223 total ports.
Host TARGET (TARGET) appears to be up ... good.
Interesting ports on TARGET (TARGET):
(The 1217 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   closed http
443/tcp  closed https
3128/tcp open   squid-http

Nmap run completed -- 1 IP address (1 host up) scanned in 1214.118 seconds

I can make a packet capture and upload it somewhere if needed or provide any other info/test you want.

Martin Mačok
IT Security Consultant

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org .
List archive: http://seclists.org
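
Added example (not part of the message above and not nmap code): a small Python parser for the "Increasing send delay" lines of the 3.78 run, separating back-off steps triggered by max_successful_tryno increases from those triggered by dropped probes. The function names and the hit_ceiling heuristic are assumptions made for this example; the sample lines are copied from the output quoted in the message.

```python
import re

# Verbose lines copied from the nmap 3.78 run quoted in the message above.
SAMPLE = """\
Increasing send delay for TARGET from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for TARGET from 5 to 10 due to max_successful_tryno increase to 5
Increasing send delay for TARGET from 10 to 20 due to max_successful_tryno increase to 6
Increasing send delay for TARGET from 20 to 40 due to max_successful_tryno increase to 7
Increasing send delay for TARGET from 40 to 80 due to max_successful_tryno increase to 8
Increasing send delay for TARGET from 80 to 160 due to max_successful_tryno increase to 9
Increasing send delay for TARGET from 160 to 320 due to 11 out of 18 dropped probes since last increase.
SYN Stealth Scan Timing: About 4.88% done; ETC: 13:30 (0:09:46 remaining)
Increasing send delay for TARGET from 320 to 640 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for TARGET from 640 to 1000 due to 11 out of 20 dropped probes since last increase.
"""

DELAY_RE = re.compile(r"Increasing send delay for (\S+) from (\d+) to (\d+) due to (.+)")
TRYNO_RE = re.compile(r"max_successful_tryno increase to (\d+)")
DROP_RE = re.compile(r"(\d+) out of (\d+) dropped probes")

def parse_backoff(text):
    """Return one dict per 'Increasing send delay' line, in order of appearance."""
    steps = []
    for line in text.splitlines():
        m = DELAY_RE.search(line)
        if not m:
            continue  # timing estimates, port discoveries, etc.
        host, old, new, reason = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        tryno, drop = TRYNO_RE.search(reason), DROP_RE.search(reason)
        steps.append({
            "host": host, "from": old, "to": new,
            "tryno": int(tryno.group(1)) if tryno else None,
            "drop_ratio": int(drop.group(1)) / int(drop.group(2)) if drop else None,
        })
    return steps

def summarize(steps):
    """Condense the back-off history; hit_ceiling is a heuristic (last step less than a doubling)."""
    trynos = [s["tryno"] for s in steps if s["tryno"] is not None]
    drops = [s["drop_ratio"] for s in steps if s["drop_ratio"] is not None]
    last = steps[-1] if steps else None
    return {
        "final_delay": last["to"] if last else 0,
        "tryno_steps": len(trynos), "max_tryno": max(trynos, default=None),
        "drop_steps": len(drops), "worst_drop_ratio": max(drops, default=None),
        "hit_ceiling": bool(last) and last["from"] > 0 and last["to"] < 2 * last["from"],
    }

if __name__ == "__main__":
    print(summarize(parse_backoff(SAMPLE)))
```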