Nmap Development mailing list archives

Re: [updated patch] Re: fragment scan got broken between 3.50 and 3.75


From: Martin Mačok <martin.macok () underground cz>
Date: Mon, 31 Jan 2005 12:31:32 +0100

On Mon, Jan 31, 2005 at 10:36:51AM +0100, Martin Mačok wrote:

defeat_ICMP_ratelimit - This will certainly speed things up, but there
                        is a risk of decreasing accuracy.

1) Nmap-3.7x with this patch is not less accurate than stock Nmap-3.5x

2) Nmap-3.7x without this patch is much too slow against ratelimited
   ICMP DU (1 port costs 1 second), Nmap-3.5x is fast (in my opinion,
   Nmap-3.7x is almost unusable because of this behaviour - it is
   *seconds* with 3.5x versus *hours* with 3.7x while getting the same
   results in both cases)

3) ratelimited ICMP DU is common (almost every TCP/IP stack except
   Microsoft Windows implements it) and RFC-recommended behaviour

4) without the patch, scanning hosts where "filtered == DROP" is much
   faster than those where "filtered == REJECT" which is at least
   'unexpected' behaviour

5) with this patch, IF there is a host where "filtered == REJECT" and
   Nmap misses some open port THEN Nmap without this patch against
   the same host with "filtered == DROP" would miss it too

I don't see the risk, and even if there theoretically is one, that kind
of slowness is not worth it IMHO.

I could implement something along the lines of
"--do_not_defeat_ICMP_ratelimit" though...

Martin Mačok
ICT Security Consultant

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
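The timing argument in points 2), 4) and 5) above can be made concrete with a small round-based model of a parallel SYN scan. This is an added, constructed example; it is not Nmap code and not Martin's patch. It assumes the target emits at most one ICMP destination-unreachable per second (the rate the mail quotes), that the scanner waits one second per round of probes, and that a scanner which "waits for ICMP" keeps retransmitting unanswered probes for as long as the host is still answering something, while the "defeat ratelimit" strategy uses a fixed retry budget and classifies whatever is still silent as filtered. Those stopping rules are the model's assumptions, not a description of the real Nmap algorithm.

```python
"""Toy timing model: parallel SYN scan against a host with rate-limited
ICMP unreachables. Constructed example; not Nmap's or the patch's code."""
from dataclasses import dataclass

PROBE_TIMEOUT = 1.0   # seconds the scanner waits for answers to one round (assumed)
ICMP_INTERVAL = 1.0   # target sends at most one ICMP unreachable per second (from the mail)
MAX_RETRIES = 3       # retransmission rounds before silence means "filtered" (assumed)


@dataclass
class Target:
    """port -> 'open' (answers SYN/ACK), 'reject' (ICMP unreachable), 'drop' (silence)."""
    ports: dict
    next_icmp_at: float = 0.0   # earliest time the ICMP rate limiter allows a reply

    def answer(self, port: int, now: float):
        """Reply to a probe sent at time `now`, or None if the host stays silent."""
        state = self.ports[port]
        if state == "open":
            return "open"                       # SYN/ACK is never rate-limited
        if state == "reject" and now >= self.next_icmp_at:
            self.next_icmp_at = now + ICMP_INTERVAL   # one ICMP token consumed
            return "filtered"                   # ICMP admin-prohibited / unreachable
        return None                             # DROP, or ICMP eaten by the limiter


def scan(target: Target, defeat_ratelimit: bool):
    """Send all pending probes each round; return (port -> state, elapsed seconds)."""
    result = {}
    pending = sorted(target.ports)
    now, rounds = 0.0, 0
    while pending:
        answered = [p for p in pending if (r := target.answer(p, now)) and result.setdefault(p, r)]
        pending = [p for p in pending if p not in answered]
        rounds += 1
        now += PROBE_TIMEOUT
        if not pending:
            break
        if defeat_ratelimit:
            # Fixed retry budget: stop after MAX_RETRIES retransmission rounds.
            if rounds > MAX_RETRIES:
                break
        elif not answered and rounds > MAX_RETRIES:
            # "Wait for ICMP": as long as the host keeps answering (one ICMP per
            # second), every round looks productive and the scanner keeps going.
            break
    for port in pending:
        result[port] = "filtered"   # silent after the retry budget
    return result, now


def make_target(kind: str, n: int = 20) -> Target:
    """Constructed host: port 22 open, n further ports all 'reject' or 'drop'."""
    ports = {22: "open"}
    ports.update({1000 + i: kind for i in range(n)})
    return Target(ports)


def compare(kind: str, n: int = 20):
    """Run both strategies against a fresh host; returns {strategy: (result, elapsed)}."""
    out = {}
    for name, flag in (("wait_for_icmp", False), ("defeat_ratelimit", True)):
        out[name] = scan(make_target(kind, n), flag)
    return out


if __name__ == "__main__":
    for kind in ("reject", "drop"):
        for name, (res, elapsed) in compare(kind).items():
            opened = sorted(p for p, s in res.items() if s == "open")
            print(f"filtered=={kind.upper():6} {name:17} open={opened} elapsed={elapsed:.0f}s")
```

With 20 REJECT ports the "wait for ICMP" strategy needs 20 rounds (one ICMP per second, so one port resolved per round: the "1 port costs 1 second" of point 2), while the same host that DROPs finishes after the fixed retry budget; that is the asymmetry of point 4. The defeat strategy finishes both hosts in the same time, and in every run the set of ports classified open is identical, because SYN/ACKs are not subject to the ICMP limiter at all, which is the substance of point 5.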