Nmap Development mailing list archives
Re: nmap 4: Still no MSS in SYN scans?
From: Fyodor <fyodor () insecure org>
Date: Thu, 2 Feb 2006 18:21:52 -0800
On Wed, Feb 01, 2006 at 02:01:41PM +0100, Juergen Schmidt wrote:
> in November I reported that nmap SYN scans can be easily detected and blocked, because they do not set TCP MSS. All TCP/IP implementations I checked do set MSS on the initial SYN packet of a new TCP connection.
Interesting point. I decided to see just how rare SYN packets w/o TCP options are, so I sniffed my webserver for a few minutes to collect just over 10,000 SYN packets. Of those, here are the top 15 option combinations:

  2073 <mss 1460,nop,nop,sackOK>
   777 <mss 1452,nop,wscale 2,nop,nop,sackOK>
   169 <mss 1460>
   160 <mss 1452,nop,nop,sackOK>
   150 <mss 1460,nop,nop,sackOK,nop,wscale 2>
    91 <mss 1260,nop,nop,sackOK>
    47 <mss 1412,nop,nop,sackOK>
    47 <mss 1380,nop,nop,sackOK>
    38 <mss 1460,nop,wscale 0,nop,nop,sackOK>
    29 <mss 1440,nop,nop,sackOK>
    25 <mss 1414,nop,nop,sackOK>
    24 <mss 1460,nop,wscale 2,nop,nop,sackOK>
    23 <mss 1440,nop,wscale 2,nop,nop,sackOK>
    21 <mss 1460,nop,nop,sackOK,nop,wscale 0>
    18 <mss 1420,nop,nop,sackOK>

I didn't see a single no-option packet during the whole period. Adding this option will make each IP packet 10% bigger (44 bytes rather than 44), but that shouldn't hurt performance noticeably in the vast majority of cases.

So I have added the TCP options <mss 1460> ("\x02\x04\x05\xb4") each time Nmap sends a packet with SYN set (including SYN/ACK), except for OS detection (which has always used a different set of options), for the next version of Nmap. If someone has a better/alternative idea, speak up! mss 1460 is common enough that it shouldn't raise any flags, yet a little shorter than the most common (mss, nop, nop, sackOK) combination above.

Changelog:

o Whenever Nmap sends packets with the SYN bit set (except for OS detection), it now includes the maximum segment size (MSS) tcp option with a value of 1460. This makes it stand out less as almost all hosts set at least this option. Thanks to Juergen Schmidt (ju(a)heisec.de) for the suggestion.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
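The option-field decoding behind both Juergen's observation and Fyodor's tally, as an added example that is not Nmap code or anything posted in this thread: it parses a raw TCP option field, renders it in the tcpdump-style notation used above, and flags a SYN that carries no MSS option. The sample byte strings are constructed to match the combinations quoted in the message (`\x02\x04\x05\xb4` is the kind/length/value encoding of mss 1460).

```python
import struct

# TCP option kinds that appear in the capture summary above.
KIND_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}


def parse_tcp_options(opts):
    """Return (kind, payload) pairs; EOL ends parsing, bad lengths raise ValueError."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list: nothing meaningful follows
            break
        if kind == 1:            # NOP is a lone padding byte with no length field
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d is missing its length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # would loop forever or overrun the buffer
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def summarize(opts):
    """Render options the way the thread lists them, e.g. '<mss 1460,nop,nop,sackOK>'."""
    parts = []
    for kind, payload in parse_tcp_options(opts):
        name = KIND_NAMES.get(kind, "opt-%d" % kind)
        if kind == 2 and len(payload) == 2:        # MSS carries a 16-bit big-endian value
            name += " %d" % struct.unpack("!H", payload)[0]
        elif kind == 3 and len(payload) == 1:      # window scale carries a 1-byte shift count
            name += " %d" % payload[0]
        parts.append(name)
    return "<" + ",".join(parts) + ">" if parts else "<no options>"


def lacks_mss(opts):
    """True for a SYN with no MSS option: the trait that made the old Nmap SYN scan stand out."""
    return all(kind != 2 for kind, _ in parse_tcp_options(opts))


# Constructed samples: what Nmap now sends, the most common combination from
# the capture above, and an option-less SYN (the previous Nmap behaviour).
NMAP_MSS_ONLY = b"\x02\x04\x05\xb4"
COMMON_SACK = b"\x02\x04\x05\xb4\x01\x01\x04\x02"
NO_OPTIONS = b""
```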
Current thread:
- nmap 4: Still no MSS in SYN scans? Juergen Schmidt (Feb 01)
- Re: nmap 4: Still no MSS in SYN scans? Fyodor (Feb 02)
- Re: nmap 4: Still no MSS in SYN scans? Richard Moore (Feb 03)
- Re: nmap 4: Still no MSS in SYN scans? Fyodor (Feb 02)