Nmap Development mailing list archives
Re: "tcpwrapped" false positives
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 3 Feb 2015 12:58:55 -0600
On Tue, Feb 3, 2015 at 12:09 PM, <nnposter () users sourceforge net> wrote:
Daniel Miller wrote:Second, I'm not sure that 2 seconds is an appropriate time. Here's how a tcpwrappers rejection works, and why it's not an instant rejection: 1. We open a TCP connection to the host. I'm not certain of whether the handshake time counts toward the time left for the probe, but I think it does, since Nsock is asynchronous. 2. The host checks our address against its black- and white-lists. This oftentimes requires a reverse DNS lookup, and may even include an ident lookup. This is the primary source of delay. 3. The host resets the connection: half a round-trip for the RST packettoreach us.I understand Dan's reasoning but the reality is that there is no substantial wiggle room if 2 seconds is deemed not enough and 5 is definitely too much. If arbitrarily adopting a mid-point of 3-4 seconds is not palatable then it might be worth contemplating a question whether the value of having this heuristic detection of TCP wrappers is worth the mis-detections of impatient services. To put it bluntly, would it be worth supporting a 25 years old relic at the expense of not supporting more prevalent services?
Maybe we can compromise: have a short timeout which allows short-circuiting the fingerprint process, like your patch implements; but also apply the "tcpwrapped" designation if all the remaining probes receive a RST before the longer totalwaitms. If we wanted to get really fancy, we could have a stepped-down timeout based on the rarity of the probe: As more and more probes get sent (in order of rarity), the threshold for a RST to be considered "tcpwrapped" goes up with it. Since the major point of concern is the NULL probe (rarity 0), that gets the shortest threshold, meaning a service must have a very short timeout indeed to result in false "tcpwrapped" designation. Do you think either of these would be a good approach? Dan
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- "tcpwrapped" false positives nnposter (Jan 02)
- Re: "tcpwrapped" false positives Daniel Miller (Jan 14)
- Re: "tcpwrapped" false positives nnposter (Feb 03)
- Re: "tcpwrapped" false positives Daniel Miller (Feb 03)
- Re: "tcpwrapped" false positives Daniel Miller (Feb 04)
- Re: "tcpwrapped" false positives nnposter (Feb 03)
- Re: "tcpwrapped" false positives Daniel Miller (Jan 14)