Vulnerability Development mailing list archives

Re: DOS on inetd w/ nmap


From: john.bock () MARCHFIRST COM (John Bock)
Date: Tue, 25 Apr 2000 10:04:28 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Perhaps there is a way to make nmap
"low-and-slow"?

Have you tried using any of the timing options?
From the man page:

       TIMING OPTIONS
              Generally Nmap does a good job at adjusting for network characteristics at runtime and scanning as fast as possible while minimizing the chances of hosts/ports going undetected. However, there are some cases where Nmap's default timing policy may not meet your objectives. The following options provide a fine level of control over the scan timing:

       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
              These are canned timing policies for conveniently expressing your priorities to Nmap. Paranoid mode scans very slowly in the hopes of avoiding detection by IDS systems. It serializes all scans (no parallel scanning) and generally waits at least 5 minutes between sending packets. Sneaky is similar, except it only waits 15 seconds between sending packets. Polite is meant to ease load on the network and reduce the chances of crashing machines. It serializes the probes and waits at least 0.4 seconds between them. Normal is the default Nmap behaviour, which tries to run as quickly as possible without overloading the network or missing hosts/ports. Aggressive mode adds a 5 minute timeout per host and it never waits more than 1.25 seconds for probe responses. Insane is only suitable for very fast networks or where you don't mind losing some information. It times out hosts in 75 seconds and only waits 0.3 seconds for individual probes. It does allow for very quick network sweeps though :). You can also reference these by number (0-5). For example, '-T 0' gives you Paranoid mode and '-T 5' is Insane mode.

Please respond to "Clifford, Shawn A" <shawn.a.clifford () LMCO COM>

To:  VULN-DEV () SECURITYFOCUS COM
cc:  (bcc: John Bock/Whittman-Hart LP)

Subject:  DOS on inetd w/ nmap

Hi All,

The problem is that inetd will abort when too many connections are made.
This is an old problem that appears to still be a problem even on some newer
OSes, specifically IRIX (*all* 6.2-6.5, others?), some HP-UX (B.10.20, but
only on some machines... dunno why), and of course old SunOS 4.1.3/4.1.4
machines (only some!).  You must then log on at the console (unless you had
a remote window open to the machine prior to inetd exiting) and either
restart inetd or reboot the machine.

I was fiddling with the 'httpd_scan.pl' script that I posted a while back,
which is predicated on NetCat for the port scanning and for sending http
GETs to possible servers, when I thought I would substitute 'nmap' for 'nc'
in my script.

Nmap is about 4 times faster, as it turns out, for doing port scans, but it
has this nasty side-effect.  It also seems to be sending data, as it not
only crashes inetd on IRIX, but it also crashes some service called
'sgi_fam' with an enormous amount of data.

/var/adm/SYSLOG entry:
Apr  5 18:30:43 3D:node famd: fd 10 message length 1212498244 bytes exceeds max of 1064.

What's doubly annoying about this is that nmap is such a good tool,
otherwise, and is being promoted by SANS as a tool of choice.  Clearly
crashing inetd isn't very subtle.  Perhaps there is a way to make nmap
"low-and-slow"?

Although netcat is much slower, and doesn't have the fingerprinting
capability of nmap, I will have to keep using 'nc' for my Web server scans.

Regards,
-- Shawn

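An added worked example, not from either poster, that parses the famd syslog line quoted above and renders the rejected "message length" as the four bytes famd would have read if it treats the first 32 bits of a client message as a big-endian length prefix (that framing is an assumption of the example, not something the post states). The value 1212498244 is 0x48454144, the ASCII bytes "HEAD", so the log line is consistent with an HTTP request line hitting the fam port rather than a genuinely enormous payload.

```python
import re
import struct

# Constructed sample log: the famd line quoted in the post plus one
# unrelated line, so the parser can be exercised offline.
SAMPLE_LOG = """\
Apr  5 18:30:43 3D:node famd: fd 10 message length 1212498244 bytes exceeds max of 1064.
Apr  5 18:30:44 3D:node inetd[123]: some unrelated message
"""

FAMD_RE = re.compile(
    r"famd: fd (?P<fd>\d+) message length (?P<length>\d+) bytes "
    r"exceeds max of (?P<max>\d+)"
)


def length_as_bytes(length: int):
    """Big-endian 32-bit rendering of the rejected length, or None if it
    does not fit in 32 bits (assumed framing; see lead-in)."""
    if not 0 <= length <= 0xFFFFFFFF:
        return None
    return struct.pack(">I", length)


def looks_like_text(raw: bytes) -> bool:
    """True when every byte is printable ASCII (a hint the 'length' was data)."""
    return all(0x20 <= b < 0x7F for b in raw)


def analyze_famd_line(line: str):
    """Return a dict describing a famd length-rejection line, else None."""
    m = FAMD_RE.search(line)
    if not m:
        return None
    length = int(m.group("length"))
    raw = length_as_bytes(length)
    return {
        "fd": int(m.group("fd")),
        "length": length,
        "max": int(m.group("max")),
        "raw_bytes": raw,
        "as_ascii": raw.decode("ascii") if raw and looks_like_text(raw) else None,
    }


def analyze_log(text: str):
    """Run analyze_famd_line over every line, keeping only the matches."""
    return [r for r in (analyze_famd_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for rec in analyze_log(SAMPLE_LOG):
        print(rec)
```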

