Home page logo
/

Nmap Announce mailing list archives

Re: distributed nmap?
From: "Frasnelli, Dan" <dfrasnel () corewar com>
Date: Sun, 19 Mar 2000 16:05:55 -0800 (PST)


That sounds like a great idea, but it could backfire on Fyodor.
The distributed method sounds alot like the DDoS tools that have
gotten so much publicity.  Many people who do not understand nmap
may consider this new feature a threat.

Done properly, it would not have to appear as such.  
For example.. a common tactic I use when probing a network 
is to open a few xterms with sessions on 3-4 boxes not in
the same netblock.  Each host has an nmap session queued up; 
each session has only a couple ports to scan.  

So on one, I might have 'nmap -sS -P0 -p 22,79 [ip]', 
the other might have 'nmap -sS -P0 -p 113,139 [ip]', etc. which 
are cron'd to run an hour or more apart.  Most nids do not offer 
trend analysis over that timespan (and with a major service
 provider with thousands of hits per second, this is impractical),
so the scan slips under the wire.  

Covert network discovery is largely a directed search - scans are done
for a limited set of services.  Script kiddies or someone doing a 
complete audit tend to scan the full range of ports.. more detectable
and depending on the number of hosts involved, a 'distributed attack'.
A slick distributed method could be useful.. but the implications of 
being like a ddos depends on the operator.
--
Dan Frasnelli
Security analyst



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]