mailing list archives
Re: some nmap tools
From: MadHat <madhat () unspecific com>
Date: Sun, 7 Dec 2003 18:03:14 -0600
On Dec 7, 2003, at 8:04 AM, Bo Cato wrote:
> That's very interesting. 80k ethernet based machines to keep tabs on
> seems like a daunting task.
80K IPs assigned by ARIN and such. Of those ~25% of them respond when
probed with nmap.
> You said you do it from a single host. I don't know what your
> resources are obviously, but would it not be much more efficient to
> decentralize this? I would think that even if you only deployed your
> script / nmap solution to 3 more areas the network congestion on the
> LAN (routers, switches, firewalls, etc) you are centralized from would
> be significantly less as well as cutting the scan time down. Of course
> you'd have to have a means to gather the reports and consolidate but
> that's trivial. You may have all the bandwidth you need but typically
> this is not the case. If you have the access to the resources to
> deploy a total of 4 scanning sites, one would think that 4 x 32 would
> be quicker and less network intensive to any one path than 1 x 32. The
> key would be to make sure the scan sites don't overlap hops.
I was handed a box that was supposed to be doing this but not working
too well. At the time I was not given any additional resources and was
told to make do with what I had. I do have some goals to be able to
scan from separate hosts. These IPs are actually spread across several
data centers around the world, and eventually I will have a scanning
host in each data center, but I had to prove that it was worth the time
and money first.
> I'm curious as to how much additional load/congestion 32 parallelized
> (is that a word?) scans place on your centralized scan point's LAN. If
> it's of any real significance I imagine you have scheduled the scan to
> begin and end during the least impactful 10 hour time frame... 9 PM -
> 7 AM for example depending on what time is prime time for the LAN the
> scan is originating from.
I have the bandwidth and the box itself is not overly loaded by this.
I was lucky enough to get the box upgraded recently to a 2.6GHz (I
think) x86 with 1GB RAM. I am running FreeBSD (4.8) and it seems to
hold up quite well. I was running on a <1G with 512MB RAM and it was
working ok, still taking about the same amount of time, which led me
to believe the issue was more network restraints and less hardware, but
who is going to turn down new hardware.
Because the boxes are spread all over the world, there isn't a best
time to run it, so I just do it in the middle of the night for the
I am also re-evaluating how I am doing some things after discussing it
with Fyodor. Specifically how I can get more out of nmap's process
parallelization and not have to do so much myself.
I am also looking at how I store the data. As I mentioned before I
have looked at the nmapsql, but the database design does not scale well
for my needs and if I am spreading the nmap processes out to multiple
hosts anyway, I don't want them writing directly to the DB. The hosts
will not have access to the core server, but the core server will have
access to the scanning hosts. Also with the DB design, from the last
time I looked at it, it did not allow for Version scanning and I plan
on adding that very soon. I am presently tweaking the
nmap-service-probes for my needs and environment.
> I'm sure you've discussed this with Fyodor already. I only mention it
> out of curiosity.
> Saturday, December 6, 2003, 10:16:15 PM, you wrote:
> M> I have the responsibility of monitoring a large number of IPs for
> M> security issues. One of the most important things for me was to
> M> what was listening where and of course nmap is the only real
> M> The problem was that my boss wanted me to be able to generate a
> M> of how many new ports were opened in the last 24 hours, how many new
> M> hosts in the past 24 hours, or even how many hosts we have live that
> M> are Internet facing or web servers, etc...
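The two things the thread keeps coming back to, consolidating results pulled back from several scanning hosts and producing the daily "what changed" numbers quoted at the end (new hosts, new open ports, live hosts, web servers), can both be done over nmap's grepable (-oG) output without a database. The script below is an added example written for this archive page; it is not MadHat's script, not nmapsql, and not part of nmap. The scanner names, the 10.0.x.x addresses and the .gnmap text are constructed to look like -oG output for the demonstration, and the assumed workflow is the one described above: the core host copies each scanner's .gnmap file back (the scanners do not reach the core) and feeds them in.

```python
"""Consolidate nmap -oG output from several scanning hosts and diff it
against the previous run.

Added example for the nmap-dev archive, not MadHat's script and not nmap
code.  All .gnmap text and addresses below are constructed, not captured.
"""


def parse_grepable(text):
    """Parse one -oG file into {ip: {(port, proto): service}}.

    Every 'Host:' line registers the host, so a host that is Up with nothing
    open still counts as live.  Only port entries in state 'open' are kept;
    closed/filtered entries are dropped."""
    hosts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("Host:"):
            continue                        # skip '# Nmap ...' comment lines
        fields = line.split("\t")
        ip = fields[0].split()[1]           # "Host: 10.0.1.10 (name)"
        ports = hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                    # Status:, Ignored State:, OS: ...
            for entry in field[len("Ports:"):].strip().split(", "):
                # -oG port entry: port/state/proto/owner/service/rpc/version/
                parts = entry.split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                if state == "open":
                    ports[(int(port), proto)] = service
    return hosts


def merge(snapshots):
    """Union the per-scanner results into one view of the address space."""
    merged = {}
    for snap in snapshots:
        for ip, ports in snap.items():
            merged.setdefault(ip, {}).update(ports)
    return merged


def diff(previous, current):
    """What changed between two merged snapshots (e.g. yesterday vs today)."""
    new_ports, closed_ports = [], []
    for ip, ports in current.items():
        old = previous.get(ip, {})
        new_ports += [(ip, p, proto, svc) for (p, proto), svc in ports.items()
                      if (p, proto) not in old]
    for ip, ports in previous.items():
        cur = current.get(ip, {})
        closed_ports += [(ip, p, proto) for (p, proto) in ports
                         if (p, proto) not in cur]
    return {
        "new_hosts": sorted(set(current) - set(previous)),
        "gone_hosts": sorted(set(previous) - set(current)),
        "new_ports": sorted(new_ports),     # includes ports on brand-new hosts
        "closed_ports": sorted(closed_ports),
    }


def web_servers(hosts):
    """Hosts with something that looks like HTTP(S) open."""
    return sorted(ip for ip, ports in hosts.items()
                  if any(svc in ("http", "https", "http-proxy") or p in (80, 443)
                         for (p, _proto), svc in ports.items()))


def report(previous, current):
    """The counts the boss asked for, as one dict."""
    d = diff(previous, current)
    return {
        "live_hosts": len(current),
        "new_hosts": len(d["new_hosts"]),
        "gone_hosts": len(d["gone_hosts"]),
        "new_ports": len(d["new_ports"]),
        "closed_ports": len(d["closed_ports"]),
        "web_servers": len(web_servers(current)),
    }


# Constructed sample -oG output from two hypothetical scanning hosts (dc1, dc2),
# one file per scanner per day.  Fields are tab-separated as nmap writes them.
YESTERDAY_DC1 = """# Nmap scan initiated as: nmap -sS -oG dc1.gnmap 10.0.1.0/24
Host: 10.0.1.10 (www1.example.com)\tStatus: Up
Host: 10.0.1.10 (www1.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.1.20 (db1.example.com)\tStatus: Up
Host: 10.0.1.20 (db1.example.com)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
"""
YESTERDAY_DC2 = """Host: 10.0.2.7 (mail.example.com)\tStatus: Up
Host: 10.0.2.7 (mail.example.com)\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)
"""
TODAY_DC1 = """Host: 10.0.1.10 (www1.example.com)\tStatus: Up
Host: 10.0.1.10 (www1.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.1.20 (db1.example.com)\tStatus: Up
Host: 10.0.1.20 (db1.example.com)\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
"""
TODAY_DC2 = """Host: 10.0.2.5 (www2.example.com)\tStatus: Up
Host: 10.0.2.5 (www2.example.com)\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
"""

PREVIOUS = merge([parse_grepable(YESTERDAY_DC1), parse_grepable(YESTERDAY_DC2)])
CURRENT = merge([parse_grepable(TODAY_DC1), parse_grepable(TODAY_DC2)])
CHANGES = diff(PREVIOUS, CURRENT)
SUMMARY = report(PREVIOUS, CURRENT)

if __name__ == "__main__":
    for key, value in CHANGES.items():
        print(key, value)
    print(SUMMARY)
```

Two points worth keeping in mind if this is grown into the real thing: the diff is only as good as the scan behind it, so a host that was merely unreachable at scan time shows up as "gone" and its ports as "closed" (the filtered 3306 above is reported as closed for exactly that reason), and splitting the address space between scanners must leave no range covered twice or not at all, or merge() will silently produce a union that does not match what is actually listening.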
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org