Re: nmap 4: Still no MSS in SYN scans?
From: Fyodor <fyodor () insecure org>
Date: Thu, 2 Feb 2006 18:21:52 -0800
On Wed, Feb 01, 2006 at 02:01:41PM +0100, Juergen Schmidt wrote:
> in November I reported, that nmap SYN scans can be easily detected and blocked,
> because they do not set TCP MSS. All TCP/IP implementations I checked, do
> set MSS on the initial SYN packet of a new TCP connection.
Interesting point. I decided to see just how rare SYN packets w/o TCP
options are, so I sniffed my webserver for a few minutes to collect
just over 10,000 SYN packets. Of those, here are the top 15 option
2073 <mss 1460,nop,nop,sackOK>
777 <mss 1452,nop,wscale 2,nop,nop,sackOK>
169 <mss 1460>
160 <mss 1452,nop,nop,sackOK>
150 <mss 1460,nop,nop,sackOK,nop,wscale 2>
91 <mss 1260,nop,nop,sackOK>
47 <mss 1412,nop,nop,sackOK>
47 <mss 1380,nop,nop,sackOK>
38 <mss 1460,nop,wscale 0,nop,nop,sackOK>
29 <mss 1440,nop,nop,sackOK>
25 <mss 1414,nop,nop,sackOK>
24 <mss 1460,nop,wscale 2,nop,nop,sackOK>
23 <mss 1440,nop,wscale 2,nop,nop,sackOK>
21 <mss 1460,nop,nop,sackOK,nop,wscale 0>
18 <mss 1420,nop,nop,sackOK>
I didn't see a single no-option packet during the whole period.
Adding this option will make each IP packet 10% bigger (44 bytes rather
than 44), but that shouldn't hurt performance noticeably in the vast
majority of cases.
So I have added the TCP options <mss 1460> ("\x02\x04\x05\xb4") each
time Nmap sends a packet with SYN set (including SYN/ACK), except for
OS detection (which has always used a different set of options), for
the next version of Nmap.
If someone has a better/alternative idea, speak up! mss 1460 is
common enough that it shouldn't raise any flags, yet a little shorter
than the most common (mss, nop, nop, sackOK) combination above.
o Whenever Nmap sends packets with the SYN bit set (except for OS
detection), it now includes the maximum segment size (MSS) tcp
option with a value of 1460. This makes it stand out less as almost
all hosts set at least this option. Thanks to Juergen Schmidt
(ju(a)heisec.de) for the suggestion.
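As an added example (not from the post above and not Nmap's own code), a small Python decoder for the TCP options being discussed: it renders option bytes in the tcpdump style of the list, and implements the detection check Juergen describes, flagging a SYN whose options carry no MSS. The `build_syn` helper and its port numbers are assumptions used only to construct sample headers.

```python
import struct

# TCP option kinds (RFC 793, RFC 2018, RFC 7323).
OPT_END, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK = 0, 1, 2, 3, 4
# Constructed samples: the bytes Nmap now sends, and the most common combination above.
NMAP_SYN_OPTS = b"\x02\x04\x05\xb4"                    # <mss 1460>
TYPICAL_OPTS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"      # <mss 1460,nop,nop,sackOK>

def parse_tcp_options(opts: bytes) -> list:
    """Decode raw TCP option bytes into (name, value) pairs, stopping at END-of-options."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            out.append(("nop", None))
            i += 1
            continue
        # Every other option carries a length byte covering kind + length + data.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, data = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == OPT_MSS and length == 4:
            out.append(("mss", struct.unpack("!H", data)[0]))
        elif kind == OPT_WSCALE and length == 3:
            out.append(("wscale", data[0]))
        elif kind == OPT_SACKOK and length == 2:
            out.append(("sackOK", None))
        else:
            out.append(("opt-%d" % kind, data.hex()))
        i += length
    return out

def format_options(parsed) -> str:
    """Render parsed options in the tcpdump style used in the list above."""
    return "<" + ",".join(n if v is None else "%s %s" % (n, v) for n, v in parsed) + ">"

def build_syn(opts: bytes) -> bytes:
    """Constructed 20-byte TCP SYN header (assumed ports 40000 -> 80) plus padded options."""
    opts = opts + b"\x00" * (-len(opts) % 4)
    data_offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, 0x02, 65535, 0, 0) + opts

def syn_without_mss(tcp_header: bytes) -> bool:
    """Detection check: True for a SYN (not SYN/ACK) whose options carry no MSS."""
    data_offset = (tcp_header[12] >> 4) * 4
    flags = tcp_header[13]
    if not flags & 0x02 or flags & 0x10:        # require SYN set and ACK clear
        return False
    return not any(name == "mss" for name, _ in parse_tcp_options(tcp_header[20:data_offset]))
```

Run over captured SYN headers, `syn_without_mss` reproduces the heuristic from the post: a bare SYN with an empty option field is flagged, while one carrying Nmap's new `<mss 1460>` option is not.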