Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: nmap 4: Still no MSS in SYN scans?
From: Fyodor <fyodor () insecure org>
Date: Thu, 2 Feb 2006 18:21:52 -0800

On Wed, Feb 01, 2006 at 02:01:41PM +0100, Juergen Schmidt wrote:

in November I reported, that nmap SYN scans can be easily detected and blocked,
because they do not set TCP MSS. All TCP/IP implementations I checked, do
set MSS on the initial SYN packet of a new TCP connection.

Interesting point.  I decided to see just how rare SYN packets w/o TCP
options are, so I sniffed my webserver for a few minutes to collect
just over 10,000 SYN packets.  Of those, here are the top 15 option

   2073 <mss 1460,nop,nop,sackOK>
    777 <mss 1452,nop,wscale 2,nop,nop,sackOK>
    169 <mss 1460>
    160 <mss 1452,nop,nop,sackOK>
    150 <mss 1460,nop,nop,sackOK,nop,wscale 2>
     91 <mss 1260,nop,nop,sackOK>
     47 <mss 1412,nop,nop,sackOK>
     47 <mss 1380,nop,nop,sackOK>
     38 <mss 1460,nop,wscale 0,nop,nop,sackOK>
     29 <mss 1440,nop,nop,sackOK>
     25 <mss 1414,nop,nop,sackOK>
     24 <mss 1460,nop,wscale 2,nop,nop,sackOK>
     23 <mss 1440,nop,wscale 2,nop,nop,sackOK>
     21 <mss 1460,nop,nop,sackOK,nop,wscale 0>
     18 <mss 1420,nop,nop,sackOK>

I didn't see a single no-option packet during the whole period.
Adding this option will make each IP packet 10% bigger (44 bytes rather
than 44), but that shouldn't hurt performance noticeably in the vast
majority of cases.

So I have added the TCP options <mss 1460> ("\x02\x04\x05\xb4") each
time Nmap sends a packet with SYN set (including SYN/ACK), except for
OS detection (which has always used a different set of options), for
the next version of Nmap.

If someone has a better/alternative idea, speak up!  mss 1460 is
common enough that it shouldn't raise any flags, yet a little shorter
than the most common (mss, nop, nop, sackOK) combination above.


o Whenever Nmap sends packets with the SYN bit set (except for OS
  detection), it now includes the maximum segment size (MSS) tcp
  option with a value of 1460.  This makes it stand out less as almost
  all hosts set at least this option.  Thanks to Juergen Schmidt
  (ju(a)heisec.de) for the suggestion.


Sent through the nmap-dev mailing list

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]