Home page logo

nmap-dev logo Nmap Development mailing list archives

RE: Nmap says Host down when actually host is up.
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Fri, 26 Oct 2007 11:07:46 -0400

Yeah, for what is worth, I kind of agree with this approach.

And even if someone came up with the full details (topology, packet
captures, device versions, etc) - would it make at all sense to add a
bunch of code to detect a corner case? Yes - if Fyodor is shooting for
perfection this week. Not, if it is some weird combination of OS/load
balancer/firewall/NAT/router/etc it is probably going to be seen in the
wilde once in a blue moon :)


-----Original Message-----
From: Fyodor [mailto:fyodor () insecure org] 
Sent: Friday, October 26, 2007 3:50 AM
To: Brandon Enright
Cc: kx; nmap-dev () insecure org; Dario Ciccarone (dciccaro); Swapnali
Subject: Re: Nmap says Host down when actually host is up.

On Fri, Oct 26, 2007 at 07:10:33AM +0000, Brandon Enright wrote:

I haven't given it more than 2 seconds of thought, but we could try
something TCP SYNCOOKIE inspired for our ICMP ECHO requests.

Hi Brandon.  The response already has enough information (e.g. ICMP
sequence and ID numbers) for us to recognize it.  But I think in most
cases where we get a response from a different IP than the target we
sent to, it is because the target host forwarded the request
(e.g. subnet-directed broadcast) to other machines, and one or more of
them answered.  In that case, for us to mark the target as up would be
a false postive.  For us to change that behavior and mark the host as
up, I would want some evidence that actual online hosts responding
with the wrong IP is a normal occurence.


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]