Re: nse crypto
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Sun, 20 Mar 2011 19:51:58 +0100

On 03/15/2011 01:01 AM, David Fifield wrote:
> On Tue, Mar 15, 2011 at 01:31:21AM +0200, Toni Ruottu wrote:
>> What amount should we target? A high value might be good for protecting
>> against brute force password cracking, but does it also hinder performance
>> in regular use?
>
> I'm not suggesting that we change the nsock_loop timeout. My guess is
> that the way it works now is unintentional (because the comment doesn't
> match the code), but the fact that it only allows one password guess per
> second could be regarded as a feature. It does mean that when connecting
> normally, you could be delayed up to a second.

The comment is obviously wrong so I've changed it to reflect what the
code actually does. However, the code is doing what it's supposed to,
which is doing asynchronous accept()s at the server side. When I
implemented the Echo server I found out that Nsock does not provide
asynchronous "server-side functions", so I had to introduce a small hack
in order to avoid accept() system calls that block the caller (we need
this since Nping is mono-threaded and non-forkable by design).

However, Toni, you are right that the code limits incoming connections
to a rate of 1 connection per second. I think this is very reasonable,
but I'm open to discussion if there is interest in decreasing the
timeout value and there are reasons beyond weak password auditing.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/