Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Net block scanning
From: "Michael" <michael () 0x90 ca>
Date: Sun, 15 Dec 2013 09:26:32 -0500


You'll want to consider three things before you do this scan:
 - Your ISP
 - Bandwidth
 - Keeping the scan running fast

First off, you want to make sure that your ISP is the appropriate venue
for this type of scanning. Many consumer ISP's will detect and block port
scanning of such a large range. On the other hand, if you're scanning from
a colo, you shouldn't run into any issues. Anyone who runs a server and
checks their logs will know that portscans are a very common occurrence.

One advantage Zmap has over Nmap is you can specify bandwidth directly. In
Nmap your best option is is to specify a max packet per second rate. A Syn
packet is 44 bytes, or 352 bits, I recommend getting your upload speed
from a site like speed.io or speedof.me and calculating:
Then take 1% of that number for MINRATE and 65% of that number for
MAXRATE. Or whatever values you are comfortable with, so long as your
maxrate is less than your effective upstream bandwidth.

Finally, nmap isn't turned by default to scan such large ranges, I
recommend a command line as follows, based on the experiences of Nmap
contributor Brandon Enright:
Nmap -sS -sV -O -p PORTLIST -d -PN -n -T4 --min-hostgroup 256
--minparallelism 64 -oA OUTPUTFILE --min-rate MINRATE --max-rate MAXRATE

A few things to note here, -n and -PN will reduce the bandwidth that you
use. If you want a faster scan you could increase min-hostgroup and
min-parallelism, but keep them in a 4:1 ratio. By default Nmap does a
pretty good job at dynamically deciding how fast it should send packets,
but you can run into trouble if your scan includes a lot of
slow/unresponsive hosts, nmap may mistakenly think that your connection is
slow. This is why I specify min-rate, I find it helps a scan run fast.

Hope that helps,

On Sun, December 15, 2013 4:12 am, Robin Cernin wrote:
Hi devs, Fyodor and all volunteers,

question about network block scans. I got approval from IPs owner to
perform scan that will identify which hosts are live in there network
and identify domain, ssh, smtp, ms-term-services, http, https and grab
their versions so we can identify possible exposed outofdate service
so we can safely find and patch those. I do not want to do anything

Right now its total 65 thousand of IPs.
I do not want to lift much eyebrows on this. Would anyone give me
pointers like bandwith, packets per seconds, which scan would give
accurate results. Should that be also discussed with the ISP on my
side +  the ISP on the other end so I won't melt their switches?

Also question is Nmap fast enough or shall I use something like Zmap for

Thank you in advanced,
Best Regards
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]