Nmap Development mailing list archives

[patch] Re: solaris rate-limiting RST,ACK (SYN scan)


From: Martin Mačok <martin.macok () underground cz>
Date: Sun, 13 Feb 2005 12:14:17 +0100

On Wed, Jan 19, 2005 at 11:43:21AM +0100, Martin Mačok wrote:

> My idea to fix this is implementing an optional SYN scan variant that
> (1) does not distinguish between closed and filtered ports and (2) does
> not change timing/retrans values when (not) getting RST,ACK (late or
> if ever). I.e. it would just catch open ports and report others as
> "closed|filtered".

... and here you are (-sS --defeat_rst_ratelimit):

http://Xtrmntr.org/ORBman/tmp/nmap/nmap-3.81-defeat_RST_ratelimit.patch

(This patch assumes defeat_ICMP_ratelimit patch is applied because it
touches the same code. I could make a patch that does not depend on it
if someone really insists on it though...)

If you don't have Solaris 9 you can simulate it (not exactly, but very
close) on Linux with something like:
# iptables -A INPUT -i lo -p tcp -m multiport --destination-ports 25,53,8080,8081 -j ACCEPT
# iptables -A INPUT -i lo -p tcp -m limit --limit 40/s -j REJECT --reject-with tcp-reset
# iptables -A INPUT -i lo -p tcp -j DROP


Martin Mačok
ICT Security Consultant
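
The three iptables rules above, modelled as an added example (not part of the original post or of the Nmap patch), to show why RST rate limiting makes the closed/filtered split unreliable and what the merged "closed|filtered" state reports instead. Assumptions: the limit match is approximated by a plain token bucket with the iptables default --limit-burst of 5, the four accepted ports have listeners, probes are sent once with no retransmission, and all function names are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass

ACCEPT_PORTS = {25, 53, 8080, 8081}  # rule 1; assumed to have listeners
LIMIT_PER_SEC = 40.0                 # rule 2: --limit 40/s
LIMIT_BURST = 5.0                    # iptables default, not set on the page

@dataclass
class TokenBucket:
    """Simplified stand-in for the iptables limit match."""
    rate: float
    burst: float
    tokens: float
    last: float = 0.0

    def match(self, now: float) -> bool:
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def simulate(ports, probes_per_sec):
    """Return {port: reply}; reply is 'synack', 'rst' or None (dropped)."""
    bucket = TokenBucket(LIMIT_PER_SEC, LIMIT_BURST, tokens=LIMIT_BURST)
    replies = {}
    for i, port in enumerate(ports):
        now = i / probes_per_sec           # evenly spaced SYN probes
        if port in ACCEPT_PORTS:
            replies[port] = "synack"       # rule 1: ACCEPT, listener answers
        elif bucket.match(now):
            replies[port] = "rst"          # rule 2: REJECT with tcp-reset
        else:
            replies[port] = None           # rule 3: DROP
    return replies

def classify(replies, merged):
    """merged=False: RST is 'closed', silence is 'filtered'.
    merged=True: every non-open port is 'closed|filtered'."""
    out = {}
    for port, reply in replies.items():
        if reply == "synack":
            out[port] = "open"
        elif merged:
            out[port] = "closed|filtered"
        else:
            out[port] = "closed" if reply == "rst" else "filtered"
    return out

def summary(states):
    return dict(Counter(states.values()))
```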
