Nmap Development mailing list archives

Re: Desired improvements in Nmap performance? [FASTER IS SLOWER]

From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 2 Dec 2008 23:18:44 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 2 Dec 2008 21:32:26 +0000
Brandon Enright <bmenrigh () ucsd edu> wrote:

On Sun, 30 Nov 2008 18:24:59 -0700
David Fifield <david () bamsoftware com> wrote:

I'm starting a project to improve Nmap's performance and the
predictability of the length of its scans. This may involve tuning
performance parameters, adjusting the congestion control mechanism,
or other things not thought of yet.

What complaints do you have about Nmap's performance? One thing I
have heard is that for very large scans Nmap may be too slow, or
the time taken may be too unpredictable.

One possible improvement is I've identified is that sometimes scan
delay kicks in when I don't think it should. If a scan has just
started and I see the scan delay go from 0 to 5 ms I'm likely to
kill the scan and start it over.

Write back with possibilities you see for improvement. I'd like any
changes we make to be in response to actual user concerns.

David Fifield


I'll probably respond to this one several times as
I can come up with decent examples of things that should be looked at.

Brandon



This one is going to take a little bit of work to explain but the basic
idea behind it is that sometimes Nmap severely penalizes itself for
packet drop and never properly recovers from that penalty.

This manifests itself as very poor performance scanning Windows
machines when I scan from a highly tuned Linux scanning box but decent
performance when scanning from a zero-tuned Linux box.

When I dig into the problem, it seems that Windows (with the firewall
off) has a maximum outstanding RST limit (or max RST rate) that causes
it to drop a bunch of incoming SYNs if scanned too fast.  From a
well-tuned box Nmap goes over that rate immediately and slows way
down.  From a non-tuned box Nmap never goes above that rate and the
Windows machine scans quickly.

Here is an example from the tuned Linux machine:

$ time sudo nmap -T5 -PN -n -v -d -p- --open 128.54.184.49

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-02 23:10 GMT
- --------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 250, min 50, max 300
  max-scan-delay: TCP 5, UDP 1000
  parallelism: min 0, max 0
  max-retries: 2, host-timeout: 900000
  min-rate: 0, max-rate: 0
- ---------------------------------------------
Initiating SYN Stealth Scan at 23:10
Scanning 128.54.184.49 [65535 ports]
Packet capture filter (device eth0): dst host 132.239.1.114 and (icmp or ((tcp or udp) and (src host 128.54.184.49)))
Increased max_successful_tryno for 128.54.184.49 to 1 (packet drop)
Increased max_successful_tryno for 128.54.184.49 to 2 (packet drop)
Increasing send delay for 128.54.184.49 from 0 to 5 due to 60 out of 149 dropped probes since last increase.
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.76% done
Current sending rates: 136.30 packets / s, 5986.87 bytes / s.
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.16% done; ETC: 23:18 (0:07:58 remaining)
Current sending rates: 145.04 packets / s, 6372.70 bytes / s.
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.48% done; ETC: 23:18 (0:07:37 remaining)
Current sending rates: 149.91 packets / s, 6589.28 bytes / s.
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.76% done; ETC: 23:17 (0:07:24 remaining)
Current sending rates: 153.56 packets / s, 6747.45 bytes / s.
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.26% done; ETC: 23:17 (0:07:09 remaining)
Current sending rates: 157.86 packets / s, 6938.91 bytes / s.
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.70% done; ETC: 23:17 (0:06:59 remaining)
Current sending rates: 161.05 packets / s, 7079.08 bytes / s.
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.17% done; ETC: 23:17 (0:06:52 remaining)
Current sending rates: 162.01 packets / s, 7118.36 bytes / s.

... scan will take a long time, killed ...


Okay now here is the same scan from the non-tuned machine:

$ time sudo nmap -T5 -PN -n -v -d -p- --open 128.54.184.49

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-02 22:59 UTC
- --------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 250, min 50, max 300
  max-scan-delay: TCP 5, UDP 1000
  parallelism: min 0, max 0
  max-retries: 2, host-timeout: 900000
  min-rate: 0, max-rate: 0
- ---------------------------------------------
Initiating SYN Stealth Scan at 22:59
Scanning 128.54.184.49 [65535 ports]
Packet capture filter (device eth0): dst host 132.239.181.229 and (icmp or ((tcp or udp) and (src host 128.54.184.49)))
Increased max_successful_tryno for 128.54.184.49 to 1 (packet drop)
Discovered open port 49153/tcp on 128.54.184.49
Discovered open port 5357/tcp on 128.54.184.49
Increased max_successful_tryno for 128.54.184.49 to 2 (packet drop)
Discovered open port 49156/tcp on 128.54.184.49
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 43.13% done; ETC: 22:59 (0:00:15 remaining)
Current sending rates: 2729.75 packets / s, 120056.77 bytes / s.
Discovered open port 135/tcp on 128.54.184.49
Discovered open port 49155/tcp on 128.54.184.49
Discovered open port 912/tcp on 128.54.184.49
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 67.28% done; ETC: 22:59 (0:00:08 remaining)
Current sending rates: 2921.99 packets / s, 127823.48 bytes / s.
Discovered open port 49154/tcp on 128.54.184.49
Discovered open port 445/tcp on 128.54.184.49
Discovered open port 49152/tcp on 128.54.184.49
Discovered open port 990/tcp on 128.54.184.49
Discovered open port 49158/tcp on 128.54.184.49
Discovered open port 139/tcp on 128.54.184.49
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 22:59 (0:00:00 remaining)
Current sending rates: 2864.25 packets / s, 124968.06 bytes / s.
Completed SYN Stealth Scan at 22:59, 26.14s elapsed (65535 total ports)
Overall sending rates: 2749.65 packets / s, 120984.58 bytes / s.
Host 128.54.184.49 appears to be up ... good.
Scanned at 2008-12-02 22:59:10 UTC for 26s
Interesting ports on 128.54.184.49:
Not shown: 65523 closed ports
Reason: 65523 resets
PORT      STATE SERVICE      REASON
135/tcp   open  msrpc        syn-ack
139/tcp   open  netbios-ssn  syn-ack
445/tcp   open  microsoft-ds syn-ack
912/tcp   open  unknown      syn-ack
990/tcp   open  ftps         syn-ack
5357/tcp  open  unknown      syn-ack
49152/tcp open  unknown      syn-ack
49153/tcp open  unknown      syn-ack
49154/tcp open  unknown      syn-ack
49155/tcp open  unknown      syn-ack
49156/tcp open  unknown      syn-ack
49158/tcp open  unknown      syn-ack
Final times for host: srtt: 899 rttvar: 50  to: 50000

Read from /usr/share/nmap: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 26.27 seconds
           Raw packets sent: 71892 (3.163MB) | Rcvd: 65535 (2.621MB)

real    0m26.289s
user    0m0.653s
sys     0m0.712s


Notice that the non-tuned machine never gets above about 3000 pps.  It
isn't hitting the Windows "drop packets" condition and so never slows
down much.  My "solution" to the problem is on the tuned machine, cap
the packet rate with "--max-rate 4000" so that it never floods Windows
and overly penalizes itself from the resulting packet drops.  Here is
that scan:


$ time sudo nmap -T5 -PN -n -v -d -p- --open --max-rate 4000 128.54.184.49

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-02 23:09 GMT
- --------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 250, min 50, max 300
  max-scan-delay: TCP 5, UDP 1000
  parallelism: min 0, max 0
  max-retries: 2, host-timeout: 900000
  min-rate: 0, max-rate: 4000
- ---------------------------------------------
Initiating SYN Stealth Scan at 23:09
Scanning 128.54.184.49 [65535 ports]
Packet capture filter (device eth0): dst host 132.239.1.114 and (icmp or ((tcp or udp) and (src host 128.54.184.49)))
Increased max_successful_tryno for 128.54.184.49 to 1 (packet drop)
Discovered open port 49155/tcp on 128.54.184.49
Discovered open port 139/tcp on 128.54.184.49
Increased max_successful_tryno for 128.54.184.49 to 2 (packet drop)
Discovered open port 49152/tcp on 128.54.184.49
Discovered open port 135/tcp on 128.54.184.49
Discovered open port 49153/tcp on 128.54.184.49
Discovered open port 49156/tcp on 128.54.184.49
Discovered open port 990/tcp on 128.54.184.49
Discovered open port 49154/tcp on 128.54.184.49
Discovered open port 912/tcp on 128.54.184.49
Discovered open port 49158/tcp on 128.54.184.49
Discovered open port 5357/tcp on 128.54.184.49
Discovered open port 445/tcp on 128.54.184.49
Completed SYN Stealth Scan at 23:09, 34.60s elapsed (65535 total ports)
Overall sending rates: 2190.25 packets / s, 96371.01 bytes / s.
Host 128.54.184.49 appears to be up ... good.
Scanned at 2008-12-02 23:09:08 GMT for 34s
Interesting ports on 128.54.184.49:
Not shown: 65523 closed ports
Reason: 65523 resets
PORT      STATE SERVICE      REASON
135/tcp   open  msrpc        syn-ack
139/tcp   open  netbios-ssn  syn-ack
445/tcp   open  microsoft-ds syn-ack
912/tcp   open  unknown      syn-ack
990/tcp   open  ftps         syn-ack
5357/tcp  open  unknown      syn-ack
49152/tcp open  unknown      syn-ack
49153/tcp open  unknown      syn-ack
49154/tcp open  unknown      syn-ack
49155/tcp open  unknown      syn-ack
49156/tcp open  unknown      syn-ack
49158/tcp open  unknown      syn-ack
Final times for host: srtt: 607 rttvar: 32  to: 50000

Read from /usr/share/nmap: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 34.69 seconds
           Raw packets sent: 75777 (3.334MB) | Rcvd: 65535 (2.621MB)

real    0m34.698s
user    0m0.438s
sys     0m0.445s


If this explanation isn't clear let me know and I'll see if I can
describe it better.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkk1wlsACgkQqaGPzAsl94JBpQCgoTv8WkJe2ZQeGVd/ecRl/wuh
3PYAoLdaDt1UdCwB2RY75NYPdZHNzbJ2
=Top6
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Desired improvements in Nmap performance? David Fifield (Nov 30)
- Re: Desired improvements in Nmap performance? sara fink (Dec 01)
- Re: Desired improvements in Nmap performance? DePriest, Jason R. (Dec 01)
- Re: Desired improvements in Nmap performance? Brandon Enright (Dec 02)
  - Re: Desired improvements in Nmap performance? [SCAN BUDDIES] Brandon Enright (Dec 02)
    - Re: Desired improvements in Nmap performance? [SCAN BUDDIES] David Fifield (Dec 02)
    - Re: [CAPS] Re: Desired improvements in Nmap performance? [SCAN BUDDIES] Brandon Enright (Dec 02)
    - Re: [CAPS] Re: Desired improvements in Nmap performance? [SCAN BUDDIES] David Fifield (Dec 02)
    - Re: Desired improvements in Nmap performance? [SCAN BUDDIES] Brandon Enright (Dec 02)
  - Re: Desired improvements in Nmap performance? [FASTER IS SLOWER] Brandon Enright (Dec 02)
    - Re: Desired improvements in Nmap performance? [FASTER IS SLOWER] David Fifield (Dec 02)
- Nmap performance work update David Fifield (Dec 08)
- <Possible follow-ups>
- Re: Desired improvements in Nmap performance? Rob Nicholls (Dec 01)
  - Re: Desired improvements in Nmap performance? sara fink (Dec 01)