Nmap Development mailing list archives

Re: Increasing UDP Scanning with virtual hosts


From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Feb 2010 12:52:44 -0700

On Sat, Jan 30, 2010 at 04:02:53PM -0500, sham0day sham0day wrote:
> The following strategy was initially intended to increase the speed of UDP
> scanning, but it could also be used to increase the speed of any host that
> is rate limited.
> 
> During a UDP scan if we receive an "ICMP port unreachable" message then we
> know the port is probably closed. Unfortunately many targets rate-limit the
> number of ICMP port unreachable messages to 1 a second (e.g. Linux hosts).
> Nmap will throttle its scan to compensate for this. RFC 1812 section 4.3.2.8
> states that ICMP rate limits can occur in 3 ways – count based, timer based,
> and bandwidth based. The first two rate limits appear to target specific
> source hosts.
> 
> In order to get around this, it seems possible to speed the UDP scan by
> changing the source host. So if multiple sources were scanning a target, they
> could avoid this ICMP port unreachable rate limit because each individual
> source would get rate-limited (1 per second on Linux), but not all sources
> combined. This would work unless the rate limit was bandwidth-based.
> 
> So to avoid these rate limits, Nmap could utilize virtual host adapters so
> it could scan targets from "multiple sources" simultaneously. This would
> greatly increase the speed of a UDP scan and could also increase the speed
> of any scan that is getting rate limited. Creating virtual host adapters
> (with their own IP and MAC) to avoid rate limits could be a great feature in
> new versions of Nmap.

I tried scanning Linux from two other points on a LAN, and the Linux host did
indeed do its rate-limiting per-host. So with two addresses a scan could
go twice as fast. I don't know if it would work if both scanning hosts
had the same MAC address.

This wouldn't be too easy to add to Nmap, but I guess it's possible. I
can imagine running a command like
        nmap -sU -e eth0:0 -e eth0:1 -e eth0:2 -e eth0:3
to make Nmap round-robin between the different addresses.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
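The argument in the thread is that a per-source ICMP rate limit (the count- or timer-based kinds from RFC 1812 4.3.2.8) can be divided across N source addresses, while a bandwidth-based limit on the target as a whole cannot. The following simulation, an added example that is not part of the original thread or of Nmap, makes that concrete: it models the target's ICMP limiter as a token bucket keyed on the probe's source address (modelled on Linux's per-peer limiter, with net.ipv4.icmp_ratelimit = 1000 ms and a burst factor of 6 as assumptions; the real kernel has more special cases), runs a round-robin UDP scanner against it, and counts how many "port unreachable" replies come back in a fixed window. The source addresses, probe rate and scan duration are constructed values, not measurements.

```python
"""Per-source vs. aggregate ICMP rate limiting against a round-robin UDP scanner.

All timing is in integer milliseconds so the simulation is deterministic.
Every probed port is treated as closed, so each probe either earns an ICMP
port-unreachable reply (port confirmed closed immediately) or is silently
dropped by the limiter (Nmap would have to wait and retransmit).
"""

# Assumed model parameters, modelled on Linux 2.6 defaults (not measured):
ICMP_RATELIMIT_MS = 1000   # net.ipv4.icmp_ratelimit: one ICMP error per second per peer
XRLIM_BURST_FACTOR = 6     # kernel allows a short burst after the bucket has refilled


class PerSourceLimiter:
    """Token bucket keyed on the probe's source address (count/timer-based limit).

    Each distinct source gets its own bucket, so N sources get N times the
    reply budget. This is the per-host behaviour the thread observed on Linux.
    """

    def __init__(self, interval_ms=ICMP_RATELIMIT_MS, burst=XRLIM_BURST_FACTOR):
        self.interval_ms = interval_ms
        self.max_tokens = interval_ms * burst
        self.buckets = {}  # source -> (tokens_ms, last_seen_ms)

    def allow(self, src, now_ms):
        # A source seen for the first time starts with a full bucket.
        tokens, last = self.buckets.get(src, (self.max_tokens, now_ms))
        tokens = min(tokens + (now_ms - last), self.max_tokens)
        ok = tokens >= self.interval_ms
        if ok:
            tokens -= self.interval_ms
        self.buckets[src] = (tokens, now_ms)
        return ok


class AggregateLimiter:
    """One bucket for the whole target, regardless of source (bandwidth-style limit).

    Spreading probes over several source addresses buys nothing here, which is
    the caveat the original proposal itself raises.
    """

    def __init__(self, interval_ms=ICMP_RATELIMIT_MS, burst=XRLIM_BURST_FACTOR):
        self._shared = PerSourceLimiter(interval_ms, burst)

    def allow(self, src, now_ms):
        return self._shared.allow("*", now_ms)  # ignore src: single shared bucket


def run_scan(limiter, sources, duration_ms, probe_interval_ms):
    """Fire one UDP probe every probe_interval_ms for duration_ms, rotating the
    source address round-robin (the -e eth0:0 -e eth0:1 ... idea), and return
    how many probes earned an ICMP port-unreachable reply."""
    replies = 0
    for i, now in enumerate(range(0, duration_ms, probe_interval_ms)):
        src = sources[i % len(sources)]
        if limiter.allow(src, now):
            replies += 1
    return replies


def compare(n_sources, duration_ms=60_000, probe_interval_ms=10):
    """Replies obtained in one minute at 100 probes/s with n_sources aliases,
    under a per-source limiter and under an aggregate limiter."""
    sources = [f"10.0.0.{10 + k}" for k in range(n_sources)]  # constructed alias addresses
    return {
        "per_source": run_scan(PerSourceLimiter(), sources, duration_ms, probe_interval_ms),
        "aggregate": run_scan(AggregateLimiter(), sources, duration_ms, probe_interval_ms),
    }


if __name__ == "__main__":
    for n in (1, 2, 4):
        r = compare(n)
        print(f"{n} source(s): per-source limit -> {r['per_source']} replies/min, "
              f"aggregate limit -> {r['aggregate']} replies/min")
```

With the assumed parameters one source gets 65 replies per minute (a burst of 6, then one per second), four sources under a per-source limiter get exactly four times that, and four sources under an aggregate limiter still get 65. The model keys only on the source IP; it says nothing about whether the target would treat aliases sharing one MAC address differently, which is the open question in the reply above.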