Subject: Re: DOS on inetd w/ nmap
From: Ron DuFresne (dufresneWINTERNET.COM)
Date: Tue Apr 25 2000 - 17:46:58 CDT


I'm looking now and finding the most current beta is Nmap 2.30BETA21,
newer even than the 2.3BETA5 over here played with most recently. This
version on our end reports none of the newer -T flaggettes either.

Thanks,

Ron DuFresne

On Tue, 25 Apr 2000, Clifford, Shawn A wrote:

> I have nmap version 2.12 (the latest stable version), and 'nmap -h' doesn't
> show me those options for -T. To be fair, I didn't read through the man
> page for nmap in any detail before launching my scans.
>
> I did try variations of -sT, -sS, -sN, -P0, etc., along with -p 1- to scan
> all ports.
>
> I can try again against a test SGI with some of the options you mention, but
> it sounds like I will need to get a beta version of nmap.
>
> Also, will this make connections without sending data, or simply slow the
> rate of connections?
>
> For that matter, if I slow the connection rate down so that it doesn't crash
> inetd, then I might as well use netcat.
>
> There are 2 components, as I see it, that crash SGIs:
> 1) Too many connections to inetd in a short amount of time
> 2) Sending too much data to a service being "scanned". NetCat has
> -z option, which is for "zero-I/O mode [used for scanning]"
>
> In any event, the purpose of my post wasn't really to find out how to use
> nmap, but to point out that: a) inetd is still very susceptible to DoS on a
> lot of machines (I crashed about 20-30 machines), and b) if used in what I
> consider to be the obvious manner, nmap is about as stealthy as a sledge
> hammer. Although I'm using it to legitimately scan for Web servers, not for
> covert scans, some of you may care about the rather huge signature.
>
> I'll see if I can find a way to scan SGIs with nmap w/o crashing them and
> still maintain the performance advantage, and will report my findings to the
> list.
>
> -- Shawn
>
>
> > > Nmap is about 4 times faster, as it turns out, for doing
> > > port scans, but it has this nasty side-effect. It also seems
> > > to be sending data, as it not only crashes inetd on IRIX, but
> > > it also crashes some service called 'sgi_fam' with an enormous
> > > amount of data.
> >
> > nmap -h:
> > --cut---
> > -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
> > General timing policy
> > --cut---
> >
> > won't this help? Am I missing the point?
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
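The first of Shawn's two crash components above, too many inetd connections in a short time, is also what a host's syslog shows just before inetd falls over, so it is a detectable symptom on the target side. As an added example (not code from this thread), the script below runs a sliding-window burst detector over constructed tcp_wrappers-style "connect from" lines; the log format, the 5-second window and the threshold of 5 connections are assumptions, not values from the list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not from the thread) in the tcp_wrappers style that
# inetd-spawned daemons log per connection: "<daemon>[pid]: connect from <host>".
SAMPLE_LOG = """\
Apr 25 17:40:01 sgi1 telnetd[1201]: connect from 10.0.0.5
Apr 25 17:40:01 sgi1 ftpd[1202]: connect from 10.0.0.5
Apr 25 17:40:02 sgi1 fingerd[1203]: connect from 10.0.0.5
Apr 25 17:40:02 sgi1 rshd[1204]: connect from 10.0.0.5
Apr 25 17:40:03 sgi1 telnetd[1205]: connect from 10.0.0.5
Apr 25 17:40:03 sgi1 ftpd[1206]: connect from 10.0.0.5
Apr 25 17:41:30 sgi1 telnetd[1210]: connect from 192.168.1.9
Apr 25 17:45:00 sgi1 telnetd[1211]: connect from 192.168.1.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>\w+)\[\d+\]: "
    r"connect from (?P<src>\S+)$"
)

def parse_line(line, year=2000):
    """Return (timestamp, service, source) for a connect record, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["svc"], m["src"]

def find_bursts(lines, window_s=5, threshold=5):
    """Flag sources that open >= threshold inetd connections inside any sliding
    window of window_s seconds. Returns {src: (peak_count, {services hit})}."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    services = defaultdict(set)   # src -> distinct daemons contacted
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, svc, src = parsed
        q = recent[src]
        q.append(ts)
        services[src].add(svc)
        while (ts - q[0]).total_seconds() > window_s:   # expire old entries
            q.popleft()
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return {src: (n, set(services[src])) for src, n in peak.items()}
```

Only the source that hammers several inetd services within two seconds is reported; the host that connects twice, minutes apart, is not.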