Nmap employs a technique of auto-timing which, while very good if the host responds to port scans, will drag the scan into the mud if the host does not respond at all. In fact, it is possible to configure a host so that it functions as a port scan "tarpit" by adjusting how the host responds to the scan.
I've found, as a matter of general practice, that you must manually adjust nmap's timing parameters to get reasonable scan times. If you know that the target network can be pinged reliably with 60ms return times, and that the scan will not trigger active defensive mechanisms which will affect reply times, then you can get a reasonably accurate result if you set the max_rtt_timeout to something like 300 ms. Of course, the higher this number, the more accurate your scan becomes, with decreasing returns on your investment of time. I typically use 500ms scan times just to be sure. I usually get a completion rate of 5 hosts per day with this arrangement, assuming I'm scanning all TCP and UDP ports.

On Mon, 2002-10-14 at 11:14, [EMAIL PROTECTED] wrote:
> Hi all,
>
> I know this isn't really a Nessus issue, but it certainly affects Nessus.
> Over the last 6 months or so, I have seen NMAP performance tank heavily on
> a number of Linux systems I administer. It is a particular problem with
> full NMAP scans such as 'nmap -sT -p 1-65535 target.txt'. Whereas in the
> past, these would complete in a reasonable amount of time (less than an
> hour maybe, sometimes a bit more) I am now seeing them take days,
> sometimes not even completing at all. It is especially problematic on
> Internet hosts, and doesn't seem to rear its head much on the LAN side
> scans. I have set up a number of scans, and have seen results range from
> very slow, to the process dumping mysteriously (no messages to indicate
> why), to "RESOURCE UNAVAILABLE" messages being generated when using
> 'strace' to monitor the process.
>
> I have tried it on different systems (all Linux) and the results are
> similar (if erratic). I have tried it on different ISP connections, and
> have gotten the same results. I have tried it on different hardware, and
> again the same results.
>
> I'm wondering if maybe there was a change in the Linux Kernel or
> something. At this point, I'm just throwing this out there to see if
> anyone has any comments. I know that I can do a number of things such as
> an alternate OS, Internet connection, and limiting the number of ports
> scanned, etc, etc. but am more interested in hearing if anyone else has
> seen this. It is possible that it is limited to my locale in some way
> (possibly our local ISPs have something in common)
>
> Thanks,
>
> Mark Lachniet
>
>
> -
> [EMAIL PROTECTED]: general discussions about Nessus.
> * To unsubscribe, send a mail to [EMAIL PROTECTED] with
> "unsubscribe nessus" in the body.
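The rule of thumb in the reply (60 ms ping times, 300 ms timeout) as a small script, added here as an example that is not part of the original message or of nmap. It assumes current nmap's spelling of the option, `--max-rtt-timeout`, a 5x multiplier taken from that 60 to 300 ratio, and a hypothetical 100 ms floor; the function names are illustrative.

```shell
#!/bin/sh
# Added example: turn a measured ping RTT into an nmap RTT-timeout cap.

# Constructed sample of a Linux ping summary (not captured from a real host).
SAMPLE_PING='5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 58.102/60.214/63.977/1.201 ms'

# Print the average RTT in whole milliseconds from ping output on stdin.
# Matches "rtt min/avg/max/mdev" (Linux) and "round-trip min/avg/max/stddev"
# (BSD/macOS). Exits non-zero when there is no summary line, i.e. no replies.
avg_rtt_ms() {
    awk '/min\/avg\/max/ {
             split($0, half, "= "); split(half[2], f, "/")
             printf "%d\n", f[2] + 0.5; found = 1
         }
         END { exit !found }'
}

# Timeout = RTT x factor (default 5, the 60 ms -> 300 ms ratio in the message),
# never below an assumed 100 ms floor so LAN-speed RTTs do not yield a ~0 cap.
timeout_ms() {
    t=$(( $1 * ${2:-5} ))
    if [ "$t" -lt 100 ]; then t=100; fi
    echo "$t"
}

# Print (do not run) the full connect scan from the quoted message with the cap.
suggest_cmd() {
    echo "nmap -sT -p 1-65535 --max-rtt-timeout $(timeout_ms "$2")ms $1"
}

# Stand-alone use: sh rtt_cap.sh <host you administer>
if [ "$#" -ge 1 ]; then
    rtt=$(ping -c 5 "$1" | avg_rtt_ms) || {
        echo "no ping replies from $1: set the timeout by hand" >&2
        exit 1
    }
    suggest_cmd "$1" "$rtt"
fi
```

A host that never answers ping gives no RTT to scale from, which is the case the reply describes as dragging the scan; the script reports that instead of guessing a value.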
