RE: Discovery Scanning Issues

From: Lyal Collins (lyal.collins@key2it.com.au)
Date: Sat Jan 07 2006 - 17:08:57 EST


My experience is:
 Many DSL modems run a embedded linux OS that performs the routing, NATing
firewalling etc.
Generally, iptables are used, with the ip_conntrack modules used for NATing.
Due to memory constraints, many DSL devices only have a limited ip_conntrack
pool size by default, somewhere between 512 and 1024 connections, afaik.
Also many DSL modems use a long timeout for established contrack routes,
often 2-5 days.

These factors combine to affect many things, such as bittorrents and some
other P2P traffic as well, not just nmap.

Googling on DSl ip_conntrack, and bit torrents is usually a good pointer
ideas, issues for your modem make/model.

I've found 2 workarounds that complement each other:
Use the -T Polite setting in nmap. This slows down the number of new
routes/sec (source IP:port, dest IP:port) created by nmap, and allows some
ip_conntracks to expire and thus be reused
Access the modem's command line e.g. via telnet, and tune the ip_conntrack
settings e.g
E.g on a D-Link 604T, these commands raise the ip_conntrack limit to 2048,
and reduces various timeouts significantly from the default firmware
settings. Depending on the amout of free RAM, you may be limited to 1024,
or more than 2048 - experiment and see if the modem still works, if not,
reboot/power cycle, and try different settings. Your milaeage may vary
significantly.

echo 2048 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo 50 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
echo 5 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
echo 1200 >
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
echo 10 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 180 > /proc/sys/net/ipv4/tcp_keepalive_intvl

Of course, some DSL modems allow you to upload a custom firmware on Linux OS
distro, which would then allow you to tune the default parameters for your
purposes. I've not done this due to the time and learning curve involved,
but reportedly, some have had success with building and installing their own
firmware.

On other option, that often more disruption to your internal network, is to
use a 'dumber' USB-based DSL modem, and have your test box mangage all the
DSL network connectivity, ip_conntrack pools etc. This works, as long as
your test box is running a good firewall itself against external attacks.
The test box then becomes 'misison critical' in terms of your internet
access for other machies on the internal network.

Lyal

-----Original Message-----
From: kataka@hush.com [mailto:kataka@hush.com]
Sent: Sunday, 8 January 2006 2:48 AM
To: pen-test@securityfocus.com
Subject: DSL: Discovery Scanning Issues

DSL was finally brought to where I live, and I have started
experimenting with discovery scans using Nmap.

The problem is, if I try and scan for more than 1024 ports on a
single host, my cheep-o Zoom DSL router/modem/switch/thingy starts
to flake out, in the sense I can't ping my DSL router any more and
I loose connectivity to the Internet until I reset the router.

I believe this is because Nmap is filling up my router's NAT pool
or something. I've looked at the config of the router and it's only
got a 1024 connection NAPT port limit that cannot be adjusted and
timeouts measured in seconds as opposed to ms.

What should I do? Are other people with low-end DSL routers able to
overcome this problem? Should I look at getting a better router, if
so, what kind? Or, is it best to not scan through NAT and assign my
Internet Routable IP to my scanning box directly? If so, how would
this work under DSL, would I need to buy some kind of an Ethernet
to RJ-11 adapter card, configure routing, install PPP encapsulation
software on the box itself?

Concerned about your privacy? Instantly send FREE secure email, no account
required http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

----------------------------------------------------------------------------

--
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers
do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:20 EDT