List:       nmap-dev
Subject:    Re: nmap on a scan server
From:       MadHat <madhat () unspecific ! com>
Date:       2003-08-26 23:15:30

On Tue, 2003-08-26 at 09:42, Juergen Schmidt wrote:
> Hello,
> 
> we are thinking about setting up a public self scan service. Of course we
> want to do the scans with nmap. We are planning to start the scans via ssh
> on a dedicated machine to separate this from the web server.

I am not going to mention the security concerns.

> As we are expecting a huge load (especially in
> the peaks) we need to make this as fast as possible. We are talking
> about hundreds if not thousands of parallel scan requests.
> 
> Does anybody have experience with this kind of load?
> 

Somewhat.  I find that on a single P4 2.26GHz machine with 1G RAM,  I
can run about 32 processes in parallel and still be able to use the box.

> Any kind of information is appreciated, especially:
> 
> Is it possible, to run many nmap instances in parallel?

Yes.  Though I can not guarantee you won't have any issues, I have not
experienced any.

> Are there known limits?

CPU, memory, bandwidth...

> Anybody with experience on running 100 nmap instances on one machine?

As I mentioned above I limit mine to about 32 processes at a time.  I
have a script that launches 1 nmap process after another keeping a
constant 32 running at any point in time.   I do this so I scan around
80K IPs in just under 10 hours, with OS detection.  Without OS detection
it is faster.

> Do I have to expect weird results because of incoming packets not
> delivered to the right nmap instance?

Like I said, not that I have noticed, but if there were 1 or 2 errors, I
wouldn't catch it.

> What are good timing options for a TCP Syn scan on port 1-1024, that
> should be reliable *and* fast?

I use 
-sS -F -PE -O -TAggressive
for my scans, but it depends on the results you are expecting.  Also
note that using -sS, which is faster, has to run as root, so nmap would
have to be SetUID, or ssh as root, or have sudo set up to allow nmap to
be run as root without a password, or something similar.  Same issue for
-O and -PE.

> Does it make sense to start nmap directly via ssh or is it better to have
> a perl script as a wrapper on the scan machine?

Well, that comes into how you want to get the data back to the web
server.  If you have "hundreds" running at once, then you have the box
with hundreds of SSH connections, as well as hundreds of nmap
processes.  Bandwidth could be an issue, load would be an issue, etc...

You may want to look at 
http://www.insecure.org/nmap/nmap_relatedprojects.html
Specifically: Remote nmap (Rnmap) or Spidermap

I have not used them personally, but they might give you some ideas to
work with.

-- 
MadHat at Unspecific.com
`But I don't want to go among mad people,' Alice remarked.
`Oh, you can't help that,' said the Cat: `we're all mad here...'
   -- Lewis Carroll - _Alice's_Adventures_in_Wonderland_


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help@insecure.org . List run by ezmlm-idx (www.ezmlm.org).
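
The launcher described in the reply above (a constant 32 nmap processes, each started as another finishes) combined with the wrapper-on-the-scan-machine idea from the question, written in Python as an added example; it is not MadHat's script or part of nmap. The function names, the 600-second timeout, the IPv4-literal target check and the use of -oX - to collect the XML report on stdout are assumptions of this example.

```python
import ipaddress
import subprocess
from concurrent.futures import ThreadPoolExecutor

MAX_PARALLEL = 32  # per-machine ceiling reported in the reply
NMAP_OPTS = ["-sS", "-F", "-PE", "-O", "-TAggressive"]  # options quoted in the reply


def build_argv(target, nmap="nmap"):
    """Build the argv for one target; raise ValueError on anything but an IPv4 literal.

    A web-supplied string therefore cannot reach nmap as an option,
    a hostname, a range or a second target.
    """
    addr = ipaddress.IPv4Address(target.strip())
    return [nmap, *NMAP_OPTS, "-oX", "-", str(addr)]  # -oX -: XML report on stdout


def run_one(argv, timeout=600):
    """Run one child without a shell; return (returncode, stdout)."""
    try:
        done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
        return done.returncode, done.stdout
    except subprocess.TimeoutExpired:  # child is killed; report it as unfinished
        return None, ""


def scan_all(targets, build=build_argv, workers=MAX_PARALLEL):
    """Start the next child as soon as one exits, never exceeding `workers`."""
    jobs, rejected = [], []
    for target in targets:
        try:
            jobs.append((target, build(target)))
        except ValueError:
            rejected.append(target)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        outputs = pool.map(run_one, [argv for _, argv in jobs])
        results = dict(zip([t for t, _ in jobs], outputs))
    return results, rejected


if __name__ == "__main__":
    # Constructed input: one documentation-range address and two strings
    # that must be rejected. Only validation runs here, no scan is started.
    for raw in ["192.0.2.10", "-iL /etc/hosts", "192.0.2.0/24"]:
        try:
            print(raw, "->", build_argv(raw))
        except ValueError:
            print(raw, "-> rejected")
```

Because -sS, -O and -PE need root, as the reply notes, a sudo rule for this wrapper can stay narrow: the argv is a fixed option list plus one validated address.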

