Wednesday, May 5, 2010

Ethical Hacking: Why does your port scanner show slow performance

A scanner might not get a response to a SYN packet for two main reasons. Either a firewall or IDS (Intrusion Detection System) has blocked the SYN packet and discarded it, or the SYN packet or its response was lost somewhere in the channel.

In the first case, where the network is firewalled, the scanner has no way of being certain that the packet was not simply lost in transit. So, to be certain, the scanner waits for a finite time and then resends the SYN packet.

For example, Nmap retransmits the SYN two times before reaching the conclusion that the port is filtered. It then moves on to the next port.

The time a scanner spends waiting for a response is what slows down the port scan. For a full port scan, the scanner has to repeat this waiting and retransmission for each of the 65535 ports, so the cost of every filtered port is multiplied thousands of times.

Nmap has several configurable parameters to optimize the wait time and improve speed depending on the type of network. Alternative scanning techniques such as stateless scanning improve speed by not waiting for the response at all.

The paranoid timing template is the slowest. Its main purpose is to remain undetected, and it does its best to avoid alerting the host. The sneaky template also probes one port at a time, but it waits just 15 seconds between probes. Aggressive scanning is recommended for firewalled hosts. It waits only 1.25 seconds before timing out a probe and starts with an initial RTT expectation of 0.8 seconds.
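To make the waiting cost concrete, here is an added simulation (constructed for this post, not Nmap's own code) of the rule described above: send a SYN, wait up to a timeout, retransmit a fixed number of times, then declare the port filtered. The port table, the 1.25 second timeout and the 15 second inter-probe delay are constructed inputs, and nothing here touches a network.

```python
"""Simulated SYN probe timing (constructed example, not Nmap's code).

Shows why filtered ports dominate scan time: an open or closed port answers
after one round trip, while a port whose SYN is silently dropped costs the
full timeout for the first probe and for every retransmission.
"""
from dataclasses import dataclass

# Constructed per-port behaviour: (reply kind, round-trip seconds).
# None means the SYN is dropped by a firewall and no reply ever arrives.
SAMPLE_PORTS = {
    22: ("SYN-ACK", 0.05),   # open service
    23: ("RST", 0.05),       # closed port
    80: None,                # firewalled port: SYN discarded
}


@dataclass
class ProbeResult:
    state: str          # "open", "closed" or "filtered"
    probes_sent: int    # first SYN plus any retransmissions
    time_spent: float   # seconds the scanner waited on this one port


def probe_port(port, timeout, retries, responses=SAMPLE_PORTS, loss_on_try=()):
    """Send a SYN, wait `timeout` seconds, retransmit up to `retries` times.

    `loss_on_try` lists attempt numbers whose reply is lost in transit; this
    models the second cause from the text, a dropped packet on a live port,
    which a retransmission recovers from.
    """
    elapsed = 0.0
    for attempt in range(1, retries + 2):           # first probe + retries
        reply = responses.get(port)
        if reply is not None and attempt not in loss_on_try and reply[1] <= timeout:
            elapsed += reply[1]                     # answered within the timeout
            state = "open" if reply[0] == "SYN-ACK" else "closed"
            return ProbeResult(state, attempt, round(elapsed, 3))
        elapsed += timeout                          # waited the whole timeout
    return ProbeResult("filtered", retries + 1, round(elapsed, 3))


def scan_cost(timeout, retries, responses=SAMPLE_PORTS, scan_delay=0.0):
    """Seconds to probe every port sequentially, with an optional fixed
    delay between probes such as the sneaky template's 15 seconds."""
    total = 0.0
    for port in responses:
        result = probe_port(port, timeout, retries, responses)
        total += result.time_spent + scan_delay * result.probes_sent
    return round(total, 3)
```

With the constructed table, the single firewalled port accounts for almost the entire scan time, and adding a 15 second inter-probe delay multiplies the cost again for every retransmission it forces.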
