RE: Scanning - anyone got ball park timings?

From: Conan the Librarian (conan_the_librarian@adelphia.net)
Date: Thu May 29 2003 - 14:57:52 EDT


I've done one or two scans in my time with a host of vendors' and open
source tools. It seems that if you are doing a SANS Top Ten for 1700 hosts,
your 16-hour time frame is a bit long. Let's assume that the scanner machine
is not CPU max'ed and causing the delays.

Your comment about "1700 hosts found" implies that you have set the scanner
to look for hosts, instead of specifying a list or tight range. Searching
for hosts usually involves some species of ICMP query or a connect attempt
via TCP. Doing this is going to add time as you have a limited number of
threads you can support at any one time and you must allow timeouts to occur
on absent/down machines before you can add another. Try being more specific
on your host list to avoid this. Also check out the default "host alive?"
settings on the scanner - you may be trying to connect to multiple protocols
or ports and not be aware of it.

Another thing that can add lots of time to a simple scan is name resolution
for each host found. Each resolution query is brief, but it does add up with
large segments involved in the scan. Disable name resolution to avoid this
problem.

Finally, sniff a scan session and look for network problems, esp. with
congestion, time-outs, slow host responses and resolutions. Scanners are
relatively noisy and the increased load may burden the host(s) scanned or
some portion of the network. Any device causing issues should show up
clearly in the trace file.

If all else fails, a reliable standby is to break the scan into smaller
segments and run them via cron or AT.

Dr. Michael J Staggs

-----Original Message-----
From: Mark Phillips [mailto:mark@probably.co.uk]
Sent: Thursday, May 29, 2003 7:27 AM
To: pen-test@securityfocus.com
Subject: Scanning - anyone got ball park timings?

Hi,

What are people's experiences of time scales when scanning ranges of hosts?
OK, so I know that's a "how long is a piece of string", but if people can
say what sort of times they're getting for a given size of IP range and
given type of scan, that would be helpful.

I've been running a "SANS 20" policy scan from ISS Internet Scanner 7,
across the Internet, and am seeing timings like 16 hours for 1700
addresses found. Is this realistic? Is this quick or slow? If it's slow,
do people have any hints and tips about how to speed up the whole process?

Any pointers muchos appreciated.

Cheers,

--Mark
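The reply above makes three points that are easy to put numbers on: host discovery costs a full timeout per absent address while threads are limited, reverse name resolution adds a fixed cost per found host, and a big job is best split into segments run from cron. The script below is an added example, not code from either poster or from ISS Internet Scanner; the thread counts, timeouts, per-host durations, the /19 range and the `scanner` command are constructed assumptions (the thread gives only "1700 addresses found" and "16 hours").

```python
"""Added example (not from the thread): a rough wall-clock model for a
policy scan and a helper that splits a range into cron-sized segments.
All figures are constructed assumptions, not measurements."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ScanProfile:
    threads: int            # probes the scanner keeps in flight at once
    alive_timeout_s: float  # seconds waited before a silent address is dropped
    per_host_scan_s: float  # average time to run the policy against a live host
    dns_lookup_s: float     # reverse lookup per found host; 0.0 if disabled


def estimate_hours(n_targets: int, n_alive: int, p: ScanProfile,
                   discover: bool) -> float:
    """Total sequential work divided by the thread count.

    With discovery on, every dead address burns a full timeout before its
    thread is freed (the reply's point); with an explicit host list only the
    live hosts cost anything. Congestion and slow responders are not modelled.
    """
    live_work = n_alive * (p.per_host_scan_s + p.dns_lookup_s)
    if discover:
        dead = n_targets - n_alive
        work = dead * p.alive_timeout_s + live_work
    else:
        work = live_work
    return work / p.threads / 3600.0


def split_targets(network: str, segments: int) -> list[list[str]]:
    """Split a CIDR range into roughly equal host lists, one per segment."""
    hosts = [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    size = -(-len(hosts) // segments)  # ceiling division
    return [hosts[i:i + size] for i in range(0, len(hosts), size)]


def cron_schedule(n_segments: int, start_hour: int, interval_hours: int,
                  cmd_template: str) -> list[str]:
    """One crontab line per segment, spaced interval_hours apart.

    cmd_template must contain '{seg}', which is replaced by the segment index;
    hours wrap past midnight so a long series spills into the next day.
    """
    lines = []
    for seg in range(n_segments):
        hour = (start_hour + seg * interval_hours) % 24
        lines.append(f"0 {hour} * * * " + cmd_template.format(seg=seg))
    return lines


if __name__ == "__main__":
    # Constructed scenario: a /19 sweep (8190 addresses) that found 1700 hosts.
    profile = ScanProfile(threads=32, alive_timeout_s=10.0,
                          per_host_scan_s=60.0, dns_lookup_s=0.5)
    print("discovery on :", round(estimate_hours(8190, 1700, profile, True), 2), "h")
    print("explicit list:", round(estimate_hours(8190, 1700, profile, False), 2), "h")
    no_dns = ScanProfile(32, 10.0, 60.0, 0.0)
    print("list, no DNS :", round(estimate_hours(8190, 1700, no_dns, False), 2), "h")

    segs = split_targets("10.0.0.0/19", 4)  # constructed range
    for i, seg in enumerate(segs):
        with open(f"segment{i}.txt", "w") as fh:
            fh.write("\n".join(seg) + "\n")
    # 'scanner' is a placeholder for whatever tool actually reads the list.
    for line in cron_schedule(len(segs), 22, 2, "scanner --targets segment{seg}.txt"):
        print(line)
```

The model is deliberately crude: it shows why discovery over a sparse range dominates (6490 dead addresses times a 10-second timeout is more work than the 1700 live hosts), and why turning off reverse lookups trims a fixed slice rather than fixing a slow scan on its own. Real timings still depend on the congestion and slow responders the reply suggests catching in a packet trace.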



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT