[H-GEN] An iptables question ...

Anthony Towns aj at azure.humbug.org.au
Thu Sep 19 10:52:15 EDT 2002



On Thu, Sep 19, 2002 at 10:10:26PM +1000, Robert Brockway wrote:
> It is particularly useful as it slows down many automated
> probing scripts.  If they get a port unreachable response they move on
> (launching the next probe on you or someone else), but if they just get
> silence they have to wait to timeout.

Of course, that's only because it's not done often enough for the
s'kiddies' scripts to be threaded or have decent select loops.

Given 150kbps of bandwidth, a SYN of at least 48 bytes and enough
bandwidth left over for a 48 byte NAK/ACK, say, you can only probe about
1500 ports per second, so given a timeout of, say, ten minutes then
you only need a couple of MB of RAM [0] to keep track of your ongoing
massively parallel probe. By comparison that's about how much memory a
copy of bash or ssh takes up on my laptop here.

Depending on how efficient your CPU is compared to how much bandwidth
you've got available, you might need to spend some more memory sorting
your probes by time, rather than host, which might get interesting,
but given your average GHz box, with 256MB of RAM or better, bandwidth
(and hopefully the security of the boxes you're probing) is still going
to be your limiting factor.

Cheers,
aj

[0] #include <stdint.h>

    #define BWIDTH   150000                            /* bandwidth, as in the estimate above */
    #define MAX_PORT 10000                             /* ports probed per host */
    #define TIMEOUT  600                               /* seconds before a silent port is given up on */
    #define N_HOSTS  ((BWIDTH * TIMEOUT / 48 / 2) / MAX_PORT)    /* ~100 */

    typedef uint32_t ipv4addr_t;                       /* one IPv4 address, 4 bytes */

    ipv4addr_t hosts[N_HOSTS];                         /* ~400 bytes */
    int        portstatus[N_HOSTS][MAX_PORT];          /* ~4MB */

    /* bits 0-10 == what time the probe happened,
     * bits 11,12 == nothing, synsent, ackreceived, synack sent
     * bits 13-31 == whatever else you might need */

-- 
Anthony Towns <aj at humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''
