RE: Scanning - anyone got ball park timings?

From: Conan the Librarian (conan_the_librarianat_private)
Date: Thu May 29 2003 - 11:57:52 PDT


    I've done one or two scans in my time with a host of vendors' and open
    source tools. It seems that if you are doing a SANS Top Ten for 1700 hosts,
    your 16 hour time frame is a bit long. Let's assume that the scanner machine
    is not CPU maxed and causing the delays.
    
    Your comment about "1700 hosts found" implies that you have set the scanner
    to look for hosts, instead of specifying a list or tight range. Searching
    for hosts usually involves some species of ICMP query or a connect attempt
    via TCP. Doing this is going to add time, as you have a limited number of
    threads you can support at any one time and you must allow timeouts to occur
    on absent/down machines before you can add another. Try being more specific
    in your host list to avoid this. Also check out the default "host alive?"
    settings on the scanner: you may be trying to connect to multiple protocols
    or ports and not be aware of it.
    
    Another thing that can add lots of time to a simple scan is name resolution
    for each host found. Each resolution query is brief, but it does add up with
    large segments involved in the scan. Disable name resolution to avoid this
    problem.
    
    Finally, sniff a scan session and look for network problems, especially
    congestion, time-outs, slow host responses and resolutions. Scanners are
    relatively noisy and the increased load may burden the host(s) scanned or
    some portion of the network. Any device causing issues should show up
    clearly in the trace file.
    
    If all else fails, a reliable standby is to break the scan into smaller
    segments and run them via cron or AT.
    
    
    Dr. Michael J Staggs
    
    
     -----Original Message-----
    From: 	Mark Phillips [mailto:markat_private]
    Sent:	Thursday, May 29, 2003 7:27 AM
    To:	pen-testat_private
    Subject:	Scanning - anyone got ball park timings?
    
    Hi,
    
    What are people's experiences of time scales when scanning ranges of hosts?
    OK, so I know that's a "how long is a piece of string" question, but if people
    can say what sort of times they're getting for a given size of IP range and
    given type of scan, that would be helpful.
    
    I've been running a "SANS 20" policy scan from ISS Internet Scanner 7,
    across the Internet, and am seeing timings like 16 hours for 1700
    addresses found. Is this realistic? Is this quick or slow? If it's slow,
    do people have any hints and tips about how to speed up the whole process?
    
    Any pointers muchos appreciated.
    
    Cheers,
    
    --Mark
    
    
    



    This archive was generated by hypermail 2b30 : Thu May 29 2003 - 13:01:05 PDT