I am hoping to create a follow-up discussion for this issue: #819
I am interested in whether @dbomma found the performance they are looking for on AWS or if the problem was only an issue with zmap. As the issue showed, the EC2 c6a.8xlarge server was tested up to 2600 Mbit/s of bandwidth. However, SYN packet scanning involves sending single packets to tons of different IPs, which seems like a different scenario entirely from using the speedtest-cli to measure bandwidth between two hosts. I've read ~7-year-old issues on the masscan repo that talk about using a certain masscan command line switch and host firewall rule combination to prevent overwhelming some sort of EC2 virtual network state table. I don't really know the details of that particular case or whether that kind of thing is still relevant, which brings me to creating this discussion.
So, are there any issues or gotchas with using EC2/DigitalOcean/GCP to scan, or does it actually all just work with fairly default configurations nowadays? What sort of things need to be tuned besides rate, if anything? What sort of reliable rates can be expected from various instance and networking combinations? I usually see that anything past 2000 packets per second starts to get into "lots of misses" territory even on t3/t3a AWS instances, but that's kind of hard for me to actually measure (see #744).
Outside of potential virtualized infrastructure problems, what are some other factors that are likely to affect the accuracy of repeat scans in particular? How many networks out there notice SYN scans and actively start blocking? Do providers care? Any specific security appliances to call out? Have people seen more success with the syn-ack scan option of zmap? Perhaps, is a TCP connect style scan, where the code simply asks the OS to attempt a connection and waits for a timeout, more likely to produce accurate results nowadays?
I am not really expecting to get exact answers to my many questions, but if anyone has more real-world scanning advice to share it would be appreciated.
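The post says that the "lots of misses" effect on repeat scans is hard to measure. One way to quantify it, as an added example that is not part of the discussion above and not zmap's own tooling: compare the responder sets from two runs of the same scan (zmap's default CSV output has a `saddr` column) and report how many hosts answered in both runs, in only one, and the Jaccard overlap between the two sets. The two CSV inputs below are constructed sample data, not real scan results; the function and field names are this example's own.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample data: two zmap-style CSV result files from the same
# target list scanned twice. These are documentation addresses, not real hosts.
SCAN_RUN_1 = """saddr
203.0.113.10
203.0.113.11
203.0.113.12
203.0.113.20
198.51.100.5
"""

SCAN_RUN_2 = """saddr
203.0.113.10
203.0.113.12
203.0.113.21
198.51.100.5
198.51.100.6
"""


def parse_responders(csv_text):
    """Return the set of responding source addresses from zmap-style CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["saddr"].strip() for row in reader if row.get("saddr")}


@dataclass(frozen=True)
class RepeatScanStats:
    both: int            # hosts that answered in both runs
    only_first: int      # answered in run 1 but not run 2
    only_second: int     # answered in run 2 but not run 1
    jaccard: float       # |A & B| / |A | B|; 1.0 means identical runs
    flapping: frozenset  # hosts seen in exactly one run (lost by rate, blocking, churn, ...)


def compare_runs(first_csv, second_csv):
    """Compare two runs of the same scan and summarise how consistent they were."""
    a = parse_responders(first_csv)
    b = parse_responders(second_csv)
    union = a | b
    both = a & b
    flapping = frozenset(a ^ b)
    jaccard = len(both) / len(union) if union else 1.0
    return RepeatScanStats(
        both=len(both),
        only_first=len(a - b),
        only_second=len(b - a),
        jaccard=jaccard,
        flapping=flapping,
    )


def flapping_fraction(stats):
    """Lower bound on the share of the observed host population that at least
    one of the two runs missed; a rising value across rates is the 'misses'
    signal the post is trying to measure."""
    total = stats.both + stats.only_first + stats.only_second
    return len(stats.flapping) / total if total else 0.0


if __name__ == "__main__":
    stats = compare_runs(SCAN_RUN_1, SCAN_RUN_2)
    print(f"both={stats.both} only_first={stats.only_first} "
          f"only_second={stats.only_second} jaccard={stats.jaccard:.3f}")
    print(f"flapping fraction={flapping_fraction(stats):.3f}")
    for host in sorted(stats.flapping):
        print("  inconsistent:", host)
```

Running the same comparison at several send rates (and with real output files read from disk instead of the embedded strings) gives a per-rate curve of the flapping fraction; the rate at which that curve starts climbing is a more defensible "misses" threshold than eyeballing result counts.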