RE: [ISSForum] Optimizing Internet Scanner
Right, of course. I just tried to point out the main levers you could move to have your job done... CPU power isn't the key since Michael himself tells us it didn't increase performance. Clearly, doubling scan threads will double (or more) CPU consumption... Another key is bandwidth: it doesn't matter if you are using a 10 Mb Half Duplex or a gigabit ethernet, if you are scanning only a few hosts around your network... it's like your CPU: if you're not using all of it, upgrading won't do the trick.

Personally I never had to fill up a 100 Mb ethernet using any scanner whatsoever, in particular I wouldn't, because it would impact network performance... If you are running on a gigabit LAN segment, would you run a scan that takes up, say, 300 Mbps? Ethernet theory tells you that you are using most of your USEFUL bandwidth for scanning... sounds like you're making a DoS attack on the LAN you are probing!

In addition, most default parameters of scanners are optimized to scan over the Internet, thus having timeouts and retries a little bit too large for optimal LAN scanning. I remind you that this tool is named Internet Scanner...

Just my personal point of view, anyway. Completely general. I don't even remember how to configure the ISS tool in particular, so I went into "universal mode"...

Hope this could help

Mario

Sacchi's comments are valid, but I'd debate some of them. Trying to pump data onto a gigabit network is hard for slower CPUs. Sort of like having a Ferrari engine with a 2-barrel on it. It is true that waiting for responses doesn't require CPU usage, but think about it. If you increase the Scan threads (Threads are a CPU Function) and you are trying to pump out a high scan connection count onto a Gigabit pipe, the bottleneck will most likely be getting info from the systems being scanned. Decreasing timeouts and retries would speed things up but at what cost? Especially with switches, ICMPs can get lost and you have a high rate of hosts not responding. If this was an old 10mbit half-duplex LAN, I'd agree the bottleneck is the LAN, but it doesn't seem to be that slow of a network. It is definitely a combination of a lot of things. Experimentation is the key.

Debate is good!!

regards!

Mark

-----Original Message-----
From: Sacchi Mario [mailto:Mario.Sacchi@xxxxxxxxxxxx]
Sent: Monday, December 02, 2002 4:01 PM
To: Wisniewski, Michael; issforum@xxxxxxx
Subject: RE: [ISSForum] Optimizing Internet Scanner

Hi! I was wondering if anybody had any
tips or tricks to make Internet Scanner run faster. I'm very
confused and wished that it would speed things up. We've upgraded
our scanning systems to a P4, 1.8 GHz, 256 meg ram, and gigabit fiber nic,
and the scans still run at the same pace as our 500 MHz, 256 meg ram, and
100mbps nic. If anybody has any ideas or tips to optimize the scans,
that would be great! Thanks!
---------------------------------------------------------------
Michael Wisniewski
Cyber Security Analyst
- Sans GIAC Security Essentials Certified
- Internet Security Systems Certified
Argonne National Laboratory
Office of the Chief Information Officer
630-252-7560 (Work)
630-514-2874 (Mobile)