
Speed limit of SYN scanning ports of multiple targets?

I've coded a small raw-packet SYN port scanner to scan a list of IPs and find out whether they're online (by the way: for Debian, in Python 2.7).

The basic intention was simply to check whether some websites are reachable, and to speed that process up by first sending a raw SYN request (port 80), but I stumbled upon something.

Just for fun I started trying to find out how fast I could get with this check technique (the fastest I know of), and it turns out that, although I'm only sending raw SYN packets on one port and listening for responses on that same port (with tcpdump), connection reliability drops quite a bit starting at about 1500-2000 packets/sec, and shortly thereafter almost all networking on the box starts blocking.

I thought about it, and if I compare this value with e.g. torrent seeding/leeching packets/sec, the scan speed is quite slow.

I have a few ideas why this happens, but I'm not a professional and I have no clue how to check whether my assumptions are right.

Firstly, it could be that Linux networking has some fancy internal port-forwarding stuff running to keep the sending port open (maybe some sort of iptables feature?), because the script seems to be able to receive the SYN-ACK even with a closed source port.

If so, is it possible to prevent or bypass that in some fashion?

Another guess is that the Python library is simply too dumb to do proper raw-packet management, but that's unlikely because, as far as I know, it uses internal Linux functions to do that.

  • Does anyone have a clue why that network blocking is happening?
  • Where's the difference to torrent connections or anything else like that?
  • Do I have to send the packets in another way or anything?
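The raw SYN probe the question describes, as an added example (Python 3, written for this page; it is not the asker's Python 2.7 script): it crafts an IPv4/TCP SYN with a correct IPv4 header checksum and a TCP checksum over the pseudo-header, then parses a reply from raw bytes, classifies SYN-ACK as open and RST as closed, and correlates the reply with the probe by ports and acknowledgement number so stray traffic on the capture port is not counted as a result. The addresses, ports, sequence numbers and the reply packets are constructed for the demo, not captures. Sending needs CAP_NET_RAW and is kept in a function the demo does not call.

```python
"""Raw TCP SYN probe primitives: craft an IPv4/TCP SYN with valid checksums,
then parse and classify the reply (SYN-ACK = open, RST = closed).

Added example; Python 3, stand-alone, no network needed for the demo."""
import socket
import struct

# TCP control bits (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535):
    """20-byte TCP header; the checksum covers the IPv4 pseudo-header, exactly
    as the receiving stack recomputes it."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, window, 0, 0)   # data offset 5 words, checksum 0 for now
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src_ip, dst_ip, payload, ttl=64):
    """Minimal IPv4 header (no options, DF set) with header checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_syn(src_ip, dst_ip, sport, dport, seq):
    """A complete SYN probe packet, ready for a raw socket with IP_HDRINCL."""
    return build_ipv4(src_ip, dst_ip, build_tcp(src_ip, dst_ip, sport, dport, seq, 0, SYN))


def tcp_checksum_ok(packet):
    """Recompute the TCP checksum over pseudo-header plus segment; a correct
    checksum folds to zero. Uses the IPv4 total length so trailing link-layer
    padding is ignored."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    seg = packet[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, socket.IPPROTO_TCP, len(seg))
    return checksum(pseudo + seg) == 0


def parse_reply(packet):
    """Parse an IPv4/TCP packet and classify it from the scanner's point of view."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[0] >> 4 != 4 or packet[9] != socket.IPPROTO_TCP or total_len > len(packet):
        raise ValueError("not a complete IPv4/TCP packet")
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    if flags & SYN and flags & ACK:
        state = "open"          # target completed step 2 of the handshake
    elif flags & RST:
        state = "closed"        # RFC 793: RST answers a SYN sent to a port with no listener
    else:
        state = "other"
    return {"src_ip": socket.inet_ntoa(packet[12:16]), "dst_ip": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "state": state, "tcp_checksum_ok": tcp_checksum_ok(packet)}


def reply_matches(reply, target_ip, sport, dport, probe_seq):
    """Correlate a reply with the probe that caused it: ports swapped, source is the
    target, and the acknowledgement number is our ISN + 1. Stray traffic seen on the
    capture port fails this check instead of being counted as a result."""
    return (reply["src_ip"] == target_ip and reply["sport"] == dport
            and reply["dport"] == sport and reply["ack"] == (probe_seq + 1) & 0xFFFFFFFF)


def send_syn(target_ip, dport, src_ip, sport, seq):
    """Send one crafted SYN (needs CAP_NET_RAW). Not called by the demo below.
    With no socket bound to sport, the kernel answers the returning SYN-ACK with
    its own RST; raw scanners usually suppress that with a rule such as
    iptables -A OUTPUT -p tcp --tcp-flags RST RST --sport <sport> -j DROP"""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(build_syn(src_ip, target_ip, sport, dport, seq), (target_ip, 0))


if __name__ == "__main__":
    # Constructed demo addresses (RFC 5737 documentation ranges) and a constructed SYN-ACK reply.
    me, target, sport, isn = "192.0.2.10", "198.51.100.20", 40000, 0x11223344
    probe = build_syn(me, target, sport, 80, isn)
    synack = build_ipv4(target, me, build_tcp(target, me, 80, sport, 0xAABBCCDD,
                                              (isn + 1) & 0xFFFFFFFF, SYN | ACK))
    info = parse_reply(synack)
    print(probe.hex())
    print(info["state"], reply_matches(info, target, sport, 80, isn))
```

The same `parse_reply` can be fed the raw bytes a capture socket or tcpdump hands back for the scanner's source port; `tcp_checksum_ok` is worth keeping in the loop, since a reply with a bad checksum would have been discarded by a real stack and should not count as a host being online.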

Months ago I found out that this problem is well known as the c10k problem.
Among other things, it has to do with how the kernel allocates and processes TCP connections internally.
The only efficient way to address the issue is to bypass the kernel TCP stack and implement various other low-level things yourself.
All good approaches I know of work with low-level async implementations.
There are some good ways to deal with the problem depending on the scale.
For further information I would recommend searching for the c10k problem.

