Problem description

When I scan myself I will often see random open ports:

nmap -sT -T normal -p 1-65535 localhost

For example:

43194/tcp open  unknown
58167/tcp open  unknown

Sometimes nothing, sometimes a couple like that.

I see however that this has been a false positive before, but it is now very old:

http://seclists.org/incidents/2002/Dec/136

There is some other user also reporting this more recently though:

https://bbs.archlinux.org/viewtopic.php?id=168197

But there doesn't seem to be that many who have noticed it. I also find it strange that this is still a "bug"/issue with the kernel. Has this problem really been the same for that long?

Can anyone else confirm that this is normal behaviour (the test must be executed several times to be conclusive, probably varying from system to system if this is indeed a kernel/nmap issue)? I've tested this on several physical machines now, and the result is the same. Including one machine which had its OS recently installed and has never been running a network facing service so a compromise seems very unlikely.

My ip_local_port_range is 32768 61000

Kernels tested: 3.16.3-smp, 3.17.8-gentoo-r1

Nmap versions: 6.4, 6.47

This also happens if I scan my IP, but from the same physical machine. If I scan the machine from a different machine, even with -T insane, I never see these ports open.

Recommended answer

Yes, this is a known issue with Linux: a connection to localhost on a closed ephemeral port has a small chance (usually about 1 in 28000) of connecting to itself with a 4-way or "split" handshake. Nmap suffers the most from this bug, since it connects to so many different ports at once that the chances amount to a near-certainty of happening at least once in a localhost -sT (TCP Connect) scan.

Nmap has a long history with this bug. In 1999, Fyodor reported it to the LKML, but it was deemed to be an edge case in the RFC, and not a bug in the Linux kernel. A workaround was put in place in 2000, but it was removed in February 2013 as part of a cleanup effort, since it had a race condition. The next release was Nmap 6.40, which you say shows the invalid results.

Last summer, I introduced a change to check for and re-test these spurious results. The next release of Nmap will not have the same problem.

The bug affected versions 6.40 - 6.47. It was fixed in 6.49BETA1 (2015-06-03).
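
The self-connection described in the answer can be recognized after the fact because both ends of the socket are the same address and port. The following is an added example, not code from the original answer or from Nmap: a TCP connect probe that compares the local and peer endpoints before reporting a port as open. The `source_port` parameter and the helper names are hypothetical; binding the source port to the target port forces, on Linux, the collision that a localhost scan otherwise hits only by chance.

```python
import socket

def classify(sock):
    """Label a connected TCP socket: a self-connection has identical endpoints."""
    return "self-connect" if sock.getsockname() == sock.getpeername() else "open"

def probe(host, port, source_port=None, timeout=1.0):
    """TCP connect probe that tells a real listener from a self-connection.

    source_port is a hypothetical test knob: setting it equal to the target
    port reproduces the ephemeral-port collision deterministically.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_port is not None:
            s.bind((host, source_port))
        s.connect((host, port))
        return classify(s)
    except OSError:
        # Refused, timed out, or the platform does not allow the self-connect.
        return "closed"
    finally:
        s.close()

def free_port(host="127.0.0.1"):
    """Ask the kernel for a currently unused port, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]

def demo():
    """Return (result for a real listener, result for a forced self-connect)."""
    host = "127.0.0.1"
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(1)
    real = probe(host, listener.getsockname()[1])
    listener.close()
    p = free_port(host)                      # nothing listens on p
    forced = probe(host, p, source_port=p)   # source port == target port
    return real, forced

if __name__ == "__main__":
    print(demo())
```

A plain connect scan would count the second probe as an open port, since `connect()` succeeds; the endpoint comparison is what keeps it out of the results.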
