Host alive detection

If the scanner (Boreas or nmap) gets an ICMP unreachable back from an alive check, will it consider the host to be alive and list it for scanning, or will it consider that the same as if it got no response at all?

I ask because I have the option to send unreachables or not from my firewall. If it will accept unreachables and not list the host IP as alive, then this could speed up the scan process a bit; but if it decides that an unreachable means there is something there, then that will slow the scan down considerably.

Thanks in advance

It is never a good idea to scan through a firewall, due to session table and other negative and slow-down effects. I would place a sensor on the other side of the firewall and just establish a TCP connection through the firewall to the sensor to scan everything behind that firewall.

OK, I do understand the point you make, but my question was not about firewalls. Tell you what, I will leave the question intact and remove the firewall bit; the question remains the same whether it's a router or a firewall.

If the scanner (Boreas or nmap) gets an ICMP unreachable back from an alive check, will it consider the host to be alive and list it for scanning, or will it consider that the same as if it got no response at all?

If your host-alive criterion is ICMP, that host would not be scanned; if you configure "assume alive", any host will be scanned, with a huge impact on speed. So if you are not sure that this host is alive, do not use "assume alive"; that will slow things down. Additionally, if your firewall rate-limits the packets or blocks port scans, your scan results might have a lot of false negatives.

Thanks, I have done a lot of work and testing around this and I do understand this is less than ideal, but there is still value in scanning our internet-facing presence as well as running detailed scans internally.

The best solution seems to be TCP-SYN service checks, but that still depends on the firewall's attack mitigation mechanisms. They can send a TCP-RST, which would give a quick response, but I am pretty sure the scanner would interpret that as a positive sign that a host is present. Another option is to silently drop disallowed requests, but that has a sub-option to send unreachables. Clearly sending an unreachable will make the scan quicker than silently dropping, but my concern is that the scanner might decide that, because it received something, that is an indication there is a host present.

The new Boreas scanner seems to behave very differently from nmap, so I wondered how each of them would behave if they received an ICMP unreachable in response to a TCP-SYN, as opposed to no response and a timeout.
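An added illustration for the question above (example code, not Boreas or nmap code and not from anyone in this thread): an ICMP Destination Unreachable carries the IP source of whoever reported it plus a quote of the original probe's IP header and the first 8 bytes of its TCP header, so a scanner can correlate the message with the SYN it sent and can tell whether the target itself or an intermediate hop answered. The two interpretation policies in `classify_probe_outcome` are assumptions written to show the difference the question is about, not a statement of what either scanner actually does; the probe bookkeeping dict, the addresses (documentation ranges) and the packet bytes are all constructed here.

```python
"""Classify TCP-SYN alive-probe outcomes, including ICMP unreachables, under two
illustrative policies.  Added example, not Boreas or nmap code; all packet bytes
and addresses are constructed inline."""
import ipaddress
import struct

ICMP_DEST_UNREACHABLE = 3        # ICMP type
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def _ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_icmp_unreachable(reporter, code, scanner, target, sport, dport):
    """Construct an IPv4/ICMP type-3 datagram the way a router or host emits it:
    the ICMP body quotes the probe's IP header plus the first 8 bytes of its TCP header."""
    quoted_tcp = struct.pack("!HHI", sport, dport, 0)           # ports + sequence number
    quoted_ip = _ipv4_header(scanner, target, IPPROTO_TCP, 20)  # header of the 40-byte SYN
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0) + quoted_ip + quoted_tcp
    return _ipv4_header(reporter, scanner, IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_unreachable(datagram):
    """Return (reporter_ip, code, quoted_target, quoted_sport, quoted_dport),
    or None if this is not an ICMP unreachable quoting a TCP packet."""
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != IPPROTO_ICMP:
        return None
    reporter = str(ipaddress.IPv4Address(datagram[12:16]))
    icmp = datagram[ihl:]
    if icmp[0] != ICMP_DEST_UNREACHABLE:
        return None
    quoted = icmp[8:]
    quoted_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < quoted_ihl + 4 or quoted[9] != IPPROTO_TCP:
        return None
    quoted_target = str(ipaddress.IPv4Address(quoted[16:20]))
    sport, dport = struct.unpack("!HH", quoted[quoted_ihl:quoted_ihl + 4])
    return reporter, icmp[1], quoted_target, sport, dport


def classify_probe_outcome(probe, outcome, any_reply_means_alive):
    """probe: {"target", "sport", "dport"} of the SYN we sent (assumed bookkeeping).
    outcome: ("syn-ack"|"rst"|"timeout", None) or ("icmp", raw datagram bytes).
    Policy A (any_reply_means_alive=True): any correlated reply marks the host alive.
    Policy B (False): only a reply whose IP source is the target itself counts."""
    kind, payload = outcome
    if kind in ("syn-ack", "rst"):
        return "alive"                       # the target's own TCP stack answered
    if kind == "timeout":
        return "no-evidence"
    parsed = parse_icmp_unreachable(payload)
    if parsed is None:
        return "no-evidence"
    reporter, _code, quoted_target, sport, dport = parsed
    # Correlate the quoted probe with what we sent; unrelated ICMP is ignored.
    if (quoted_target, sport, dport) != (probe["target"], probe["sport"], probe["dport"]):
        return "no-evidence"
    if any_reply_means_alive or reporter == probe["target"]:
        return "alive"
    return "no-evidence"                     # an intermediate hop spoke, not the host


def probe_wait_seconds(outcomes, probe_timeout, rtt):
    """Time spent waiting: a reply of any kind costs one RTT, silence costs the full timeout."""
    return sum(probe_timeout if kind == "timeout" else rtt for kind, _ in outcomes)


if __name__ == "__main__":
    probe = {"target": "198.51.100.10", "sport": 40000, "dport": 443}
    from_router = build_icmp_unreachable("203.0.113.1", 1, "192.0.2.5", "198.51.100.10", 40000, 443)
    from_target = build_icmp_unreachable("198.51.100.10", 13, "192.0.2.5", "198.51.100.10", 40000, 443)
    for name, pkt in (("router", from_router), ("target", from_target)):
        for policy in (True, False):
            print(name, "any-reply-alive" if policy else "source-must-be-target",
                  classify_probe_outcome(probe, ("icmp", pkt), policy))
```

Running the block shows the two policies agreeing when the target itself sends the unreachable (code 13, administratively prohibited, is what a host firewall would typically send) and disagreeing when a router upstream reports host unreachable (code 1). `probe_wait_seconds` models the speed trade-off from the question: every probe that draws any reply costs one round trip, while a silently dropped probe costs the full per-probe timeout, regardless of which verdict the reply leads to.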

That is a different phase: ICMP is used to detect whether the host is alive; Boreas has nothing to do with an ICMP message that results from an attempt to connect to a TCP or UDP port.

First the alive check; if the host seems to be alive, then a port scan, and only open ports are used if you go with the Full & Fast scan configuration.

I don't understand. TCP-SYN is the alive check. Boreas has a list of TCP ports it tests to see if the host is alive in the first phase (as does nmap).

Never mind, I think I have answered it myself. The answer seems to be yes: if the scanner receives an ICMP unreachable, it takes that to mean that there is a host alive on that IP, even if the unreachable comes from a router in an ISP network and nowhere near the host itself.