Nmap Development mailing list archives

Re: decoys and limiting outbound RST packets


From: Slarty <slarty () Vectrex org uk>
Date: Sun, 2 Jan 2005 10:31:05 +0000

On Saturday 01 January 2005 22:19, Michael Rash wrote:
> Proposed solution:
>     Provide an interface to use a local packet filter (if available)
> to restrict outbound RST packets to the target for the duration of
> any scan that causes unsolicited SYN/ACK packets to be sent to the
> scanning system.

I wrote a scanner which already does this (RST blocking).

If you use decoys with nmap, the decoys have to be machines which are online 
themselves (hence will send a RST back), otherwise it will be obvious which 
is the "real" scanning host.

However, as nmap now has the "idle scan", decoys aren't really necessary for 
people who want to hide their IP address while scanning, as the "idle scan" 
does not send any non-spoofed packets to the target anyway.

Anyway, RST blocking is a useful feature on its own even without decoys and 
spoofing:

- Reduces network traffic during big scans
- Less likely to trigger IDS (if they have a rule which spots reset half-open 
connections)

Slarty

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
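
Seen from the target's sensor, the IDS point in the message above has two cases: a handshake that is reset after the SYN/ACK, and, when the scanning host filters its outbound RSTs, a SYN/ACK that is never answered and gets retransmitted. The sketch below is an added example, not part of the original message or of nmap; the addresses, the event tuple format, and the thresholds are constructed assumptions.

```python
from collections import defaultdict

SERVER = "192.0.2.10"   # constructed sample traffic, documentation addresses
EVENTS = []             # (time_s, src, dst, src_port, dst_port, tcp_flags)
for i, port in enumerate((22, 80, 443)):
    t = i * 0.1
    # Scanner whose stack answers each SYN/ACK with a RST.
    EVENTS += [(t, "198.51.100.7", SERVER, 40000 + i, port, "S"),
               (t + 0.01, SERVER, "198.51.100.7", port, 40000 + i, "SA"),
               (t + 0.02, "198.51.100.7", SERVER, 40000 + i, port, "R")]
    # Scanner with outbound RSTs filtered: the server retransmits its SYN/ACK.
    EVENTS += [(t, "203.0.113.9", SERVER, 50000 + i, port, "S"),
               (t + 0.01, SERVER, "203.0.113.9", port, 50000 + i, "SA"),
               (t + 1.01, SERVER, "203.0.113.9", port, 50000 + i, "SA")]
# Ordinary client that completes the handshake.
EVENTS += [(5.0, "198.51.100.50", SERVER, 51000, 443, "S"),
           (5.01, SERVER, "198.51.100.50", 443, 51000, "SA"),
           (5.02, "198.51.100.50", SERVER, 51000, 443, "A")]

def classify_handshakes(events, timeout=3.0):
    """Map (client, server, cport, dport) -> outcome for every SYN seen."""
    conns, end = {}, max(e[0] for e in events)
    for ts, src, dst, sp, dp, flags in sorted(events):
        fwd, rev = (src, dst, sp, dp), (dst, src, dp, sp)
        if flags == "S":
            conns[fwd] = {"state": "syn", "t": ts}
        elif flags == "SA":
            if rev in conns and conns[rev]["state"] == "syn":
                conns[rev] = {"state": "synack", "t": ts}  # retransmits keep first t
        elif fwd in conns and conns[fwd]["state"] == "synack":
            if "R" in flags:
                conns[fwd]["state"] = "reset_half_open"
            elif flags == "A":
                conns[fwd]["state"] = "established"
    # A SYN/ACK left unanswered past the timeout: no ACK and no RST came back.
    return {k: "abandoned_half_open"
            if c["state"] == "synack" and end - c["t"] >= timeout else c["state"]
            for k, c in conns.items()}

def suspicious_sources(events, min_ports=3, timeout=3.0):
    """Sources that left >= min_ports distinct server ports half-open."""
    per_src = defaultdict(lambda: defaultdict(set))
    for (client, _s, _cp, dport), outcome in classify_handshakes(events, timeout).items():
        if outcome in ("reset_half_open", "abandoned_half_open"):
            per_src[client][outcome].add(dport)
    return {src: {k: len(v) for k, v in kinds.items()}
            for src, kinds in per_src.items()
            if len(set().union(*kinds.values())) >= min_ports}

if __name__ == "__main__":
    print(suspicious_sources(EVENTS))
```

A rule that counts only the `reset_half_open` outcome misses the second source; counting unanswered SYN/ACKs per source covers both.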


