Nmap Development mailing list archives

RE: decoys and limiting outbound RST packets


From: robert () dyadsecurity com
Date: Wed, 5 Jan 2005 23:16:57 -0800

Greetings Nmap-dev team,

As an FYI, the unicornscan people have run into this issue of RSTs coming from the kernel in response to connections 
it didn't initiate.  For normal SYN scanning this doesn't bother you much, but it really gets annoying when you're 
actually trying to complete the 3-way handshake (we statelessly keep track of state all via raw sockets).

Anyhow .. our solution for this, the brainchild of Kiki (ghost () rapturesecurity org - inspired by one of the Fanta 
commercials.. don't ask), was to have another program respond to ARP requests on a particular interface without having 
to bother the kernel with the new IP assignment.  This tool is called fantaip and comes with the current public release 
of unicornscan (unicornscan.org).

The reason this may be interesting to the nmap folks is that it also works with nmap's -S option.

Example:
fantaip eth0 192.168.1.1
nmap -S 192.168.1.1 www.google.com -p80

etc etc etc

Anyhow, if you have any questions, please feel free to contact us.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
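
Seen from the network side, the technique in this message shows up as one interface answering ARP for an address the host was never assigned. The following is an added example, not part of the original post or of unicornscan: a Python check that parses ARP replies and reports any MAC claiming more than one IPv4 address. The frames, the MAC addresses and the 192.168.1.20/.50/.254 addresses are constructed, and it assumes the responder replies with the interface's own MAC.

```python
import struct
from collections import defaultdict

ETH_ARP, ARP_REPLY = 0x0806, 2

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def make_arp(oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet/IPv4 ARP frame for the sample data."""
    eth = mac(tha) + mac(sha) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip) as strings, or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return oper, sha, spa

def multi_ip_macs(frames):
    """Map each MAC that sent ARP replies for more than one IPv4 address to them."""
    claimed = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            claimed[parsed[1]].add(parsed[2])
    return {m: sorted(a) for m, a in claimed.items() if len(a) > 1}

# Constructed capture: .50 is the host's assigned address, .1 is the extra
# address answered by a userland responder (same MAC assumed), .20 is a peer.
GW, HOST, PEER = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
SAMPLE = [
    make_arp(2, HOST, "192.168.1.50", GW, "192.168.1.254"),
    make_arp(2, PEER, "192.168.1.20", GW, "192.168.1.254"),
    make_arp(1, PEER, "192.168.1.20", "ff:ff:ff:ff:ff:ff", "192.168.1.1"),
    make_arp(2, HOST, "192.168.1.1", PEER, "192.168.1.20"),
]

if __name__ == "__main__":
    for m, addrs in multi_ip_macs(SAMPLE).items():
        print(f"{m} answers ARP for {', '.join(addrs)}")
```

Hosts with interface aliases, VRRP/HSRP virtual addresses or proxy ARP also answer for several addresses, so compare hits against known assignments before treating them as suspect.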


