Firewall Wizards mailing list archives
Re: Spoofed source IP in scans (decoys) - what to do?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 30 Nov 1999 20:44:08 -0600 (CST)
On Mon, Nov 29, 1999 at 02:27:49PM -0600, R. DuFresne wrote:
| parse yer logs for a duplicate ip from each of the scans, it I recall the
| 'spoofing' in namoap is really not that deep, it spoofs like every 10th
| address or so, so a common entry should be perhaps gleened if they are
| using the namap default 'spoofing' modes...
|
First, sorry for the typos, I was more exhausted than I knew. Second, sorry to have gotten the information incorrect:

    -D <decoy1 [,decoy2][,ME],...>
        Causes a decoy scan to be performed which makes it appear to the
        remote host that the host(s) you specify as decoys are scanning
        the target network too. Thus their IDS might report 5-10 port
        scans from unique IP addresses, but they won't know which IP was
        scanning them and which were innocent decoys. While this can be
        defeated through router path tracing, response-dropping, and
        other "active" mechanisms, it is generally an extremely effective
        technique for hiding your IP address.

My memory recalled that 5-10 port scans part I guess. It appears one might well be able to build up an extensive list...

One question, has anyone that has played extensively with nmap noted whether one can feed a file of decoy addresses?

Thanks,

Ron DuFresne

| Thanks,
|
| Ron DuFresne
|
| On Fri, 26 Nov 1999, Niloc wrote:
|
| > Hi,
| >
| > I have had quite a few scans occurring on a host lately and the scanning
| > method includes the use of "decoys" (in nmap) or spoofed source IP
| > addresses.
| >
| > Of course my problem is that I don't want to blindly deny traffic from
| > all the source IP addresses that appear to be scanning me since I might
| > block legitimate traffic from them.
| >
| > I am wondering what my alternatives are? What would be a good method
| > to find out which IP is really scanning me?
| >
| > Thanks for your help.
| >
| > Niloc.
| >
|
| --
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| admin & senior consultant: darkstar.sysinfo.com
| http://darkstar.sysinfo.com
|
| "Cutting the space budget really restores my faith in humanity. It
| eliminates dreams, goals, and ideals and lets us get straight to the
| business of hate, debauchery, and self-annihilation."
| -- Johnny Hart
|
| testing, only testing, and damn good at it too!

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
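
Added example, not part of the original message or thread: one way to do the log parsing suggested in the quoted reply, keeping only the source addresses that recur in every separate scan. The log format, function names and sample addresses are assumptions made up for the illustration, and the intersection only narrows things down when the decoy list changes between scans.

```python
import re
from collections import defaultdict

# Assumed (hypothetical) log format: "<epoch> DENY src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\d+) DENY src=(\S+) dst=\S+ dport=(\d+)$")

def scan_episodes(lines, gap=300, min_ports=10):
    """Split the log into episodes separated by more than `gap` seconds of silence;
    return, per episode, the sources that probed at least `min_ports` distinct ports."""
    events = sorted(
        (int(m.group(1)), m.group(2), int(m.group(3)))
        for m in map(LINE_RE.match, lines) if m
    )
    episodes, ports, last_ts = [], defaultdict(set), None
    for ts, src, dport in events:
        if last_ts is not None and ts - last_ts > gap:
            episodes.append(ports)
            ports = defaultdict(set)
        ports[src].add(dport)
        last_ts = ts
    episodes.append(ports)
    scanners = [{s for s, p in ep.items() if len(p) >= min_ports} for ep in episodes]
    return [s for s in scanners if s]  # drop episodes that were only noise

def common_scanners(episodes):
    """Sources seen in every episode. One survivor is a lead to verify, not proof;
    several survivors mean the decoy list was reused and logs alone cannot decide."""
    return set.intersection(*episodes) if episodes else set()

def constructed_log():
    """Constructed sample: three scans, 203.0.113.7 in each, decoys differ per scan."""
    decoy_sets = [["198.51.100.10", "198.51.100.11"],
                  ["198.51.100.11", "198.51.100.12"],
                  ["198.51.100.13", "198.51.100.10"]]
    lines = []
    for i, decoys in enumerate(decoy_sets):
        base = 1000 + i * 3600
        for port in range(20, 40):
            for src in decoys + ["203.0.113.7"]:
                lines.append(f"{base + port} DENY src={src} dst=192.0.2.1 dport={port}")
    # Unrelated single-port hit that must not be counted as a scanner.
    lines.append("1500 DENY src=198.51.100.99 dst=192.0.2.1 dport=25")
    return lines

if __name__ == "__main__":
    eps = scan_episodes(constructed_log())
    print(len(eps), "scan episodes; common sources:", sorted(common_scanners(eps)))
```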