Firewall Wizards mailing list archives

Re: Spoofed source IP in scans (decoys) - what to do?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 30 Nov 1999 20:44:08 -0600 (CST)


On Mon, Nov 29, 1999 at 02:27:49PM -0600, R. DuFresne wrote:
| 
| parse yer logs for a duplicate ip from each of the scans, if I recall the
| 'spoofing' in nmap is really not that deep, it spoofs like every 10th
| address or so, so a common entry should be perhaps gleaned if they are
| using the nmap default 'spoofing' modes...
| 


First, sorry for the typos, I was more exhausted than I knew.

Second, sorry to have gotten the information incorrect:

       -D <decoy1 [,decoy2][,ME],...>
              Causes a decoy scan to be performed which makes  it
              appear  to  the  remote  host  that the host(s) you
              specify as decoys are scanning the  target  network
              too.   Thus  their IDS might report 5-10 port scans
              from unique IP addresses, but they won't know which
              IP  was  scanning  them  and  which  were  innocent
              decoys.  While this can be defeated through  router
              path tracing, response-dropping, and other "active"
              mechanisms, it is generally an extremely  effective
              technique for hiding your IP address.


My memory recalled that 5-10 port scans part I guess.  It appears one
might well be able to build up an extensive list...

One question, has anyone that has played extensively with nmap noted
whether one can feed a file of decoy addresses?

Thanks,

Ron DuFresne



| Thanks,
| 
| Ron DuFresne
| 
| On Fri, 26 Nov 1999, Niloc wrote:
| 
| > Hi,
| > 
| > I have had quite a few scans occurring on a host lately and the scanning
| > method includes the use of "decoys" (in nmap) or spoofed source IP addresses.
| > 
| > Of course my problem is that I don't want to blindly deny traffic from
| > all the source IP addresses that appear to be scanning me since I might
| > block legitimate traffic from them.
| > 
| > I am wondering what my alternatives are? What would be a good method
| > to find out which IP is really scanning me?
| > 
| > Thanks for your help.
| > 
| > Niloc.
| > 
| 
| -- 
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|         admin & senior consultant:  darkstar.sysinfo.com
|                   http://darkstar.sysinfo.com
| 
| "Cutting the space budget really restores my faith in humanity.  It
| eliminates dreams, goals, and ideals and lets us get straight to the
| business of hate, debauchery, and self-annihilation."
|                 -- Johnny Hart
| 
| testing, only testing, and damn good at it too!



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
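Ron's suggestion of parsing the logs for the one address that shows up in every scan, worked through as an added example that is not part of this thread; the log format, the addresses and the 10-minute scan gap are constructed for illustration:

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the thread): three scans of one host.
# The scanner's real address 192.0.2.50 is in every run; the decoys rotate.
SAMPLE_LOG = """\
1999-11-26T10:00:01 DROP src=203.0.113.7 dpt=21
1999-11-26T10:00:01 DROP src=192.0.2.50 dpt=21
1999-11-26T10:00:02 DROP src=198.51.100.9 dpt=22
1999-11-26T10:00:02 DROP src=192.0.2.50 dpt=22
1999-11-27T14:30:10 DROP src=198.51.100.44 dpt=21
1999-11-27T14:30:10 DROP src=192.0.2.50 dpt=21
1999-11-27T14:30:11 DROP src=203.0.113.7 dpt=25
1999-11-28T03:05:00 DROP src=192.0.2.50 dpt=80
1999-11-28T03:05:00 DROP src=198.51.100.9 dpt=80
1999-11-28T03:05:01 DROP src=203.0.113.200 dpt=110
"""
LINE_RE = re.compile(r"^(\S+) DROP src=(\S+) dpt=\d+$")

def parse_log(text):
    """Return sorted (timestamp, source_ip) pairs; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return sorted(events)

def split_scans(events, gap=timedelta(minutes=10)):
    """Group events into scans (a silence longer than `gap` starts a new one); each scan is its set of sources."""
    scans, current, last_ts = [], set(), None
    for ts, src in events:
        if last_ts is not None and ts - last_ts > gap:
            scans.append(current)
            current = set()
        current.add(src)
        last_ts = ts
    if current:
        scans.append(current)
    return scans

def rank_sources(scans):
    """Number of distinct scans each source appeared in, most frequent first; the real origin is in all of them."""
    hits = Counter()
    for sources in scans:
        hits.update(sources)
    return hits.most_common()

def likely_origins(scans):
    """Addresses present in every scan: the candidates for the real scanner."""
    return set.intersection(*scans) if scans else set()
```

If the scanner passes the same fixed -D list every time, every decoy recurs as well and the intersection does not narrow; that is the case where the man page's "active" checks (router path tracing, response dropping) are what is left.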
