Nmap Announce mailing list archives

Re: NMAP guide


From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Tue, 6 Apr 1999 10:50:00 -0700

On Tue, 6 Apr 1999, Fyodor wrote:
> The page also argues that nmap decoy scans are detectable when used
> with -sS because nmap doesn't spoof RST packets from the decoys in
> response to the SYN|ACK packets received from open ports of the target
> host.  People are urged to check out the page and see if they can spot
> the problem with the paper on their own.  If you are having trouble,
> here is a hint: He broke one of the cardinal rules of decoy scanning.
> If you still aren't sure, carefully reread the -D section of the nmap
> man page:

Actually he changed the page to address this fact.

It does bring up another issue, though, since I suggested in that write-up
that people spoof their IP to be a machine which isn't up.  My guess is
that you can get away with this for pinging and portscanning, but that
you'll wind up SYN flooding the target on an -O scan.  I suppose I should
actually play around with spoofing -- I didn't before I wrote that because
spoofing is busted on IRIX and I was getting tired of writing and just
wanted to send it off.

-- 
Lamont Granquist                       lamontg () genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
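The two points argued above (a live host behind a -sS decoy scan answers the target's SYN|ACK with a RST, while a decoy address that is not up leaves half-open connections piling up on the target) can be checked against a packet trace. The script below is an added example, not part of the original post or of nmap; it runs over a small hand-constructed trace with a hypothetical target 10.0.0.5, a scanner at 192.0.2.10 and three decoys, and the tuple layout of the trace is an assumption made for this script rather than any tool's output format.

```python
"""Classify the sources of a SYN scan with decoys by whether they answer
the target's SYN|ACK with a RST.

Added example, not code from the original mailing-list post or from nmap.
The trace below is constructed by hand; the (src, dst, flags) layout is an
assumption made for this script.
"""
from collections import defaultdict

# Constructed trace.  Flags use tcpdump-style letters:
# "S" = SYN, "S." = SYN|ACK, "R" = RST.
TRACE = [
    # the real scanner 192.0.2.10 and three decoys probe an open port
    ("192.0.2.10", "10.0.0.5", "S"),
    ("192.0.2.20", "10.0.0.5", "S"),
    ("192.0.2.30", "10.0.0.5", "S"),
    ("192.0.2.40", "10.0.0.5", "S"),
    ("10.0.0.5", "192.0.2.10", "S."),
    ("10.0.0.5", "192.0.2.20", "S."),
    ("10.0.0.5", "192.0.2.30", "S."),
    ("10.0.0.5", "192.0.2.40", "S."),
    # the scanner's own kernel and the two live decoys have no socket for
    # the SYN|ACK, so their stacks reply with RST
    ("192.0.2.10", "10.0.0.5", "R"),
    ("192.0.2.20", "10.0.0.5", "R"),
    ("192.0.2.30", "10.0.0.5", "R"),
    # 192.0.2.40 is not up: the target retransmits its SYN|ACK and hears nothing
    ("10.0.0.5", "192.0.2.40", "S."),
    ("10.0.0.5", "192.0.2.40", "S."),
]


def classify_sources(trace, target):
    """Return {src: (synacks_received, rsts_sent)} for every host that
    sent a SYN to the target."""
    stats = defaultdict(lambda: [0, 0])
    for src, dst, flags in trace:
        if dst == target and flags == "S":
            _ = stats[src]            # register the source even if it never replies
        elif src == target and flags == "S.":
            stats[dst][0] += 1        # SYN|ACK sent back to a probe source
        elif dst == target and flags == "R":
            stats[src][1] += 1        # RST tearing down the half-open connection
    return {host: tuple(v) for host, v in stats.items()}


def live_sources(trace, target):
    """Sources that answered at least one SYN|ACK with a RST, i.e. addresses
    whose TCP stack is really up.  With -sS the real scanner always lands
    here, so only decoys that are also up can hide it."""
    return sorted(host for host, (synacks, rsts) in
                  classify_sources(trace, target).items() if synacks and rsts)


def half_open_sources(trace, target):
    """Sources whose SYN|ACKs went unanswered.  Each one leaves a half-open
    connection on the target, which is the SYN-flood effect of spoofing an
    address that is not up."""
    return sorted(host for host, (synacks, rsts) in
                  classify_sources(trace, target).items() if synacks and not rsts)


if __name__ == "__main__":
    print("live:", live_sources(TRACE, "10.0.0.5"))
    print("half-open:", half_open_sources(TRACE, "10.0.0.5"))
```

On the constructed trace the scanner is indistinguishable from the two live decoys (all three sent a RST), while the down decoy stands out both as the one address that never answered and as the one accumulating retransmitted SYN|ACKs; a scan that spoofs only a single down address would make the real source trivially visible by the same test.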
