Nmap Development mailing list archives

Re: Finding real host in Nmap -D Scans


From: Fyodor <fyodor () insecure org>
Date: Mon, 3 Mar 2003 22:16:42 -0800

On Mon, Mar 03, 2003 at 11:26:38PM -0600, Kevin Hodle wrote:
> With most broadband providers, this is an obsolete method of port
> scanning.  Broadband companies like comca$t have very strict egress
> filters,

Obsolete?  Hardly.  While many broadband and dialup providers have
finally implemented some form of egress filtering, most aren't what I
would consider "very strict".  Usually attackers can at least spoof any IP
on the same class C.  My ATT cable modem can spoof a range of
literally thousands of IPs.  And that is all that matters for many
users who are simply trying to camouflage their exact IP.

Sure, many cable modem/DSL/dialup users can't spoof entirely arbitrary
IP addresses directly, but they often can do that from the first
corporate/university/Korean box that they own.  And those boxes likely
have superior bandwidth for scanning anyway.

Of course, I don't advocate compromising systems or even using decoys
to hide scanning activity.  I proudly perform virtually all of my Nmap
scanning from my own networks, and rarely receive complaints.  This is
because I try to keep the scans unintrusive and targeted (not
millions of machines).  I also get consent first where practical.

And for those who insist on spoofed scans, at least consider the new
Nmap Idlescan technique described at
http://www.insecure.org/nmap/idlescan.html .  It is much sexier than
decoys, and also more stealthy.  Of course it is slower than decoys,
but you can't have everything!

Cheers,
Fyodor
http://www.insecure.org/
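The exchange above turns on how strict a provider's egress filter is: a filter that only checks the customer's source address against the surrounding "class C" still lets decoy probes from other addresses in that /24 reach the target, while a per-customer filter lets through only the one real address. The following Python simulation is an added illustration of that difference and is not code from the thread or from Nmap. The addresses, the burst of four probes and the `make_egress_filter` / `apply_filter` names are all constructed for the example (documentation ranges, not real hosts).

```python
import ipaddress
from typing import Callable, List, Tuple

# Constructed sample traffic (RFC 5737 documentation ranges): one
# subscriber emits a decoy-scan burst to a single target port from its
# real address plus three spoofed decoy addresses.
SUBSCRIBER_IP = "198.51.100.37"
DECOY_BURST = [
    ("198.51.100.37", "203.0.113.80", 22),   # the real source
    ("198.51.100.200", "203.0.113.80", 22),  # decoy inside the same /24
    ("192.0.2.5", "203.0.113.80", 22),       # decoy outside the provider block
    ("203.0.113.9", "203.0.113.80", 22),     # decoy outside the provider block
]


def make_egress_filter(permitted: str) -> Callable[[str], bool]:
    """Return a predicate that accepts a packet's source address only when it
    falls inside the prefix the provider permits on this customer port."""
    net = ipaddress.ip_network(permitted, strict=False)
    return lambda src: ipaddress.ip_address(src) in net


def apply_filter(burst, permitted: str) -> Tuple[List[str], List[str]]:
    """Split a burst into the distinct sources that pass the egress filter
    and the distinct sources it drops (both sorted for stable comparison)."""
    accept = make_egress_filter(permitted)
    passed = sorted({src for src, _dst, _dport in burst if accept(src)})
    dropped = sorted({src for src, _dst, _dport in burst if not accept(src)})
    return passed, dropped


def sources_seen_by_target(burst, permitted: str) -> List[str]:
    """What the scanned host's logs show once the provider has filtered:
    with a loose filter, more than one candidate source survives."""
    passed, _dropped = apply_filter(burst, permitted)
    return passed


if __name__ == "__main__":
    policies = [
        ("loose: any source in the customer's /24", "198.51.100.0/24"),
        ("strict: only the assigned address", SUBSCRIBER_IP + "/32"),
    ]
    for label, prefix in policies:
        passed, dropped = apply_filter(DECOY_BURST, prefix)
        print(f"{label}")
        print(f"  passed : {passed}")
        print(f"  dropped: {dropped}")
```

Under the loose /24 policy the target still sees two candidate sources (the real one and the in-subnet decoy), which is exactly the residual camouflage the post describes; under the strict per-address policy every decoy is dropped at the provider edge and only the real source reaches the target.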


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).



Current thread: