Nmap Development mailing list archives

Re: decoys and limiting outbound RST packets


From: Michael Rash <mbr () cipherdyne org>
Date: Sun, 2 Jan 2005 18:14:10 -0500

On Jan 02, 2005, Martin Mačok wrote:

On Sat, Jan 01, 2005 at 05:19:30PM -0500, Michael Rash wrote:

Proposed solution:
    Provide an interface to use a local packet filter (if available)
to restrict outbound RST packets to the target for the duration of
any scan that causes unsolicited SYN/ACK packets to be sent to the
scanning system.

In this case, the target could send a SYN+ACK probe to every
non-responding IP after the scan. If there is an IP that responds then
it is the IP of the scanner.

That's true, but does this mean the RST blocking feature is not
useful?  How many people are actually going to do this vs. just
watch RST packets coming back (or lack thereof)?  The main
advantage in having this feature integrated directly with Nmap
is that the target must be less confident about how the scanner's
IP appears to behave.  If a patch happens to appear that
implements this, is there any reason that it shouldn't be
accepted?

--Mike

Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
