Nmap Development mailing list archives

RE: Please Comment: General Host Input Option


From: "Cory K. Walker" <lists () walkertc com>
Date: Sun, 25 Jan 2009 21:59:48 -0500

The reason I would want to specify a list of decoys over random ones is
this.

Random decoys might not have the properties that an attacker would want.
Instead, the attacker may seek a higher-quality list of decoys that are
known to - for example - reply to a ping.  That way, if the defender
investigates the scan and all source addresses reply (or otherwise behave
uniformly) then it might be more difficult for the defender to ultimately
determine the true source of the attack.  Perhaps the attacker wants all of
his decoys to look like a bunch of Windows Server 2008 machines and
therefore confuse the defender into thinking a new virus or other robot
program is responsible for the scan.

I imagine the use case for this feature would be the following:

The attacker spends a substantial amount of time collecting a list of
desired decoys as a prerequisite to the scan.  After this list is compiled,
the scan is launched against the target using a more convenient "-DL
decoys.txt" syntax instead of "-D IP_1,IP_2,...,IP_N".

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Ron
Sent: Sunday, January 25, 2009 9:01 PM
Cc: nmap-dev () insecure org
Subject: Re: Please Comment: General Host Input Option

Didn't Brandon post a reply? I seem to recall seeing one, but I might be
confused.

In any case, what advantage would there be to using known decoys instead of
random ones? I personally don't see any advantage, but I could easily be
missing something.

--
Ron Bowes
http://www.skullsecurity.org/


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

