Re: Finding real host in Nmap -D Scans
From: H D Moore <hdm(at)digitaloffense.net>
Date: Tue Mar 04 2003 - 01:02:34 EST

Have to disagree with the "obsolete" statement. I ran an egress test from my cable connection and found no less than 40 different class C networks I could spoof packets from. While many of these networks were in the same class B subnet, they could still be used to effectively obfuscate the real source of a port scan. Actually, using a related address makes tracing it back even harder, since even TTL tricks and router logs won't help you. It does narrow down your source to a specific provider/geographic area, but still doesn't provide you with a single address to report.

An intelligent attacker would spoof a few dozen scans first from firewalled systems located at his own provider (i.e. broadband routers that filter everything) and only perform the "real" scan with a decoy scan, using the scapegoat system as one of the sources. Then again, anyone who wants to expend this level of effort could just use the IP ID trick and you would never see a single packet from their real address.

-HD
On Monday 03 March 2003 11:26 pm, Kevin Hodle wrote:
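The "TTL trick" the post refers to, as an added defender-side example (not code from the thread): each probe in a decoy scan is really emitted by one host, so the observed TTLs all imply the same hop distance; comparing that with hop counts the defender measures to each claimed source exposes decoys on unrelated networks, but, as the post argues, decoys picked from the scanner's own provider network survive the check. The probe log, the measured hop counts and the addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: SYN probes (source, observed TTL) logged by a sensor
# during a decoy scan. All probes left the same real host, so the TTLs agree.
PROBES = [
    ("198.51.100.7", 50), ("203.0.113.9", 50), ("198.51.100.7", 50),
    ("198.51.100.23", 50), ("192.0.2.44", 50), ("203.0.113.9", 50),
]

# Constructed: hop counts the defender measured (e.g. with traceroute) to
# each address that appeared as a probe source.
MEASURED_HOPS = {
    "198.51.100.7": 14,   # the real scanner
    "198.51.100.23": 14,  # a spoofed address on the scanner's provider network
    "203.0.113.9": 6,     # a decoy on an unrelated network
    "192.0.2.44": 22,     # another unrelated decoy
}

# Common initial TTLs; the nearest one at or above the observed value is assumed.
INITIAL_TTLS = (64, 128, 255)


def hops_from_ttl(ttl):
    """Hop distance implied by an observed TTL."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def classify_sources(probes, measured_hops, tolerance=1):
    """Map each claimed source to 'plausible', 'spoofed' or 'unknown'.

    A source is plausible when some observed TTL implies a hop distance within
    `tolerance` of the distance the defender measured to that address.
    """
    seen_ttls = defaultdict(set)
    for src, ttl in probes:
        seen_ttls[src].add(ttl)
    verdict = {}
    for src, ttls in seen_ttls.items():
        implied = {hops_from_ttl(t) for t in ttls}
        measured = measured_hops.get(src)
        if measured is None:
            verdict[src] = "unknown"
        elif any(abs(h - measured) <= tolerance for h in implied):
            verdict[src] = "plausible"
        else:
            verdict[src] = "spoofed"
    return verdict


def remaining_candidates(probes, measured_hops):
    """Sources the TTL check cannot rule out; more than one means no single address to report."""
    v = classify_sources(probes, measured_hops)
    return sorted(s for s, r in v.items() if r == "plausible")
```

With the sample data the two unrelated decoys are flagged as spoofed, but both 198.51.100.0/24 addresses remain plausible, so the check narrows the scan to a provider network rather than a host.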
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:33 EDT