
Re: Finding real host in Nmap -D Scans

From: Fyodor <fyodor(at)insecure.org>
Date: Tue Mar 04 2003 - 01:16:42 EST

On Mon, Mar 03, 2003 at 11:26:38PM -0600, Kevin Hodle wrote:
> With most broadband providers, this is an obsolete method of port

Obsolete? Hardly. While many broadband and dialup providers have finally implemented some form of egress filtering, most aren't what I would consider "very strict". Usually attackers can at least spoof any IP on the same class C. My ATT cable modem can spoof a range of literally thousands of IPs. And that is all that matters for many users who are simply trying to camouflage their exact IP.

Sure, many cable modem/DSL/dialup users can't spoof entirely arbitrary IP addresses directly, but they often can do that from the first corporate/university/Korean box that they own. And those boxes likely have superior bandwidth for scanning anyway.

Of course, I don't advocate compromising systems or even using decoys to hide scanning activity. I proudly perform virtually all of my Nmap scanning from my own networks, and rarely receive complaints. This is because I try to keep the scans unintrusive and targeted (not millions of machines). I also get consent first where practical.

And for those who insist on spoofed scans, at least consider the new Nmap Idlescan technique described at
http://www.insecure.org/nmap/idlescan.html . It is much sexier than decoys, and also more stealthy. Of course it is slower than decoys, but you can't have everything!

Cheers,
Fyodor
http://www.insecure.org/


Received on Tue Mar 4 11:57:46 2003


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:33 EDT

