From: gary at domain netsoc.tcd.ie
Date: Wed 19 Jul 2000 - 18:32:53 IST
On Wed, Jul 19, 2000 at 11:17:47AM +0100, Paul FW wrote:
> hello, a few days ago i was portscanned and portsentry
> loyally blocked it, but then after that i received
> scans from other systems on my lan to one portsentry
> machine, how did the person scanning make it look like
> they came from my machines?, they were openbsd, nt
> and solaris in case that matters
I read this on the nmap man page the other day - so looks like this kind
of action is just a flag away!
And I once had portsentry blocking machines too... not any more I think!

    -D <decoy1 [,decoy2][,ME],...>
        Causes a decoy scan to be performed which makes it
        appear to the remote host that the host(s) you
        specify as decoys are scanning the target network
        too. Thus their IDS might report 5-10 port scans
        from unique IP addresses, but they won't know which
        IP was scanning them and which were innocent
        decoys.
        ...
        Also note that some (stupid) "port scan detectors"
        will firewall/deny routing to hosts that attempt
        port scans. Thus you might inadvertently cause the
        machine you scan to lose connectivity with the
        decoy machines you are using. This could cause the
        target machines major problems if the decoy is,
        say, its internet gateway or even "localhost".
        Thus you might want to be careful of this option.
        The real moral of the story is that detectors of
        spoofable port scans should not take action against
        the machine that seems like it is port scanning
        them. It could just be a decoy!

--
Gary Coady..http://www.netsoc.tcd.ie/~gary/
... lend your voices only to sounds of freedom. No longer lend your
strength to that which you wish to be free from. --- Jewel
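
The man page's moral, as an added example that is not part of the original message or of portsentry: a naive "block the claimed source" response next to one that only blocks verified sources outside a never-block list. The addresses, the 192.168.1.0/24 LAN, the event fields and the 'handshake' flag are assumptions made for the sketch, and treating a completed handshake as proof of a genuine source assumes the sender cannot see or predict the SYN/ACK.

```python
import ipaddress

# Assumptions for this sketch: the LAN is 192.168.1.0/24 and each event has a
# 'handshake' flag set only when the source completed a TCP three-way handshake.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]

# Constructed detector events: probes that claim several different sources.
EVENTS = [
    {"src": "198.51.100.7", "port": 23,  "handshake": False},
    {"src": "192.168.1.1",  "port": 23,  "handshake": False},  # gateway address
    {"src": "192.168.1.20", "port": 111, "handshake": False},  # LAN host address
    {"src": "127.0.0.1",    "port": 79,  "handshake": False},  # "localhost"
    {"src": "203.0.113.9",  "port": 22,  "handshake": True},   # verified source
]

def naive_policy(event):
    """Block whatever address the packet claims to come from."""
    return "block"

def hardened_policy(event):
    """Block only sources that are verified and not on the never-block list."""
    src = ipaddress.ip_address(event["src"])
    if any(src in net for net in NEVER_BLOCK):
        return "alert"   # own infrastructure: log it, never cut it off
    if not event["handshake"]:
        return "alert"   # unverified source address, could be a decoy
    return "block"       # our reply reached this address, so it is not spoofed

def blocked_sources(policy, events):
    """Return the sorted set of addresses a policy would firewall."""
    return sorted({e["src"] for e in events if policy(e) == "block"})

if __name__ == "__main__":
    print("naive   :", blocked_sources(naive_policy, EVENTS))
    print("hardened:", blocked_sources(hardened_policy, EVENTS))
```

With the naive policy the detector firewalls its own gateway, a LAN neighbour and loopback; the hardened policy logs those events and blocks only the verified outside source.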