|
Nmap Development
mailing list archives
Re: decoys and limiting outbound RST packets
From: Slarty <slarty () Vectrex org uk>
Date: Sun, 2 Jan 2005 10:31:05 +0000
On Saturday 01 January 2005 22:19, Michael Rash wrote:
Proposed solution:
Provide an interface to use a local packet filter (if available)
to restrict outbound RST packets to the target for the duration of
any scan that causes unsolicited SYN/ACK packets to be sent to the
scanning system.
I wrote a scanner which already does this (RST blocking).
If you use decoys with nmap, the decoys have to be machines which are online
themselves (hence will send a RST back), otherwise it will be obvious which
is the "real" scanning host.
However, as nmap now has the "idle scan", decoys aren't really necessary for
people who want to hide their IP address while scanning, as the "idle scan"
does not send any non-spoofed packets to the target anyway.
Anyway, RST blocking is a useful feature on its own even without decoys and
spoofing:
- Reduces network traffic during big scans
- Less likely to trigger IDS (if they have a rule which spots reset half-open
connections)
Slarty
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org
 By Date 
By Thread
Current thread:
| 
Intro
