Tuesday, February 21, 2012

Dynamic Port Scanning


Dynamic Port Scanning is a new methodology that aims to dynamically spoof the source IP of the scanning machine. What is meant by “dynamic spoofing” is that each TCP or UDP scan packet carries a randomly generated source IP address. However, that IP address must fall within the local subnet IP range of the scanning machine. The underlying implementation of this methodology depends entirely on integrating ARP poisoning/spoofing into the scanning process.
ARP poisoning/spoofing has been possible since the creation of the TCP/IP protocols. It has long been known and used for network traffic sniffing and interception in switched networks. This paper, however, shows how ARP poisoning/spoofing can be used in conjunction with port scanning to achieve dynamic spoofing of the scanning machine's source IP.
In general, Dynamic Port Scanning [DPS] is implemented by ensuring that the ARP cache of the target host, or even of the default gateway, is poisoned with a fake IP/MAC entry, which causes scan reply packets to carry the MAC address of the scanning machine. Although the reply packet is destined for a fake IP address (i.e. the spoofed IP), placing the scanner's MAC address as the destination MAC address in the reply packet enables that packet to arrive correctly at the scanning machine. The remote ARP cache is poisoned once for each TCP/UDP scan packet that carries a spoofed IP address.
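The mechanism just described leaves a distinctive footprint on the wire: many source IPs inside the local subnet all resolve, within a short time, to a single MAC, and an existing binding (for example the gateway's IP) gets overwritten. The following Python is an added example written from the defender's side; it is not code from the paper or from the DPS tool. It runs a passive ARP-anomaly check over a constructed list of "IP claims MAC" observations (the kind a monitor such as arpwatch records), with hypothetical thresholds chosen only for illustration.

```python
"""Passive ARP-anomaly detector (added example; not from the paper or its tool).

The paper's technique poisons a host's or gateway's ARP cache so that many
random source IPs inside the local subnet all map to one MAC (the scanner's).
A passive monitor that records "IP -> MAC" claims seen in ARP traffic can flag
exactly that pattern, plus the classic "IP changed MAC" symptom of poisoning.
The input below is a constructed sample, not captured traffic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: (timestamp_seconds, sender_ip, sender_mac) claims
# as they would be pulled from ARP packets on a hypothetical 192.168.1.0/24.
SAMPLE_CLAIMS = [
    (0.0, "192.168.1.1",   "aa:bb:cc:00:00:01"),  # gateway, stable binding
    (0.5, "192.168.1.20",  "aa:bb:cc:00:00:20"),  # ordinary host
    (1.0, "192.168.1.77",  "de:ad:be:ef:00:01"),  # one MAC starts claiming
    (1.1, "192.168.1.143", "de:ad:be:ef:00:01"),  # many random local IPs
    (1.2, "192.168.1.9",   "de:ad:be:ef:00:01"),
    (1.3, "192.168.1.201", "de:ad:be:ef:00:01"),
    (1.4, "192.168.1.55",  "de:ad:be:ef:00:01"),
    (5.0, "192.168.1.20",  "aa:bb:cc:00:00:20"),  # repeat of a known mapping
    (9.0, "192.168.1.1",   "de:ad:be:ef:00:01"),  # gateway IP rebound to other MAC
]

LOCAL_NET = ip_network("192.168.1.0/24")  # assumed monitored subnet


def analyze(claims, local_net=LOCAL_NET, window=2.0, max_ips_per_mac=3):
    """Return a list of findings over time-ordered ARP claims.

    Two checks (thresholds are illustrative, not tuned values):
      1. 'mac_change': an IP previously bound to one MAC is claimed by another.
      2. 'many_ips_one_mac': within `window` seconds a single MAC claims more
         than `max_ips_per_mac` distinct IPs inside the local subnet.
    """
    findings = []
    ip_to_mac = {}               # last MAC seen for each IP, like an ARP cache
    recent = defaultdict(list)   # mac -> [(ts, ip), ...] inside the window
    flagged = set()              # MACs already reported for check 2

    for ts, ip, mac in sorted(claims):
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            findings.append(("mac_change", ip, prev, mac))
        ip_to_mac[ip] = mac      # last claim wins, as a real cache would do

        if ip_address(ip) in local_net:
            # Drop claims that fell out of the sliding window, then add this one.
            recent[mac] = [(t, i) for t, i in recent[mac] if ts - t <= window]
            recent[mac].append((ts, ip))
            distinct = {i for _, i in recent[mac]}
            if len(distinct) > max_ips_per_mac and mac not in flagged:
                findings.append(("many_ips_one_mac", mac, len(distinct)))
                flagged.add(mac)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CLAIMS):
        print(finding)
```

Both findings surface from the same observation stream: the burst check fires while the single MAC is still racing through local addresses, and the binding check fires later when the gateway's own IP is rebound. In practice the window and count thresholds need tuning against the network's normal ARP churn (DHCP lease turnover, virtual-machine hosts) to keep the second check from flagging legitimate multi-address interfaces.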
This paper discusses the Dynamic Port Scanning [DPS] process in depth. First, it examines the current methodologies used to spoof the source IP while scanning. Then it describes the new methodology along with the TCP scan types it supports. Finally, it outlines a new open-source tool called Dynamic Port Scanner [DPS], which implements exactly the technique described in this paper.