Wednesday, February 22, 2012

Normal Spoofing Scan



    This is the simplest of all the techniques. All the attacker needs to do is spoof the source IP of the scanning machine to some other IP, without worrying about anything else. That spoofed IP is used as the source of every scan packet. It can be any valid IP address and does not have to lie within the subnet of the scanning machine.
    This normal spoofing can be done with the -S (source address) switch of the nmap tool:

# nmap -sS -S 217.64.121.34 -P0 -p 1-1024 64.23.16.21

However, this technique suffers from a major drawback: there will be no results, since all replies are sent to the spoofed IP. The scanning machine never receives any of them. One reason an attacker might still attempt this type of spoofing is to fool the scanned target into thinking that somebody else – probably a competitor – is scanning them. The attacker here is not concerned with the replies or with the port status of the target.
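The two sides of that drawback are what a defender can actually see. The scanned target sees a burst of SYN-only probes whose source address proves nothing about where they came from, and the owner of the spoofed address receives SYN-ACKs and RST-ACKs for connections it never opened (backscatter). The script below is an added example, not part of the original post, with constructed flow records in a made-up "time src_ip src_port dst_ip dst_port flags" format; the addresses reuse the two from the nmap command above, and the function names, thresholds and log layout are assumptions for illustration.

```python
from collections import defaultdict


def _sweep_lines():
    # Constructed: 30 SYN-only probes, one per port 1..30, all carrying the
    # spoofed source 217.64.121.34 (the real scanner never appears in the log).
    return [f"100.{i:03d} 217.64.121.34 {40000 + i} 64.23.16.21 {i} S"
            for i in range(1, 31)]


# Constructed: a genuine connection the spoofed host really did open.
_LEGIT_HANDSHAKE = [
    "110.000 217.64.121.34 51000 64.23.16.21 443 S",
    "110.020 64.23.16.21 443 217.64.121.34 51000 SA",
    "110.021 217.64.121.34 51000 64.23.16.21 443 A",
]
# Constructed: the target's replies to the probes, delivered to the spoofed address.
_REPLIES_TO_PROBES = [
    "100.040 64.23.16.21 22 217.64.121.34 40022 SA",  # port 22 open
    "100.041 64.23.16.21 21 217.64.121.34 40021 RA",  # port 21 closed
    "100.042 64.23.16.21 25 217.64.121.34 40025 RA",  # port 25 closed
]
# What a sensor on the scanned target (64.23.16.21) records.
TARGET_SENSOR_LOG = "\n".join(_sweep_lines() + _REPLIES_TO_PROBES + _LEGIT_HANDSHAKE)
# What a sensor on the spoofed host (217.64.121.34) records: it never sent the probes.
SPOOFED_HOST_SENSOR_LOG = "\n".join(_LEGIT_HANDSHAKE + _REPLIES_TO_PROBES)


def parse_log(text):
    """Parse the constructed flow format into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        t, src, sport, dst, dport, flags = line.split()
        records.append({"time": float(t), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "flags": flags})
    return records


def detect_port_sweeps(records, min_ports=20, window=60.0):
    """Return {(src, dst): distinct_ports} for sources that sent SYN-only packets
    to at least `min_ports` distinct ports of one host within `window` seconds.
    The src in the key is only the address written in the packets; with
    spoofing it identifies the address used, not the scanning machine."""
    syns = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    for r in records:
        if r["flags"] == "S":
            syns[(r["src"], r["dst"])].append((r["time"], r["dport"]))
    hits = {}
    for key, events in syns.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding time window over sorted SYNs
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) >= min_ports:
                hits[key] = max(hits.get(key, 0), len(ports))
    return hits


def detect_backscatter(records, local_ip):
    """From the sensor of `local_ip`: SYN-ACK or RST-ACK replies to connections
    this host never initiated. Unsolicited replies indicate that someone else is
    sending packets with this host's address as the source."""
    initiated = set()  # (remote_ip, remote_port, local_port) for SYNs we sent
    for r in records:
        if r["src"] == local_ip and r["flags"] == "S":
            initiated.add((r["dst"], r["dport"], r["sport"]))
    unsolicited = []
    for r in records:
        if r["dst"] == local_ip and r["flags"] in ("SA", "RA"):
            if (r["src"], r["sport"], r["dport"]) not in initiated:
                unsolicited.append((r["src"], r["sport"], r["flags"]))
    return unsolicited


if __name__ == "__main__":
    print("sweeps seen by target:", detect_port_sweeps(parse_log(TARGET_SENSOR_LOG)))
    print("backscatter at spoofed host:",
          detect_backscatter(parse_log(SPOOFED_HOST_SENSOR_LOG), "217.64.121.34"))
```

On the target's log the sweep detector fires against 217.64.121.34, which is exactly the misdirection the post describes, so the alert should be treated as "this address was used", not "this host scanned us". The backscatter check run on the spoofed host's own log is the complementary signal: replies arriving for connections it never opened are evidence that its address is being spoofed elsewhere.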

Advantages of this spoofing technique are:
• Freedom of spoofing. The attacker is not bound to a specific range of IPs.
• No wasted or unneeded packets. The attacker sends one TCP/UDP packet per port.
• No tracing of the original scanner. Detection of the scanning machine is impossible at the IP layer, since only the spoofed address appears in the packets.

Disadvantages of this technique are:
• No replies. No reply packets will arrive at the scanning machine.
• No results. Since the replies are not received, the attacker won’t learn the port status.