Thursday, February 23, 2012

Decoy Port Scan
    A decoy scan works by sending more than one packet per port. All of these packets
carry spoofed source IPs except one, which carries the scanner's real IP address.
This guarantees the attacker at least one reply packet: the reply to the probe that
carried the correct IP address. All other replies go to the spoofed addresses and never
reach the scanning machine. This scan type is done using the -D switch of the nmap tool,
as follows:
# nmap -sS -P0 -D217.89.54.23,64.56.23.21,98.76.54.32 -p1-1024 10.10.10.10
A decoy port scan is done to make detection of the original scanner harder. The
administrator of the scanned target cannot tell which of the IPs used is the real
scanner's. However, if all of the IPs were investigated, the investigation could lead
to the original scanning IP.

Advantages of Decoy scan are:
• Results are guaranteed. Since reply packets arrive at the scanning machine, the attacker gets true results of port status.
• Freedom of spoofing. Each spoofed IP used in the decoy is not bound to any particular set of IPs.

Disadvantages of Decoy scan are:
• Detection is hard but not impossible. Since all the IPs used are logged one way or another on the target system, heavy investigation could lead to the original attacker.
• Lots of traffic. Since each scanned port receives many packets, the traffic flow increases.
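What the "detection is hard but not impossible" point looks like from the target side, as an added example that is not part of the original post: the script below runs over constructed firewall-style log lines (the line format, timestamps and the 203.0.113.7 / 192.168.1.50 addresses are assumptions for the example; the other addresses are the ones from the nmap command above). It groups SYN probes by destination port and flags a port when several distinct source IPs probe it inside a short window, which is the shape a decoy scan leaves in a log: every port receives one packet per decoy plus one from the real scanner. It then lists the candidate sources an administrator would have to investigate. Nmap sends every probe from every decoy, so within one scan the real address cannot be singled out from the log alone; the recurring_sources() heuristic only narrows the set across separate bursts, on the assumption that an attacker who rotates decoys still needs the same real address to receive the replies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not from the original post). Four sources hit port 22 on
# 10.10.10.10 within one second, three of them hit port 80 a second later, and
# 192.168.1.50 is ordinary single-connection traffic that must not be flagged.
SAMPLE_LOG = """\
2012-02-23 10:00:01 SRC=217.89.54.23 DST=10.10.10.10 DPT=22 FLAGS=SYN
2012-02-23 10:00:01 SRC=64.56.23.21 DST=10.10.10.10 DPT=22 FLAGS=SYN
2012-02-23 10:00:01 SRC=203.0.113.7 DST=10.10.10.10 DPT=22 FLAGS=SYN
2012-02-23 10:00:01 SRC=98.76.54.32 DST=10.10.10.10 DPT=22 FLAGS=SYN
2012-02-23 10:00:02 SRC=217.89.54.23 DST=10.10.10.10 DPT=80 FLAGS=SYN
2012-02-23 10:00:02 SRC=64.56.23.21 DST=10.10.10.10 DPT=80 FLAGS=SYN
2012-02-23 10:00:02 SRC=203.0.113.7 DST=10.10.10.10 DPT=80 FLAGS=SYN
2012-02-23 10:05:30 SRC=192.168.1.50 DST=10.10.10.10 DPT=443 FLAGS=SYN
"""

# Assumed line format: "<date> <time> SRC=<ip> DST=<ip> DPT=<port> FLAGS=<tcp flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
        "flags": m["flags"],
    }


def find_decoy_clusters(log_text, window=timedelta(seconds=5), min_sources=3):
    """Flag every (dst, port) that receives SYNs from at least `min_sources` distinct
    source IPs inside a `window`-long sliding window. Returns one cluster per
    flagged port with the sorted set of candidate source IPs."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e is not None and e["flags"] == "SYN"]
    by_port = defaultdict(list)
    for e in events:
        by_port[(e["dst"], e["dpt"])].append(e)

    clusters = []
    for (dst, dpt), evs in by_port.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()   # largest set of distinct sources seen in any one window
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it covers at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            srcs = {e["src"] for e in evs[start:end + 1]}
            if len(srcs) > len(best):
                best = srcs
        if len(best) >= min_sources:
            clusters.append({"dst": dst, "dpt": dpt, "sources": sorted(best)})
    return sorted(clusters, key=lambda c: (c["dst"], c["dpt"]))


def recurring_sources(clusters):
    """Investigation heuristic (an assumption of this example, not a rule from the
    post): source IPs that appear in every flagged cluster. A decoy used in only
    some bursts drops out; the real scanner has to be present in all of them."""
    if not clusters:
        return []
    common = set(clusters[0]["sources"])
    for c in clusters[1:]:
        common &= set(c["sources"])
    return sorted(common)


if __name__ == "__main__":
    found = find_decoy_clusters(SAMPLE_LOG)
    for c in found:
        print(f"{c['dst']}:{c['dpt']} probed by {len(c['sources'])} sources: "
              + ", ".join(c["sources"]))
    print("candidates to investigate first:", ", ".join(recurring_sources(found)))
```

Port 443 is never flagged because a single source probed it, while ports 22 and 80 are flagged with their full candidate lists; the intersection drops 98.76.54.32, which only appeared in the first burst. On real data the window and threshold need tuning for the site's normal traffic, and the candidate list is a starting point for the investigation the post describes, not proof of who the scanner is.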
