Good point... repeatedly hitting firewalled ports can show up even a fairly polite port scan easily... my point was that with tools such as the idle scan, it becomes virtually impossible for a sysadmin to take any action against the originator's IP.

Of course if you have a honeypot and they own it, they will probably start using their own IP after a little while...

Anyone who has run IDS in the last three years will know that there are now so many Windows worms around that there's practically no point in setting up IDS rules for port numbers that these worms are known to attack; there is just far too much traffic.

Of course finer-grained rules that don't detect the worms are always preferable.

Slarty