NMAP(1) NMAP(1)
-D <decoy1 [,decoy2][,ME],...>
Causes a decoy scan to be performed which makes it
appear to the remote host that the host(s) you
specify as decoys are scanning the target network
too. Thus their IDS might report 5-10 port scans
from unique IP addresses, but they won't know which
IP was scanning them and which were innocent
decoys. While this can be defeated through router
path tracing, response-dropping, and other "active"
mechanisms, it is generally an extremely effective
technique for hiding your IP address.
Separate each decoy host with commas, and you can
optionally use 'ME' as one of the decoys to
represent the position in which you want your IP
address to be used. If you put 'ME' in the 6th
position or later, some common port scan detectors
(such as Solar Designer's excellent scanlogd) are
unlikely to show your IP address at all. If you
don't use 'ME', nmap will put you in a random
position.
Note that the hosts you use as decoys should be up
or you might accidentally SYN flood your targets.
Also it will be pretty easy to determine which host
is scanning if only one is actually up on the
network. You might want to use IP addresses instead
of names (so the decoy networks don't see you in
their nameserver logs).
Also note that some (stupid) "port scan detectors"
will firewall/deny routing to hosts that attempt
port scans. Thus you might inadvertently cause the
machine you scan to lose connectivity with the
decoy machines you are using. This could cause the
target machines major problems if the decoy is,
say, its internet gateway or even "localhost".
Thus you might want to be careful of this option.
The real moral of the story is that detectors of
spoofable port scans should not take action against
the machine that seems like it is port scanning
them. It could just be a decoy!
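
The moral above, seen from the detector's side, as an added example (not part of the nmap manual or of any existing detector): a port scan classifier that only alerts when the source address cannot be verified and never blocks loopback or protected hosts. The event tuple layout, PROTECTED, PORT_THRESHOLD and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample events, assumed to fall inside one detection window:
# (time_s, src_ip, dst_ip, dst_port, handshake_completed)
# Documentation-range addresses; 192.0.2.1 plays the target's gateway.
EVENTS = []
for i, port in enumerate(range(20, 32)):              # 12 ports probed
    for src in ("198.51.100.7", "203.0.113.9", "192.0.2.1", "127.0.0.1"):
        EVENTS.append((i * 0.1, src, "192.0.2.50", port, False))
EVENTS.append((5.0, "198.51.100.200", "192.0.2.50", 22, True))  # normal client

PROTECTED = {"192.0.2.1"}   # assumption: hosts the target must keep reaching
PORT_THRESHOLD = 10         # distinct ports per source before it counts as a scan

def classify(events, protected=PROTECTED, threshold=PORT_THRESHOLD):
    """Return {src: verdict} for sources that look like port scanners."""
    ports = defaultdict(set)    # (src, dst) -> ports probed
    verified = set()            # sources that completed a TCP handshake
    for _, src, dst, dport, done in events:
        ports[(src, dst)].add(dport)
        if done:
            verified.add(src)
    scanners = defaultdict(list)    # dst -> [(src, portset)]
    for (src, dst), seen in ports.items():
        if len(seen) >= threshold:
            scanners[dst].append((src, frozenset(seen)))
    verdicts = {}
    for found in scanners.values():
        # Several sources probing the identical port set suggests decoys.
        same = defaultdict(list)
        for src, seen in found:
            same[seen].append(src)
        for group in same.values():
            for src in group:
                if ip_address(src).is_loopback or src in protected:
                    verdicts[src] = "alert-only: loopback or protected host"
                elif len(group) > 1 or src not in verified:
                    verdicts[src] = "alert-only: source address unverified"
                else:
                    verdicts[src] = "block-candidate: handshake confirms source"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify(EVENTS).items()):
        print(f"{src:16} {verdict}")
```

Only a source that completed a TCP handshake, and that is not one of several addresses probing the same port set, becomes a candidate for blocking; every other scanner is reported without any action taken against it.
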
Decoys are used both in the initial ping scan
(using ICMP, SYN, ACK, or whatever) and during the
actual port scanning phase. Decoys are also used
during remote OS detection (-O).
It is worth noting that using too many decoys may
slow your scan and potentially even make it less
accurate. Also, some ISPs will filter out your
spoofed packets, although many (currently most) do
not restrict spoofed IP packets at all.