Nmap Decoy Scans – The Hamburger


TLP: Public

Hackers are using the nmap -D option with IP addresses from Akamai Technologies, Inc., Amazon Cloud services, Shadowserver.org, and others to attempt to cloak their identities.

What is the D option?

It is called a decoy scan. With nmap's -D option, it appears to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus, their IDS might report 5-1000s of port scans from unique IP addresses, but they will not know which IP was scanning them and which were innocent decoys. While this can be defeated through router path tracing, response-dropping, and other active mechanisms, it is generally an effective technique for hiding your IP address.

Unfortunately for hackers, this type of scan is easily defeated, and it is illegal behavior. My favorite scan we get is what I call the Hamburger.

Hamburger

Most decoy scans run like an array list: they start at the top and end at the bottom.

The hamburger scan's top is the top bun, which is the real attacker's IP address, followed by an assortment of items like the cheese, lettuce, tomato, onions, beef patties, and other tasty items, which are all bogus IP addresses (Akamai Technologies, Inc., Amazon Cloud services, Shadowserver.org), followed by the bottom bun, which is the real attacker's IP address.

We have identified other interesting scans, and we have names for each of them based on our forensics. We have seen hidden messages in binary and in Morse code from these decoy scans too. Another favorite we see a lot is one we call the Pizza. There are many interesting toppings on each unique pizza decoy scan.

Nmap is a good utility tool in the right hands but it is another tool that bad guys use to go after you. Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest.

Rest assured these hackers are being watched and studied.

Hint: Keep an eye on the Source Port to the Destination Port in the packet header.
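The Hamburger ordering and the source-port hint above, as an added detection example (not Adept Technologies' own code): it groups inbound probes by source/destination port pair and counts the source IPs that appear as both first and last sender in a burst. The record layout, the function names, the one-second window, the assumption that all copies of a probe share a port pair, and the sample data (documentation-range addresses) are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records: (time_s, src_ip, src_port, dst_port) per inbound SYN.
# Addresses are documentation ranges, not real scanners.
SAMPLE = [
    (10.000, "203.0.113.7", 41522, 22), (10.001, "198.51.100.10", 41522, 22),
    (10.002, "198.51.100.11", 41522, 22), (10.003, "192.0.2.50", 41522, 22),
    (10.004, "203.0.113.7", 41522, 22),
    (10.100, "203.0.113.7", 41522, 80), (10.101, "198.51.100.10", 41522, 80),
    (10.102, "192.0.2.50", 41522, 80), (10.103, "203.0.113.7", 41522, 80),
    (55.000, "192.0.2.99", 50211, 443),  # unrelated single connection
]

def is_hamburger(ips, min_fillings):
    """True if the first and last source match and appear only as the 'buns'."""
    if len(ips) < min_fillings + 2 or ips[0] != ips[-1]:
        return False
    fillings = ips[1:-1]
    return ips[0] not in fillings and len(set(fillings)) >= min_fillings

def split_bursts(packets, window):
    """Split time-ordered (time, ip) pairs into bursts spanning at most `window` seconds."""
    bursts, current = [], []
    for ts, ip in packets:
        if current and ts - current[0][0] > window:
            bursts.append(current)
            current = []
        current.append((ts, ip))
    if current:
        bursts.append(current)
    return bursts

def find_bun_sources(records, window=1.0, min_fillings=2):
    """Count, per source IP, the bursts in which it was both first and last sender."""
    by_ports = defaultdict(list)
    for ts, ip, sport, dport in sorted(records):
        by_ports[(sport, dport)].append((ts, ip))  # assumed: copies share the port pair
    buns = Counter()
    for packets in by_ports.values():
        for burst in split_bursts(packets, window):
            ips = [ip for _, ip in burst]
            if is_hamburger(ips, min_fillings):
                buns[ips[0]] += 1
    return buns

if __name__ == "__main__":
    for ip, n in find_bun_sources(SAMPLE).most_common():
        print(f"{ip}: bun in {n} burst(s)")
```

A hit is a triage lead based on the ordering described above, not proof of origin; confirm it with the active checks mentioned earlier, such as router path tracing.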

Contact us today toll free 1-888-392-9623 to find out more on how Adept Technologies can save you money by utilizing our services and technology.

Adept Media

Adept Technologies Inc.