Tags: network-programming, routes, ip-address, nmap, network-traffic

How does the nmap decoy option work?


nmap has a decoy option that can be used to give different IP addresses as the source IP.

I was wondering how this works. As far as I know, packets are routed based on their source and destination IP addresses, so when we send a packet with a different IP as the source, how does the answer get back to us?

Does this option work on a single broadcast domain, or can it be used across the internet too? Any link to a document or website about how this works would be great, thanks.


Solution

  • I was also looking for the answer to this question. I thought of leaving what I found with a quick search.

    how does the answer get back to us?

    We are not interested in getting all the SYN,ACK replies back to us. We only need that one reply that comes back to the attacker's IP to figure out that the port is open. The primary purpose of the decoy is to confuse the IDS on the target site. If there are 10 different clients sending TCP SYN to the server, it wouldn't be easy to find who is the attacker, and who are the innocent clients.

    Yes, the responses will be going back to the decoy addresses. That is why the following article says to make sure the decoy addresses are also alive because if they are not, the pattern of handshake will be different for the attacker and the dead decoy addresses, which the victim may be able to figure out and pinpoint the attacker's IP. https://nmap.org/book/man-bypass-firewalls-ids.html

    Does this option work on a single broadcast domain, or can it be used across the internet too?

    I don't see any reason why it should be from the same subnet. It can be any IP address(es).
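As an added illustration of the detection point made in this answer (example code written for this page, not code from the question, the answer, or nmap), the following takes a constructed packet summary as seen from the scanned host and flags SYN senders that never react to the SYN/ACK sent back to them. The log format, the addresses and the `TARGET` name are all assumptions for the example.

```python
from collections import defaultdict

# Constructed packet summaries (not captured traffic): "src dst tcp_flags" as
# seen at the scanned host 192.0.2.10. Three peers send a SYN to it. Two of
# them answer the SYN/ACK with a RST (a live host does that, whether it is
# the scanner or a live decoy); the third stays silent, i.e. a dead decoy.
SAMPLE_LOG = """\
198.51.100.7 192.0.2.10 S
203.0.113.9 192.0.2.10 S
203.0.113.44 192.0.2.10 S
192.0.2.10 198.51.100.7 SA
192.0.2.10 203.0.113.9 SA
192.0.2.10 203.0.113.44 SA
198.51.100.7 192.0.2.10 R
203.0.113.9 192.0.2.10 R
"""

TARGET = "192.0.2.10"  # assumed address of the scanned host


def parse_log(text):
    """Turn the constructed log into (src, dst, flags) tuples."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            src, dst, flags = line.split()
            packets.append((src, dst, flags))
    return packets


def classify_sources(packets, target=TARGET):
    """Map each peer that sent a SYN to the target onto 'live' or 'dead_decoy'."""
    state = defaultdict(lambda: {"syn": False, "synack": False, "followup": False})
    for src, dst, flags in packets:
        if dst == target and "S" in flags and "A" not in flags:      # pure SYN in
            state[src]["syn"] = True
        elif src == target and flags == "SA":                       # SYN/ACK out
            state[dst]["synack"] = True
        elif dst == target and "S" not in flags and ("R" in flags or "A" in flags):
            state[src]["followup"] = True                           # RST or ACK in
    verdicts = {}
    for peer, s in state.items():
        if not s["syn"]:
            continue
        silent = s["synack"] and not s["followup"]
        verdicts[peer] = "dead_decoy" if silent else "live"
    return verdicts


def likely_spoofed(packets, target=TARGET):
    """Sorted list of SYN senders that never reacted to the SYN/ACK."""
    return sorted(p for p, v in classify_sources(packets, target).items() if v == "dead_decoy")
```

The check only separates dead decoys from live hosts; a live decoy and the real scanner both send a RST and look identical here, which is exactly why the nmap documentation linked above recommends using decoys that are up.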