nmap has a decoy option that can be used to give different IP addresses as the source IP.
I was wondering how this works. As far as I know, packets are routed based on their source and destination IP addresses, so when we send a packet with a different IP as the source, how does the answer get back to us?
Does this option work on a single broadcast domain, or can it be used across the internet too?
Any link to a document or website about how this works would be great, thanks.
I was also looking for the answer to this question. I thought of leaving what I found with a quick search.
how does the answer get back to us?
We are not interested in getting all the SYN,ACK replies back to us. We only need that one reply that comes back to the attacker's IP to figure out that the port is open. The primary purpose of the decoy is to confuse the IDS on the target site. If there are 10 different clients sending TCP SYN to the server, it wouldn't be easy to find who the attacker is and who the innocent clients are.
Yes, the responses will be going back to the decoy addresses. That is why the following article says to make sure the decoy addresses are also alive because if they are not, the pattern of handshake will be different for the attacker and the dead decoy addresses, which the victim may be able to figure out and pinpoint the attacker's IP.
https://nmap.org/book/man-bypass-firewalls-ids.html
Does this option work on a single broadcast domain, or can it be used across the internet too?
I don't see any reason why it should be from the same subnet. It can be any IP address(es).
For example, if I visit https://www.google.com, how do I get it to show on Wireshark? I've tried filtering by HTTP, but when I visit the website I don't see anything on Wireshark.
I'm really inexperienced at Wireshark and these kinds of things in general, and I would appreciate it if you could help!
You said you were filtering via HTTP, which is port 80 TCP, but the address you are visiting is HTTPS, which is port 443 TCP.
I was having a doubt about how the browser gets the data from a website. I read these two links:
how can an application use port 80/HTTP without conflicting with browsers?
and
Port 80 blocked on my ISP so how my browser still works?
With this I understand that the browser opens a local random source port and connects to port 80 of the website. Now our system firewall has opened all outbound connections and blocked all incoming connections as the default configuration. So how does it get back the response? Similarly, how does the response come back when our home routers and ISP have ports blocked?
So now, I am assuming that a connection is somewhat different from a response. And there must be some sort of header/information that is sent along which helps in recognizing it as a response? And this helps in bypassing the ports?
My humble apologies in case I am messing up all the terminology, and thanks for your patience. I am a beginner in this stuff. Any link to a guide will be very useful.
So how does it get back the response?
Assuming you're talking about a firewall or NAT, these devices track outgoing connections, and allow replies to pass through. Connections are typically identified using Source IP + Destination IP + Source Port + Destination Port + Protocol (TCP/UDP). These connection identifiers are stored in a table in the NAT/Firewall.
This is probably a dumb question but does www.google-analytics.com have a fixed IP? I ask because due to the vagaries of the project I'm on we need to make sure that traffic aimed at www.google-analytics.com (i.e. traffic from our website) does not get blocked at a certain point in the network. We can ensure it is not blocked with a rule, but the rule demands both a URL and IP address.
So do you know, is the IP address for Google Analytics fixed?
Cheers!
Dave
I've noticed recently that I don't have to forward ports for MMORPGs that I play.
I'm thinking about working on a game that people can play online and had a question.
Why is this the case, given it's a two-way socket connection that is constantly sending data back and forth? Doesn't their server need to get through my firewall in order to connect to me?
TCP crash lesson: TCP is a two-way protocol. The challenge is that at least one host needs to initiate. Since within an MMORPG, your own computer is never acting as a server, nobody has to connect to it. All the information about game state is passed through the company's public facing servers that have public facing IP addresses (and hey, maybe they actually use port forwarding there, just to confuse my explanation... but you never have to see their pretty network internals, proxies, and other wizardry.).
Anyway, when you connect to Stackoverflow, you're making one outbound connection that requests data from the server, and then over that same connection you're receiving it back. Same exact scenario, only with a webserver instead of a game.
UPnP allows you to tackle many routers. There's also NAT Punch-Through if you have access to a third party that isn't behind a router.
Either way, port forwarding is only necessary if you wish to act as a server (or the sender in a P2P relationship). A client does not need to forward ports.
You don't need to forward ports to access the web either, despite data coming in as well.
When you make an outgoing TCP connection, your NAT router puts the connection in a table, so that when data comes in, it knows what machine in your LAN to send the packet to.
Everyone mentions TCP, but NAT works for UDP as well: The first outgoing UDP packet associates that source port with the internal IP address, and your NAT device will forward incoming traffic to that port to the correct host on the internal network.
In other words, if your computer requests the connection (outbound) first, the router opens up the port automatically, on the assumption that you're going to want data back. But if you want remote users to connect to your computer without your computer requesting it, the router would normally drop the packets since it wouldn't know where to send them (they were unsolicited). So instead, you need to tell the router to deliver any unsolicited packets at port N to your computer.
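A toy model of the connection table that both the firewall/NAT answer (source IP + destination IP + source port + destination port + protocol) and the answer just above describe, written as an added example that is not from any of the posts. All IP addresses and port numbers are constructed; the router hands out external ports sequentially and only admits inbound packets whose reverse tuple was recorded by an outbound packet or that match a static port forward.

```python
"""Minimal model of a NAT router's connection-tracking table (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp": tracking works the same way for both
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000   # next external port to hand out for an outbound flow
        self.table = {}          # (proto, ext_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.forwards = {}       # (proto, ext_port) -> (lan_ip, lan_port): static port forwards

    def forward_port(self, proto, ext_port, lan_ip, lan_port):
        """Tell the router where unsolicited packets for ext_port should be delivered."""
        self.forwards[(proto, ext_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """A LAN host opens a flow: record it and rewrite the source to the public IP."""
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """A packet from the internet: deliver if it matches a tracked flow or a forward, else drop."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)   # reverse of the stored tuple
        if key in self.table:
            lan_ip, lan_port = self.table[key]
        elif (pkt.proto, pkt.dst_port) in self.forwards:
            lan_ip, lan_port = self.forwards[(pkt.proto, pkt.dst_port)]
        else:
            return None      # unsolicited and no forwarding rule: the router drops it
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo():
    router = NatRouter("203.0.113.5")                                  # constructed public IP
    syn = Packet("tcp", "192.168.1.10", 51234, "198.51.100.7", 443)    # browser to a web server
    on_wire = router.outbound(syn)                                     # leaves as 203.0.113.5:40000
    reply = Packet("tcp", "198.51.100.7", 443, on_wire.src_ip, on_wire.src_port)
    delivered = router.inbound(reply)                                  # mapped back to 192.168.1.10:51234
    unsolicited = Packet("tcp", "198.51.100.9", 5555, "203.0.113.5", 25565)
    dropped = router.inbound(unsolicited)                              # None: nobody asked for it
    router.forward_port("tcp", 25565, "192.168.1.10", 25565)           # the "port forward" case
    forwarded = router.inbound(unsolicited)                            # now delivered to the LAN host
    return on_wire, delivered, dropped, forwarded
```

Because the lookup key includes the remote address and port, a packet from a different remote host to the same external port is also dropped; a real router's behaviour here varies with its NAT type, and this model uses the strict form.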
Sorry to add another answer so late, and I know one was already accepted, but I personally found the other answers to be more confusing than this simple explanation.