diff --git a/docs/refguide.xml b/docs/refguide.xml
index 0ac9e4487..c4a83713f 100644
--- a/docs/refguide.xml
+++ b/docs/refguide.xml
@@ -2525,7 +2525,9 @@ lists the relevant options and describes what they do.
common port scan detectors (such as Solar Designer's
excellent scanlogd) are unlikely to show your IP address at
all. If you don't use ME, nmap will put
- you in a random position. Note that the hosts
+ you in a random position. You can also use RND to generate
+ a random, non-reserved IP address, or RND:<number> to
+ generate <number> addresses. Note that the hosts
you use as decoys should be up or you might accidentally SYN
flood your targets. Also it will be pretty easy to determine
which host is scanning if only one is actually up on the
diff --git a/nmap.cc b/nmap.cc
index 3161631ba..980796981 100644
--- a/nmap.cc
+++ b/nmap.cc
@@ -918,6 +918,25 @@ int nmap_main(int argc, char *argv[]) {
if (o.decoyturn != -1)
fatal("Can only use 'ME' as a decoy once.\n");
o.decoyturn = o.numdecoys++;
+ } else if (!strcasecmp(p, "rnd") || !strncasecmp(p, "rnd:", 4)) {
+ int i = 1;
+
+ /* 'rnd:' is allowed and just gives them one */
+ if (strlen(p) > 4)
+ i = atoi(&p[4]);
+
+ if (i < 1)
+ fatal("Bad 'rnd' decoy \"%s\"", p);
+
+ if (o.numdecoys + i >= MAX_DECOYS - 1)
+ fatal("You are only allowed %d decoys (if you need more redefine MAX_DECOYS in nmap.h)", MAX_DECOYS);
+
+ while (i--) {
+ do {
+ o.decoys[o.numdecoys].s_addr = get_random_u32();
+ } while (ip_is_reserved(&o.decoys[o.numdecoys]));
+ o.numdecoys++;
+ }
} else {
if (o.numdecoys >= MAX_DECOYS -1)
fatal("You are only allowed %d decoys (if you need more redefine MAX_DECOYS in nmap.h)", MAX_DECOYS);