Document some limitations of decoys in the source and in the reference

guide. They don't honor scan delay and may violate congestion control. Both this things should be fixed. I was going to do it by having get_next_target_probe just return the same probe multiple times, and then either extend struct probespec to include a source address or have sendIPScanProbe keep track of the decoy index and fill in source addresses. But I was stopped by timing pings. Those should certainly be decoyed, but in the code they are just sent as they are needed, and don't have a dispatching function to modify. What would be good is a global queue of probes waiting to be sent you could just insert all your spoofed probes into, and then let the rest of the code take care of scheduling them.
2025-12-15 20:29:03 +00:00 · 2008-05-02 20:38:27 +00:00
parent 9c96ad1340
commit 85c8ece184
2 changed files with 11 additions and 2 deletions
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -2694,7 +2694,12 @@ static UltraProbe *sendArpScanProbe(UltraScanInfo *USI, HostScanStats *hss,
 }

 /* If this is NOT a ping probe, set pingseq to 0.  Otherwise it will be the
-   ping sequence number (they start at 1).  The probe sent is returned. */
+   ping sequence number (they start at 1).  The probe sent is returned.
+   
+   This function also handles the sending of decoys. There is no fine-grained
+   control of this; all decoys are sent at once on one call of this function.
+   This means that decoys do not honor any scan delay and may violate congestion
+   control limits. */
 static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss, 
 			    const probespec *pspec, u8 tryno, u8 pingseq) {
  u8 *packet = NULL;