Operator On The Wire
← Back to Knowledge Base
BLUE TEAM / SOC / FILTERING / ATTACKS / TRANSPORT LAYER / SCANNING

Decoy Scanning


Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Goal

  • Confuse attribution
  • Pollute logs
  • Appear distributed

Red flags

  • Multiple source IPs targeting same host
  • Identical TTL values across “different” IPs
  • Identical TCP window sizes
  • Same TCP options
  • Same port timing pattern

Defense

  1. Have our IDS/IPS/Firewall act as the destination host would - In the sense that reconstructing the packets gives a clear indication of malicious activity.
  2. Watch for connections started by one host, and taken over by another - The attacker after all has to reveal their true source address in order to see that a port is open. This is strange behavior and we can define our rules to prevent it.

Filters

# Many sources → one destination
tcp.flags.syn == 1 && tcp.flags.ack == 0

# Check identical TCP fingerprints
tcp.flags.syn == 1