Nmap has an option to "hide" your real IP among either a provides or IP
list of IP addresses.
" D *<**decoy1**>*[,*<**decoy2**>*][,ME][,...] (Cloak a scan with decoys)
Causes a decoy scan to be performed, which makes it appear to the remote
host that the host(s) you specify as decoys are scanning the target network
too. Thus their IDS might report 5–10 port scans from unique IP addresses,
but they won't know which IP was scanning them and which were innocent
decoys. While this can be defeated through router path tracing,
response-dropping, and other active mechanisms, it is generally an
effective technique for hiding your IP address."
http://nmap.org/book/man-bypass-firewalls-ids.html
We recently got an abuse report of an IP address in our net range.
However, that IP address isn't in use in our networks and the covering
network is null routed, so no return traffic is possible. We have external
BGP monitoring, so unless something very tricky is going on, we don't have
part of our prefix hijacked.
I assume the source address was spoofed, but this leads to my question.
Since the person that submitted the report didn't mention a high packet
rate (it was on ssh port 22), it doesn't look like some sort of SYN attack,
but any OS fingerprinting or doorknob twisting wouldn't be useful from the
attacker if the traffic doesn't return to them, so what gives?
BTW, we are in the ARIN region, the report came out of the RIPE region.
Either the reporter doesn't know what they're talking about (common enough)
or someone is scanning for open ssh ports, hiding their real IP address by
burying it in a host of faked source addresses. That's a standard option on
some of the stealthier port scanners, IIRC.
Cheers,
Steve