Nmap decoy scans can make it look like a scan is originating from dozens or hundreds of fake IP addresses, but their actual effectiveness is almost nil against modern defenses.

Here’s a scan in progress using decoys:

nmap -D RND:100 192.168.1.0/24 -oN scan_with_decoys.txt

This command tells Nmap to send probes from your real IP address and from 100 randomly generated decoy IP addresses, writing normal output to scan_with_decoys.txt. The idea is to flood the target’s network logs with traffic from non-existent sources, making it harder to identify the true scanner.

The problem Nmap decoys solve is attribution. In a world of increasingly sophisticated network monitoring, simply scanning from your own IP address can quickly lead to your source being identified, blocked, or even flagged as malicious. Decoys attempt to muddy the waters by distributing the scan’s origin across many IP addresses.

Internally, Nmap achieves this by constructing IP packets with source IP addresses that are not your own. When you specify -D RND:100, Nmap doesn’t actually send packets from 100 different machines. Instead, it crafts packets where the source IP address is randomly chosen from the private IP address range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or other unroutable blocks. These packets are then sent out through your network interface. The destination host receives these packets and, if it’s configured to log incoming traffic, it will see traffic seemingly originating from these decoy IPs.

The primary levers you control with decoy scans are the number of random decoys (RND:N) and the specific IPs you want to use as decoys (-D 192.168.1.1,10.0.0.5,ME). ME is a special keyword that marks where your actual IP address appears in the decoy list.

The most surprising thing about Nmap decoy scans is that they don’t actually send traffic from the decoy IPs. Nmap constructs the packets with fake source IPs, but these packets are sent from your machine. The target system sees packets appearing to come from those decoy IPs, but the actual network path is still traceable back to your originating IP if the target has sufficient visibility into its own network traffic.

The real limitation is that modern firewalls and intrusion detection systems (IDS) often operate at network perimeters and can see the actual source IP of any traffic attempting to reach the target network. While the target might log numerous connections from bogus IPs, the connection originating from your actual IP address will still be present and identifiable. Furthermore, many decoy IPs used in RND mode are from private or unroutable ranges, which any properly configured firewall would likely drop or flag as spoofed traffic, negating the intended obfuscation.
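The two observations above (many sources probing the same ports inside one short window, and some of those sources sitting in private or unroutable space that could never legitimately arrive on an external interface) are exactly what a defender can key on. The script below is an added example written for this page, not code from the Nmap project: it parses a constructed, simplified firewall log format (the `IN=`/`SRC=`/`DST=`/`DPT=`/`FLAGS=` fields are an assumption, not any real product’s output), groups SYN probes by destination, port and time bucket, labels sources in bogon space as certainly spoofed, and reports whatever non-bogon address remains in each cluster as the candidate real scanner. The TEST-NET documentation ranges in the sample stand in for ordinary public addresses.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (simplified format for this example; not real firewall output).
# One scanner (198.51.100.7) probes ports 22 and 443 alongside three RND-style
# decoys from private space; a single unrelated client hits 443 a few minutes later.
SAMPLE_LOG = """\
2024-01-10T12:00:01 IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22 FLAGS=S
2024-01-10T12:00:01 IN=eth0 SRC=10.4.5.6 DST=203.0.113.10 PROTO=TCP DPT=22 FLAGS=S
2024-01-10T12:00:01 IN=eth0 SRC=172.20.9.9 DST=203.0.113.10 PROTO=TCP DPT=22 FLAGS=S
2024-01-10T12:00:01 IN=eth0 SRC=192.168.77.3 DST=203.0.113.10 PROTO=TCP DPT=22 FLAGS=S
2024-01-10T12:00:02 IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443 FLAGS=S
2024-01-10T12:00:02 IN=eth0 SRC=10.4.5.6 DST=203.0.113.10 PROTO=TCP DPT=443 FLAGS=S
2024-01-10T12:00:02 IN=eth0 SRC=172.20.9.9 DST=203.0.113.10 PROTO=TCP DPT=443 FLAGS=S
2024-01-10T12:00:02 IN=eth0 SRC=192.168.77.3 DST=203.0.113.10 PROTO=TCP DPT=443 FLAGS=S
2024-01-10T12:05:30 IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=443 FLAGS=S
"""

# Blocks that must never be a source on an Internet-facing interface: RFC 1918
# private space plus loopback, link-local, "this network", multicast and class E.
# The TEST-NET documentation ranges used in SAMPLE_LOG are deliberately not listed,
# so they behave like public addresses here.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "224.0.0.0/4", "240.0.0.0/4",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP DPT=(?P<dport>\d+) FLAGS=(?P<flags>\S+)$"
)


def is_bogon(ip_str):
    """True if the address lies in a block that cannot legitimately arrive from outside."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in BOGON_NETS)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "iface": d["iface"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "syn": d["flags"] == "S",
        })
    return events


def detect_decoy_scan(text, external_iface="eth0", window=2, min_sources=3):
    """Cluster SYN probes by (dst, dport, time bucket). A cluster hit by many
    distinct sources within one short window is the decoy-scan signature; bogon
    sources in it are spoofed by definition, and the rest are candidate scanners."""
    groups = defaultdict(set)
    for ev in parse_log(text):
        if ev["iface"] != external_iface or not ev["syn"]:
            continue
        bucket = int(ev["ts"].timestamp()) // window
        groups[(ev["dst"], ev["dport"], bucket)].add(ev["src"])

    clusters, spoofed, candidates = [], set(), set()
    for (dst, dport, _bucket), sources in sorted(groups.items()):
        if len(sources) < min_sources:
            continue  # a lone client on one port is normal traffic, not a decoy burst
        bogons = {s for s in sources if is_bogon(s)}
        clusters.append({"dst": dst, "dport": dport,
                         "sources": sorted(sources), "spoofed": sorted(bogons)})
        spoofed |= bogons
        candidates |= sources - bogons
    return {"clusters": clusters, "spoofed": spoofed, "candidate_scanners": candidates}


if __name__ == "__main__":
    result = detect_decoy_scan(SAMPLE_LOG)
    for c in result["clusters"]:
        print(f"{c['dst']}:{c['dport']} probed by {len(c['sources'])} sources, "
              f"{len(c['spoofed'])} from bogon space: {c['spoofed']}")
    print("candidate real scanner(s):", sorted(result["candidate_scanners"]))
```

On the sample, both port clusters contain three RFC 1918 sources and one public one, so the script names 198.51.100.7 as the only candidate scanner and leaves the later single client on 443 alone. The bogon check is the cheap, high-confidence part; the clustering is what catches decoy lists built from routable addresses, where the real source is narrowed down rather than proven.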

The next logical step after exploring source obfuscation is to consider timing and stealthier scan types like ACK scans or FIN scans.
