Slashdot Mirror


Distributed Computing for Tracking Net Problems?

Osrin asks: "A software firewall package that came with a recent computer purchase is using a site called MyNetWatchman to track, catalog and escalate firewall incidents back to ISPs. I was wondering what Slashdot readers think of this type of solution and which other Internet problems it would lend itself to helping resolve?"

1 of 15 comments

  1. Spoofed addresses by Anonymous Coward · Score: 5, Informative
    When blocking a TCP connection most firewalls will just drop the SYN packet and log it. Since the 3-way handshake has not been completed, it is impossible to verify the source address and silly to notify the "sending" ISP. If you actually ran a service on that port which accepted, logged, and closed the connection, then it would be OK (but there's no trick like this to detect spoofed UDP packets).

    nmap has an option ("-S") to spoof the source address. Here's the documentation from the man page:
    Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a company being repeatedly port scanned by a competitor! This is not a supported usage (or the main purpose) of this flag. I just think it raises an interesting possibility that people should be aware of before they go accusing others of port scanning them. -e would generally be required for this sort of usage.
    You could also combine this with the -D (decoy) option, which accepts a list of addresses to spoof. More text from the same man page:
    The real moral of the story is that detectors of spoofable port scans should not take action against the machine that seems like it is port scanning them. It could just be a decoy!
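The "accept, log, close" idea from the comment above, as an added example that is not part of the original post: a TCP listener records a peer address only after accept() returns (i.e. after the three-way handshake), while a UDP listener can record a datagram's source but never mark it verified. It assumes a loopback-only demonstration with OS-chosen ports; the log entries and the probe datagram are constructed.

```python
import socket
import threading

def start_tcp_logger(host="127.0.0.1", max_conns=1):
    # Accept, log, close: accept() returns only after the client's final ACK,
    # so the address it reports cannot come from a single spoofed SYN.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    log = []                     # constructed log, one dict per event
    def serve():
        for _ in range(max_conns):
            conn, peer = srv.accept()
            log.append({"proto": "tcp", "src": peer[0], "verified": True})
            conn.close()
        srv.close()
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, log, t

def start_udp_logger(host="127.0.0.1", max_dgrams=1):
    # No handshake exists for UDP: the source is logged but stays unverified.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    port = srv.getsockname()[1]
    log = []
    def serve():
        for _ in range(max_dgrams):
            _data, addr = srv.recvfrom(1024)
            log.append({"proto": "udp", "src": addr[0], "verified": False})
        srv.close()
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, log, t

def demo():
    # Exercise both listeners over loopback and return the combined log.
    tcp_port, tcp_log, tcp_t = start_tcp_logger()
    with socket.create_connection(("127.0.0.1", tcp_port), timeout=5):
        pass                     # handshake completed, connection then closed
    udp_port, udp_log, udp_t = start_udp_logger()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.sendto(b"probe", ("127.0.0.1", udp_port))   # constructed datagram
    tcp_t.join(5)
    udp_t.join(5)
    return tcp_log + udp_log
```

Only entries with "verified": True are worth escalating to an ISP; the UDP entry shows why a dropped-packet log alone is not evidence of who sent it.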