Create Decoys (-D <decoy1 [,decoy2][,ME],...>)
The -D option allows nmap to create packets that appear to originate from other IP addresses. This IP address spoofing allows nmap to simulate many different devices when performing certain scans.
Decoys are useful for testing intrusion detection systems (IDS) or intrusion prevention systems (IPS) and their reaction to multiple simultaneous scans. Some IDS/IPS systems' capabilities may be limited, and the decoy scan can assist in determining the maximum amount of visibility expected from these systems under different attack configurations.
Decoys won't work with the RPC scan (-sR), Idlescan (-sI), TCP connect() scan (-sT), or the FTP bounce scan (-b). The decoys will appear during the nmap ping process, many of the other nmap scans, and during an operating system scan (-O).
One of the -D options is to use ME as a decoy name. This identifies the nmap station itself as one of the devices to use during the scan, and the frames will be sent in the order in which the decoys are added to the nmap command line. If ME is placed near the end of the list, there's a better chance of the nmap station circumventing IDS or IPS alarms.
This feature is best used when the destination device is not on the same IP subnet as the nmap station. Although the IP addresses are spoofed, the MAC address of the nmap station will not be spoofed. Close examination of a network trace file on the nmap subnet will clearly show the real hardware address behind the spoofed IP addresses.
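The trace-file check described above, as an added defender-side example that is not part of the original text: it reads tcpdump -e -n style lines and flags any MAC address on the local segment that sourced frames for more than one IP. The sample lines, MAC addresses and IPs are constructed, and the gateway MAC is an assumed value you would supply from your own network.

```python
import re
from collections import defaultdict

# Constructed tcpdump -e -n style lines (not a real capture) as a trace on the
# nmap station's own subnet would show a decoy scan: three source IPs, one MAC.
SAMPLE_TRACE = """\
12:00:01.000101 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.5.40001 > 10.0.1.20.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000205 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.6.40001 > 10.0.1.20.22: Flags [S], seq 2, win 1024, length 0
12:00:01.000310 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.7.40001 > 10.0.1.20.22: Flags [S], seq 3, win 1024, length 0
12:00:01.004000 aa:bb:cc:dd:ee:01 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 10.0.0.9.51000 > 10.0.1.20.443: Flags [S], seq 4, win 64240, length 0
12:00:01.005000 aa:bb:cc:dd:ee:ff > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 74: 192.168.5.4.443 > 10.0.0.9.51000: Flags [S.], seq 5, ack 5, win 64240, length 0
12:00:01.006000 aa:bb:cc:dd:ee:ff > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 74: 192.168.5.8.80 > 10.0.0.9.51001: Flags [S.], seq 6, ack 6, win 64240, length 0
"""

# Source MAC, source IP and destination IP of an IPv4 frame in tcpdump -e -n form.
FRAME_RE = re.compile(
    r"^\S+ (?P<mac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.\d+:"
)

def parse_frames(text):
    """Yield (src_mac, src_ip, dst_ip) for every line the regex recognises."""
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            yield m["mac"].lower(), m["src"], m["dst"]

def shared_mac_sources(frames, gateway_macs=(), min_ips=2):
    """Map each MAC that sourced min_ips or more distinct IPs to those IPs.

    A router MAC legitimately carries many source IPs from other subnets, so
    known gateway MACs are excluded; anything left is a host on this segment
    emitting frames for IPs that are not its own, which is what -D decoys
    look like from the nmap station's subnet.
    """
    skip = {m.lower() for m in gateway_macs}
    ips_by_mac = defaultdict(set)
    for mac, src_ip, _dst in frames:
        if mac not in skip:
            ips_by_mac[mac].add(src_ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    # Assumed gateway MAC for the constructed segment.
    hits = shared_mac_sources(parse_frames(SAMPLE_TRACE), gateway_macs={"aa:bb:cc:dd:ee:ff"})
    for mac, ips in hits.items():
        print(f"{mac} sent frames for {len(ips)} source IPs: {', '.join(ips)}")
```

Without the gateway exclusion the router's MAC is reported too, which is the usual false positive when this check is run naively.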
The decoy option is a good example of how "active filtering" can become a detriment on a production network. If decoy stations are used to scan a device, an active firewall reconfiguration or active IPS blocking may prevent legitimate traffic from traversing the network. An overly aggressive active filtering profile can inadvertently create self-inflicted denial of service attacks! This nmap scan can assist network teams with testing and tuning of existing systems to help prevent these situations from occurring.