Idle Scan is an advanced TCP port scanning technique. In this method, an attacker uses a “zombie” computer (a machine in an idle state) to perform port scanning on target systems.
π― Basic Concepts
Idle Scan is based on three important facts:
TCP Port State Verification
- Open port β Responds with SYN/ACK packet
- Closed port β Responds with RST packet
Unsolicited Packet Response
- Unsolicited SYN/ACK β Responds with RST
- Unsolicited RST β Ignored
IP ID Characteristics
- Each IP packet has a unique IP ID
- Most OS increment IP ID for each sent packet
π‘οΈ Security Features
Advantages
- Complete stealth capability
- Conceals attacker’s IP address
- Can bypass certain firewalls
Considerations
- Zombie machine is detected as scan source
- IDS alerts are triggered for zombie machine
π§ Technical Mechanism
Scanning Process
- Record zombie machine’s IP ID
- Send SYN packet to zombie machine
- Observe target’s response
- Analyze IP ID changes
Result Interpretation
- IP ID increases by 2 β Port is open
- IP ID increases by 1 β Port is closed
β οΈ Security Countermeasures
Network Level
- Strict packet filtering
- Monitor abnormal IP ID patterns
- Identify and block zombie machines
System Level
- Use random IP IDs
- Implement strict access control
- Regular security audits