Idle Scan is an advanced TCP port scanning technique. In this method, an attacker uses a “zombie” computer (a machine in an idle state) to perform port scanning on target systems.
🎯 Basic Concepts
Idle Scan is based on three important facts:
TCP Port State Verification
- Open port → Responds with SYN/ACK packet
- Closed port → Responds with RST packet
Unsolicited Packet Response
- Unsolicited SYN/ACK → Responds with RST
- Unsolicited RST → Ignored
IP ID Characteristics
- Each IP packet carries an IP ID (the identification field)
- Most operating systems increment the IP ID by one for each packet they send
🛡️ Security Features
Advantages
- Complete stealth capability
- Conceals attacker’s IP address
- Can bypass certain firewalls
Considerations
- Zombie machine is detected as scan source
- IDS alerts are triggered for zombie machine
🔧 Technical Mechanism
Scanning Process
- Record zombie machine’s IP ID
- Send SYN packet to zombie machine
- Observe target’s response
- Analyze IP ID changes
Result Interpretation
- IP ID increases by 2 → Port is open
- IP ID increases by 1 → Port is closed
⚠️ Security Countermeasures
Network Level
- Strict packet filtering
- Monitor for abnormal IP ID patterns
- Identify and block zombie machines
System Level
- Use random IP IDs
- Implement strict access control
- Regular security audits
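To make the three facts under Basic Concepts, the Result Interpretation rule, and the "Use random IP IDs" countermeasure concrete, here is an added simulation that is not part of the original page and sends no packets: constructed Zombie and Target objects exchange dictionaries standing in for TCP segments, idle_scan() applies the +2 / +1 rule, and setting randomize=True on the zombie shows why the inference stops working once IP IDs are randomized.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Idle host; its IP ID counter is what the scan reads indirectly (constructed model)."""
    ip_id: int = 1000
    randomize: bool = False  # countermeasure from the page: random IP ID per packet

    def _next_id(self) -> int:
        self.ip_id = random.randrange(65536) if self.randomize else (self.ip_id + 1) & 0xFFFF
        return self.ip_id

    def receive(self, pkt: dict):
        # Unsolicited SYN/ACK -> answers RST (consumes one IP ID); unsolicited RST -> ignored.
        if pkt["flags"] == "SYN/ACK":
            return {"flags": "RST", "ip_id": self._next_id()}
        return None


@dataclass
class Target:
    open_ports: set = field(default_factory=set)
    filtered_ports: set = field(default_factory=set)  # firewall silently drops the SYN

    def receive(self, pkt: dict):
        # SYN to an open port -> SYN/ACK; closed -> RST; filtered -> no reply at all.
        if pkt["dport"] in self.filtered_ports:
            return None
        return {"flags": "SYN/ACK" if pkt["dport"] in self.open_ports else "RST"}


def probe_ip_id(zombie: Zombie) -> int:
    """Read the zombie's current IP ID from the RST it sends back to a SYN/ACK."""
    return zombie.receive({"flags": "SYN/ACK"})["ip_id"]


def idle_scan(zombie: Zombie, target: Target, port: int) -> str:
    """Infer one port's state from how many packets the zombie emitted meanwhile."""
    before = probe_ip_id(zombie)
    # The SYN is spoofed with the zombie's address, so the target's reply goes to the zombie.
    reply = target.receive({"flags": "SYN", "dport": port})
    if reply is not None:
        zombie.receive(reply)  # SYN/ACK makes the zombie send RST (+1); RST is ignored (+0)
    delta = (probe_ip_id(zombie) - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"  # a filtered port looks identical: nmap reports closed|filtered
    return "unknown"  # busy zombie or randomized IP IDs: inference is no longer reliable
```

A port whose SYN is dropped by a firewall yields the same +1 as a closed port, which is why the result for that case is only "closed" here and why a busy or randomizing zombie makes the delta meaningless.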