{"id":11768,"date":"2017-02-01T08:00:59","date_gmt":"2017-02-01T08:00:59","guid":{"rendered":"http:\/\/www.icterra.com\/what-is-idle-scan\/"},"modified":"2021-10-04T12:49:46","modified_gmt":"2021-10-04T12:49:46","slug":"what-is-idle-scan","status":"publish","type":"post","link":"https:\/\/www.icterra.com\/de\/what-is-idle-scan\/","title":{"rendered":"What is Idle Scan?"},"content":{"rendered":"

Author: Şeref Selçuk ŞAHİN, System Architect – Cyber Security

\"\"<\/strong><\/p>\n

Idle scan is a TCP-based port scan in which the attacker sends spoofed packets to a passive (also called "silent") victim host. By "passive" we mean that the incoming and outgoing traffic of the victim host is very low. (The reason for this requirement will become clear throughout the article.)

Before we go into the deeper details of the Idle Scan, two concepts have to be understood clearly:

1) IP ID
2) Response of a host to certain TCP flags.

IP ID(entification) Field

IP ID is a 16-bit field in the IPv4 header that is used for IP fragmentation. We won't dig deeper into the IP ID field in this article, but you need to know that the (randomly chosen initial) IP ID value is, in most implementations, incremented by one for each IP packet that arrives at the victim host. (For more information about the IP ID field see https://www.cellstream.com/intranet/reference-reading/tipsandtricks/314-the-purpose-of-the-ip-id-field-demystified.html and https://tools.ietf.org/html/rfc6864.)

TCP Flags

The response of a host to a SYN segment depends on the values of the flags in the TCP header. To thoroughly understand the Idle Scan concept you have to know the following TCP responses.

1.) If a host receives a TCP segment in which the SYN and ACK flags are both set, it responds with the RST flag, since there is no corresponding session (the host never sent a SYN that this SYN/ACK could be answering).


2.) If a host receives a TCP segment on an open port in which only the SYN flag is set (which signals an intent to set up a TCP connection), it responds with a segment in which the SYN and ACK flags are set.

\"\"<\/p>\n

3.) If a host receives a TCP segment on a closed port in which only the SYN flag is set, it responds with the RST flag.

\"\"<\/p>\n

4.) If a firewall or a similar access control device blocks access to some ports of the host, these ports are called filtered ports. If a SYN segment is sent to a filtered port, the host gives no response at all, because the segment never reaches the host: the firewall simply drops the packet. (The result is the same for other TCP segments.)

\"\"<\/p>\n

To give a summary: