Nmap Development mailing list archives
Idle scan detection thoughts (newbie)
From: Christos Gioran <himicos () freemail gr>
Date: Sun, 17 Aug 2003 12:16:51 -0700
[ Redirected from nmap-hackers to nmap-dev --Fyodor ]

Hi list, I was wondering how an idle scan can be intercepted. Based on what I have read, the zombie receives a lot of packets from a host that it has no connection to. Most of them are RST packets, since a host has no more than, say, 50 ports (correct?) open out of 2^16. If the attacker does a generic port scan and does not target, for instance, 20 well-known ports, then the zombie host will be flooded with RST packets from the target. But that could be detected by an IDS, since it does not fall within the limits of normal traffic. I doubt whether a host receives thousands of RST packets in a relatively short time on a daily basis. Even so, it is certain that it must be combined with a flood of SYN/ACK from the offending host, which can also be detected.

My point (or question, if you like) is that an idle scan can be easily detected at the zombie host with an IDS. Such being the case, do any rules for Snort exist?

It occurs to me that if such is the case, then using more than one zombie host and randomizing the scans among them could ease the load on each one and finally bypass any IDS set up as I assume it could be above. Combining that with large timing options (-T2) and decoy scans (is it possible??), there shouldn't be much left to detect. Is such a feature, if proven necessary, going to be implemented in nmap? It obviously can be done by hand, but just for that time-saving, computer-assisted touch, it would be worth it.

Just an idea.

CG

P.S. I realise that even if I am correct, a host that is idle && has predictable IPID sequence generation is most probably not even running an IDS or even a firewall. But let's keep that out of the discussion, since (in my opinion) it is beside the point.

P.S.2 Would a database of OSes (including possible SP #'s for Windows) with predictable IPID generation be useful? I realise that -O gives such info, but it wouldn't hurt to know in advance what to target, given several choices.

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
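The detection idea in the post (a zombie host suddenly receiving a burst of RSTs from one peer it never talked to, plus a burst of unsolicited SYN/ACKs from another) can be checked against a packet record from the zombie's own vantage point. The following is an added example, not code from the post or from nmap: it scans a constructed list of packet summaries, counts per-peer inbound RSTs and unsolicited SYN/ACKs in a sliding time window, and raises an alert when a peer exceeds a threshold. The IP addresses are from the RFC 5737 documentation ranges, and the window size and thresholds are assumed values a defender would tune to the host's normal traffic.

```python
from collections import defaultdict

# Constructed sample traffic as observed on the zombie host 10.0.0.5.
# Each record is (timestamp_seconds, src_ip, dst_ip, tcp_flags); flags use
# the usual letters: S = SYN, A = ACK, R = RST, so "SA" is a SYN/ACK.
ZOMBIE_IP = "10.0.0.5"
SAMPLE_PACKETS = (
    # Normal activity: the zombie opens a connection and gets an expected SYN/ACK.
    [(0.05, ZOMBIE_IP, "203.0.113.3", "S"), (0.06, "203.0.113.3", ZOMBIE_IP, "SA")]
    # A couple of stray RSTs from a legitimate peer (well below any threshold).
    + [(1.0, "203.0.113.4", ZOMBIE_IP, "R"), (2.0, "203.0.113.4", ZOMBIE_IP, "R")]
    # 80 RSTs from one host in 8 seconds: what closed ports on a scan target
    # would send back to the zombie when probed with its spoofed address.
    + [(i * 0.1, "192.0.2.10", ZOMBIE_IP, "R") for i in range(80)]
    # 80 SYN/ACKs from another host the zombie never sent a SYN to.
    + [(i * 0.1, "198.51.100.7", ZOMBIE_IP, "SA") for i in range(80)]
)


def peak_window_count(times, window):
    """Largest number of timestamps that fall inside any interval of `window` seconds."""
    times = sorted(times)
    best = 0
    left = 0
    for right, t in enumerate(times):
        # Advance the left edge until the window [times[left], t] fits.
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_idle_scan_symptoms(packets, zombie_ip, window=10.0,
                              rst_threshold=50, synack_threshold=20):
    """Return alerts for peers that flood `zombie_ip` with RSTs or unsolicited SYN/ACKs.

    Thresholds and window are assumed tuning values; a real deployment would
    derive them from a baseline of the host's normal traffic.
    """
    rst_times = defaultdict(list)      # peer -> timestamps of inbound RSTs
    synack_times = defaultdict(list)   # peer -> timestamps of unsolicited inbound SYN/ACKs
    outbound_syn_peers = set()         # peers the zombie itself tried to connect to

    for ts, src, dst, flags in sorted(packets):
        if src == zombie_ip and "S" in flags and "A" not in flags:
            outbound_syn_peers.add(dst)
        elif dst == zombie_ip:
            if "R" in flags:
                rst_times[src].append(ts)
            elif flags == "SA" and src not in outbound_syn_peers:
                # A SYN/ACK we never asked for: IPID probing or a scan target's reply.
                synack_times[src].append(ts)

    alerts = []
    for peer, times in rst_times.items():
        peak = peak_window_count(times, window)
        if peak >= rst_threshold:
            alerts.append({"type": "rst_burst", "peer": peer, "count": peak})
    for peer, times in synack_times.items():
        peak = peak_window_count(times, window)
        if peak >= synack_threshold:
            alerts.append({"type": "unsolicited_synack", "peer": peer, "count": peak})
    return sorted(alerts, key=lambda a: (a["type"], a["peer"]))


if __name__ == "__main__":
    for alert in detect_idle_scan_symptoms(SAMPLE_PACKETS, ZOMBIE_IP):
        print(f"{alert['type']:20s} peer={alert['peer']:15s} peak={alert['count']}")
```

Both symptoms the post describes show up as separate alerts on the constructed traffic, while the zombie's own connection and the two stray RSTs stay below threshold; the per-peer split is what would let an analyst tell the scan target (RST source) from the scanner (SYN/ACK source) once the alert fires.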