Nmap Development mailing list archives

Idle scan detection thoughts (newbie)


From: Christos Gioran <himicos () freemail gr>
Date: Sun, 17 Aug 2003 12:16:51 -0700

[ Redirected from nmap-hackers to nmap-dev --Fyodor ]

Hi list,
    I was wondering how an idle scan can be intercepted. Based on what I have
read, the zombie receives a lot of packets from a host that it has no connection
to. Most of them are RST packets, since a host has no more than, say, 50
ports (correct?) open out of 2^16. If the attacker does a generic port scan
and does not target for instance 20 well known ports, then the zombie host
will be flooded with RST packets from the target. But that could be detected
by an IDS, since it does not fall within the limits of normal traffic. I
doubt whether a host receives thousands of RST packets in a relatively short
time on a daily basis. Even so, it is certain that it must be combined with a
flood of SYN/ACK from the offending host, which can also be detected. My point
(or question, if you like) is that an idle scan can be easily detected at the
zombie host with an IDS. Such being the case, do any rules for snort exist?

It occurs to me that if such is the case, then using more than one zombie
host and randomizing the scans among them could ease the load on each one and
finally bypass any IDS set up as I assume it could be above. Combining that
with large timing options (-T2) and decoy scans (is it possible??) there
shouldn't be much left to detect. Is such a feature, if proven necessary,
going to be implemented in nmap?
It obviously can be done by hand, but just for that time-saving,
computer-assisted touch, it would be worth it.

Just an idea.

CG

P.S. I realise that even if I am correct, a host that is idle && has
predictable IPID sequence generation is most probably not even running an IDS
or even a firewall. But let's keep that out of the discussion, since (in my
opinion) it is beside the point.
P.S.2 Would a database of OSes (including possible SP #'s for Windows) with
predictable IPID generation be useful? I realise that -O gives such info, but
it wouldn't hurt to know in advance what to target, given several choices.
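The detection idea raised in the post (a zombie that suddenly receives an unusual number of RST segments from one host, combined with a burst of SYN/ACK segments from another host, within a short window) can be sketched as a small correlation rule. The following is an added example, not code from the post, from nmap or from any IDS; it works on a constructed one-line-per-segment record format ("timestamp src > dst flags=XX"), and the addresses, thresholds and window size are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed record format for this example (not a tcpdump or Snort format):
#   "<epoch seconds> <src> > <dst> flags=<TCP flag letters>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) > (?P<dst>\S+) flags=(?P<flags>[A-Z]+)$"
)


@dataclass(frozen=True)
class Segment:
    ts: float
    src: str
    dst: str
    flags: str  # "S", "SA", "R", "RA", ...


def parse_line(line: str) -> Segment:
    """Parse one constructed record into a Segment; reject anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return Segment(float(m["ts"]), m["src"], m["dst"], m["flags"])


def detect_idle_scan(lines, window=10.0, rst_threshold=25, synack_threshold=25):
    """Flag hosts that look like idle-scan zombies.

    For each destination and each tumbling time window, count RST segments
    per source and SYN/ACK segments per source. An alert is raised when one
    source sends at least rst_threshold RSTs (the target answering the
    spoofed SYNs) while a *different* source sends at least synack_threshold
    SYN/ACKs (the scanner probing the zombie's IPID) in the same window.
    """
    segs = sorted((parse_line(l) for l in lines), key=lambda s: s.ts)
    if not segs:
        return []
    t0 = segs[0].ts
    buckets = defaultdict(lambda: {"rst": Counter(), "synack": Counter()})
    for s in segs:
        key = (s.dst, int((s.ts - t0) // window))
        if s.flags in ("R", "RA"):
            buckets[key]["rst"][s.src] += 1
        elif s.flags == "SA":
            buckets[key]["synack"][s.src] += 1

    alerts = []
    for (dst, idx), counts in sorted(buckets.items()):
        for rst_src, n_rst in counts["rst"].items():
            if n_rst < rst_threshold:
                continue
            for sa_src, n_sa in counts["synack"].items():
                if sa_src != rst_src and n_sa >= synack_threshold:
                    alerts.append({
                        "zombie": dst,
                        "window": idx,
                        "rst_source": rst_src,
                        "rst_count": n_rst,
                        "synack_source": sa_src,
                        "synack_count": n_sa,
                    })
    return alerts


def build_sample(probes=40, zombie="10.0.0.5", target="198.51.100.9",
                 scanner="192.0.2.7", start=1061000000.0):
    """Constructed traffic as seen at the zombie: each probe round is a
    SYN/ACK from the scanner (answered by the zombie with RST), then an RST
    from the target for a closed port, then a second SYN/ACK from the scanner
    to re-read the IPID. A little unrelated traffic is mixed in."""
    lines = []
    for i in range(probes):
        t = start + i * 0.2
        lines.append(f"{t:.3f} {scanner} > {zombie} flags=SA")
        lines.append(f"{t + 0.05:.3f} {zombie} > {scanner} flags=R")
        lines.append(f"{t + 0.10:.3f} {target} > {zombie} flags=R")
        lines.append(f"{t + 0.15:.3f} {scanner} > {zombie} flags=SA")
        lines.append(f"{t + 0.18:.3f} {zombie} > {scanner} flags=R")
    lines.append(f"{start + 1.0:.3f} 10.0.0.20 > {zombie} flags=S")
    lines.append(f"{start + 1.5:.3f} 10.0.0.20 > {zombie} flags=R")
    return lines


if __name__ == "__main__":
    for alert in detect_idle_scan(build_sample()):
        print(alert)
```

With the constructed sample the rule fires once for 10.0.0.5, attributing the RSTs to 198.51.100.9 and the SYN/ACKs to 192.0.2.7; a run with only five probe rounds stays under both thresholds and produces nothing. The thresholds deliberately ignore RST-only bursts, which a busy server sees for legitimate reasons; requiring the second, distinct SYN/ACK source is what ties the observation to the idle-scan pattern the post describes, and spreading the scan across several zombies (as the post suggests) would lower both counts per host, which is exactly why the window and thresholds need tuning to the host's normal baseline.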




