Nmap Development mailing list archives
[Paper] New Idle Scan Techniques
From: Fyodor <fyodor () insecure org>
Date: Wed, 20 Apr 2011 15:12:58 -0700
David just sent me a link to a research paper which discloses a couple novel port scanning techniques which are related to the Nmap idle scan (-sI) in that they are side channel attacks which don't require sending packets to the target from your real IP address. One of the techniques is based on TCP RST rate limiting and the other uses SYN cache behavior. Here is the paper:

http://www.usenix.org/events/sec10/tech/full_papers/Ensafi.pdf

The techniques aren't nearly as efficient as Idle scan in terms of the number of packets and time to detect port state, but they could potentially be valuable in cases where Idle scan (and other techniques) won't work. A nice aspect of their SYN cache attack is that the attacker doesn't need to send any packets to the true target--not even the forged packets you send in a standard idle scan.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- [Paper] New Idle Scan Techniques Fyodor (Apr 20)
- Re: [Paper] New Idle Scan Techniques Henri Doreau (Apr 25)