Nmap Development mailing list archives

[Paper] New Idle Scan Techniques


From: Fyodor <fyodor () insecure org>
Date: Wed, 20 Apr 2011 15:12:58 -0700

David just sent me a link to a research paper which discloses a couple
novel port scanning techniques which are related to the Nmap idle scan
(-sI) in that they are side channel attacks which don't require
sending packets to the target from your real IP address.  One of the
techniques is based on TCP RST rate limiting and the other uses SYN
cache behavior.  Here is the paper:

http://www.usenix.org/events/sec10/tech/full_papers/Ensafi.pdf

The techniques aren't nearly as efficient as Idle scan in terms of the
number of packets and time to detect port state, but they could
potentially be valuable in cases where Idle scan (and other
techniques) won't work.  A nice aspect of their SYN cache attack is
that the attacker doesn't need to send any packets to the true
target--not even the forged packets you send in a standard idle scan.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
