Idle Scanning and Related IPID Games

Spanish Translation by ThiOsk (os_k&at&softhome.net)
Portuguese (Brazil) translation by Christian S. Perone

Almost four years ago, security researcher Antirez posted an innovative new TCP port scanning technique. Idlescan, as it has become known, allows for completely blind port scanning. Attackers can actually scan a target without sending a single packet to the target from their own IP address! Instead, a clever side-channel attack allows for the scan to be bounced off a dumb "zombie" host. Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker. Besides being extraordinarily stealthy, this scan type permits mapping out IP-based trust relationships between machines.

I assumed that a problem of this magnitude would generate an immediate response and patches from the OS vendors. Unfortunately, many have chosen to ignore the problem for years. Apparently, they believe this is just a "theoretical" issue which is not practical to exploit in the real world. To refute that position, and to increase the pressure on vendors to fix the problem, I have released a robust Idlescan implementation in recent versions of Nmap. This paper describes the technique in detail and offers defenses that network administrators, ISPs, and OS vendors can use to mitigate the vulnerability.

Note that Idle scanning is only one of the security risks posed by predictable IPID sequence numbers. This paper describes several other information gathering attacks made possible by this characteristic.

Technique

While Idle scanning is rather sophisticated as far as port scanning methods go, one does not have to be a TCP/IP expert to understand it. You only need to understand a few basic facts:

  • One way to determine whether a TCP port is open is to send a SYN (session establishment) packet to it. The target replies with a SYN|ACK (session establishment acknowledgment) if the port is open, and with a RST (reset) if it is closed.

  • A machine that receives an unsolicited SYN|ACK responds with a RST. An unsolicited RST is simply ignored.

  • Every IP packet carries a fragment identification number (IPID). Many operating systems simply increment this number for each packet they send, so probing a host for its current IPID tells you how many packets it has sent since your previous probe.

By combining these traits, it is possible to scan a target network while forging your identity so that it looks like an innocent "zombie" machine did the scanning. This technique is easiest to describe via a diagram. In the picture below, an attacker, A, is scanning a Target machine while blaming the scan on some Zombie, Z. The boxes represent machines, and the lines represent packets. Brief English descriptions of the packets are printed on top of the lines, while the actual TCP flags and distinctive packet information are printed below them:

[Idlescan technique diagram: attacker A, Zombie Z, and the Target, with the probe, spoofed SYN, and reply packets between them]

As demonstrated by the diagram above, the target host responds differently to the Zombie depending on port state. If the probed port is open, the target sends a SYN|ACK to the Zombie. The Zombie does not expect this SYN|ACK, so it sends a RST back. By sending the RST, the Zombie causes its IPID sequence number to increment. The real attacker detects this in step 3. If the port is closed, the target sends a RST to the Zombie. Zombies ignore this unsolicited RST packet and do not increment their IPID sequence number.

Idlescan Advantages

The Idlescan technique offers attackers many advantages over other popular scan types such as SYN and FIN scans. This is why we recommend important defenses to help protect your network against this attack. Here are some of the reasons attackers (or legitimate penetration testers) might utilize this scan method:

  • Ultimate stealth scan -- There are many techniques people can use to shield their identity when scanning. Examples include using decoys (nmap -D) or half-open scanning (nmap -sS). But even these techniques require an attacker to send some packets to the target from her real IP address. Idlescan, on the other hand, is completely blind -- no packets are sent to the target from the true source address.

    One upshot of this is that intrusion detection systems (IDS) will generally light up and send alerts claiming that the zombie machine has launched a scan against them!

  • Defeating packet filtering firewalls/routers -- IP source address filtering is a common security mechanism for limiting machines that may connect to a sensitive host. For example, a company database server might only allow connections from the public web server which accesses it. A home user might only allow ssh (interactive login) connections from his work machines.

    A more disturbing scenario occurs when some company bigwig demands that network administrators open a firewall hole so he can access internal network resources from his home IP address. This can happen when executives are unwilling or unable to use secure VPN alternatives.

    Idle scanning can frequently be used to map out these trust relationships. The key factor is that Idlescan results list open ports from the zombie host's perspective. So a normal scan against the aforementioned database server might show no ports open. But performing an Idlescan while using the web server IP as the zombie could expose the trust relationship by showing the database-related service ports open.

    Mapping out these trust relationships can be very useful to attackers for prioritizing targets. The web server discussed above may seem mundane to an attacker until she notices its special database access.

Nmap Usage Examples

The first step is to find an appropriate zombie host. The host should not have much traffic (hence the name Idle Scan) and should offer predictable IPID values. Printers, Windows boxes, older Linux hosts, FreeBSD, and Mac OS boxes generally work fine. The latest versions of Linux, Solaris, and OpenBSD are immune as zombies, but any host can be a target of the scan. One way to determine host vulnerability is to simply try an Nmap Idle scan. Nmap will test the zombie and report whether it is reliable.

Performing these scans is quite easy. Simply provide a zombie hostname to the -sI option and Nmap does the rest. Here is a quick example:

# nmap -P0 -p- -sI kiosk.adobe.com www.riaa.com

Starting nmap V. 3.10ALPHA3 ( insecure.org/nmap/ )
Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental
Interesting ports on 208.225.90.120:
(The 65522 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
111/tcp    open        sunrpc
135/tcp    open        loc-srv
443/tcp    open        https
1027/tcp   open        IIS
1030/tcp   open        iad1
2306/tcp   open        unknown
5631/tcp   open        pcanywheredata
7937/tcp   open        unknown
7938/tcp   open        unknown
36890/tcp  open        unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 2594.472 seconds

From the scan above, we learn that the RIAA is not very security conscious (note the open PC Anywhere, portmapper, and Legato nsrexec ports). Since they apparently have no firewall, it is unlikely that they have an IDS. But if they do, it will show 'kiosk.adobe.com' as the scan culprit. The -P0 option (spelled -Pn in current Nmap releases) prevents Nmap from sending an initial ping to the RIAA machine. This slows the scan down (less timing info available), but ensures that no packets are sent to the target from your real IP. The scan took a long time because all 65535 TCP ports were scanned; skip the "-p-" option if you only want the well-known ports plus 1-1024. Be sure to find your own zombies: kiosk is not very reliable and is likely to disappear or be closely monitored.
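To make concrete what "Class: Incremental" in the output above means, and why the zombie must be classified before its IPID can be trusted, here is a small added example written for this page (it is not Nmap's code). It sorts a series of IPID samples into classes modelled on the ones Nmap prints, and, for a usable class, turns two successive IPIDs into the number an idle scan actually counts: how many packets the zombie sent in between. The sample sequences are constructed, and the step threshold is an assumption rather than Nmap's real heuristic.

```python
# Added example for this page (not Nmap's source): classify an IPID sequence
# before trusting a host as a zombie, then do the IPID arithmetic an idle scan
# relies on. Sample sequences are constructed; the max_step threshold is an
# assumption, not Nmap's actual heuristic.
from typing import List

IPID_MOD = 1 << 16  # the IP identification field is 16 bits, so it wraps


def ipid_diffs(ids: List[int]) -> List[int]:
    """Successive differences modulo 2^16, so 65535 -> 0 counts as +1."""
    return [(b - a) % IPID_MOD for a, b in zip(ids, ids[1:])]


def byteswap16(v: int) -> int:
    """Swap the two bytes of a 16-bit value (0x0100 -> 0x0001)."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def classify_ipid(ids: List[int], max_step: int = 10) -> str:
    """Return a class name modelled on the ones Nmap prints for a zombie.

    'incremental' and 'broken little-endian incremental' are usable zombies;
    'all zeros' and 'randomized' carry no information about packets sent.
    """
    if len(ids) < 3:
        return "insufficient samples"
    if all(v == 0 for v in ids):
        return "all zeros"
    if all(1 <= d <= max_step for d in ipid_diffs(ids)):
        return "incremental"
    # Some stacks (historically Windows) store the counter byte-swapped, so the
    # increments show up in the high byte: 0x0100, 0x0200, ... Swap and retest.
    if all(1 <= d <= max_step for d in ipid_diffs([byteswap16(v) for v in ids])):
        return "broken little-endian incremental"
    return "randomized"


def usable_zombie(ids: List[int]) -> bool:
    return classify_ipid(ids) in ("incremental", "broken little-endian incremental")


def other_packets_sent(before: int, after: int, cls: str) -> int:
    """Packets the zombie sent between two of our probes, excluding its reply to
    the second probe. In an idle scan this is the number of RSTs the zombie sent
    to the target, i.e. the number of open ports among those just probed."""
    if cls == "broken little-endian incremental":
        before, after = byteswap16(before), byteswap16(after)
    elif cls != "incremental":
        raise ValueError("IPID class %r cannot be used for counting" % cls)
    return (after - before) % IPID_MOD - 1


if __name__ == "__main__":
    samples = {  # constructed sample sequences
        "idle printer": [31337, 31338, 31339, 31340, 31341],
        "wrapping counter": [65533, 65534, 65535, 0, 1],
        "byte-swapped": [0x0100, 0x0200, 0x0300, 0x0400],
        "zero ipid": [0, 0, 0, 0],
        "randomized": [4821, 61009, 1203, 39944],
    }
    for name, ids in samples.items():
        print(f"{name:17s} {classify_ipid(ids):34s} usable={usable_zombie(ids)}")
    # One closed-port round and one open-port round against the incremental host
    print(other_packets_sent(31337, 31338, "incremental"))  # 0: nothing in between
    print(other_packets_sent(31337, 31339, "incremental"))  # 1: one RST, one open port
```

The wrap-around and byte-swap cases are the ones a naive implementation gets wrong: a counter passing 65535 looks like a huge negative jump unless the difference is taken modulo 2^16, and a byte-swapped counter looks randomized unless it is swapped back before the increments are checked.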

Defenses

Fortunately, there are several defenses which can be deployed to prevent most IPID-related attacks:

Network Administrators: Do not rely on the IP source address alone to authenticate access to sensitive hosts; the trust-mapping scenario above shows how such relationships can be discovered from the outside. Filter outbound packets at your border so that forged source addresses cannot leave your network, which keeps your own hosts from being used as the launch point for spoofed scans.

Internet Service Providers (ISPs): Deploy egress filtering so that customers cannot send packets with source addresses that do not belong to them. As the Challenges section below notes, this filtering is the main practical obstacle to spoofing the zombie's address.

OS Vendors: Do not use a single, predictable, globally incrementing IPID counter. The recent Linux, Solaris, and OpenBSD releases mentioned above are immune as zombies for exactly this reason.

Idlescan Challenges

I was going to discuss implementation challenges of writing fast, accurate Idle scanners. But very few of you are doing that, and those who are can read the source code to Nmap and other scanners. So I will only outline a few important points. This section also includes some challenges encountered by tool users.

  • Performance -- Scanning one port at a time (as in the diagram above) would be horrendously slow for thousands of ports. Nmap gets around this by sending up to 100 probes in parallel. Normally, all ports will be closed and the Zombie IPID will not increment. If Nmap finds that the IPID did increment, it will narrow down on the open port(s) using a binary search approach.
  • Non-idle hosts -- Idle scanning works by counting the number of packets sent by a zombie and assuming those packets are responses to packets originated by your target. Thus, extraneous packets sent by a non-idle zombie cause significant confusion. Nmap tries to counter this problem with probe retransmission and other techniques to detect false results. For example, Nmap knows something is wrong if it probes 6 ports and the IPID increases by 10 or 20. Nmap adjusts its timing and parallelism to compensate for slightly active hosts or dropped packets when they are detected. However, Nmap will not be reliable with any heavily active zombies. One technique in dealing with highly active zombies is to send a large number (dozens or hundreds) of probes to each port. This "brute force" technique can hide a small amount of "white noise" traffic. Unfortunately, the cost is significant bandwidth, slow scans, and the possibility of SYN flooding your target. Thomas Olofsson demonstrated a tool for doing this at his 2001 Black Hat Briefings presentation. His (Powerpoint) presentation slides are available here
  • Egress filtering -- If you cannot spoof packets due to egress filtering by your ISP, try a new ISP or (for advanced users) IP tunneling. You can also try bouncing off another machine on your same network (less likely to be filtered).
  • Unsuitable zombies -- Some hosts will not work as zombies due to a clever operating system or substantial traffic. In most cases you can simply use a different zombie.
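
The following added example (written for this page; it is not Nmap's implementation) simulates the whole technique from the diagram in the Technique section together with the two implementation points above: ports are probed in parallel groups and the open ones are narrowed down with a binary search, a zombie whose IPID jumps by more than the number of probes is rejected as non-idle, and a zombie is checked for suitability before the scan starts. The Zombie and Target classes are in-memory stand-ins, and the port numbers and IPID values are constructed; nothing here sends packets.

```python
# Added example for this page (not Nmap's implementation): an in-memory
# simulation of the idle scan, probing ports in groups, narrowing open ports
# with a binary search, and refusing a zombie that is not actually idle.
# The Zombie and Target classes are stand-ins; no packets are sent.
from typing import Iterable, List, Set

IPID_MOD = 1 << 16


class Zombie:
    """Host with one global, incrementing IPID counter.

    `background` is the number of unrelated packets it sends between two of our
    probes: 0 for a truly idle host, more for a busy one."""

    def __init__(self, ipid: int = 1000, background: int = 0) -> None:
        self.ipid = ipid
        self.background = background
        self.probes = 0  # how many times the attacker has probed us

    def _send(self) -> int:
        self.ipid = (self.ipid + 1) % IPID_MOD
        return self.ipid

    def probe(self) -> int:
        """Attacker sends an unsolicited SYN|ACK; the RST reply carries the IPID."""
        for _ in range(self.background):
            self._send()
        self.probes += 1
        return self._send()

    def receive_from_target(self, flags: str) -> None:
        if flags == "SYN|ACK":
            self._send()  # unexpected SYN|ACK: answer RST, IPID increments
        # an unsolicited RST is dropped silently: no packet, no IPID change


class Target:
    def __init__(self, open_ports: Iterable[int]) -> None:
        self.open_ports = set(open_ports)

    def spoofed_syn(self, zombie: Zombie, port: int) -> None:
        """SYN forged with the zombie's source address, so the reply goes to the zombie."""
        zombie.receive_from_target("SYN|ACK" if port in self.open_ports else "RST")


class NoisyZombie(Exception):
    pass


def check_zombie(zombie: Zombie, rounds: int = 3) -> bool:
    """Suitability test before scanning: with nothing else in flight,
    consecutive probes must come back exactly one IPID apart."""
    last = zombie.probe()
    for _ in range(rounds):
        cur = zombie.probe()
        if (cur - last) % IPID_MOD != 1:
            return False
        last = cur
    return True


def count_open(zombie: Zombie, target: Target, ports: List[int]) -> int:
    """One round: probe, fire one spoofed SYN per port, probe again.
    The IPID delta minus one is how many RSTs the zombie sent, i.e. how many
    of `ports` answered SYN|ACK (are open)."""
    before = zombie.probe()
    for p in ports:
        target.spoofed_syn(zombie, p)
    after = zombie.probe()
    n = (after - before) % IPID_MOD - 1
    if n > len(ports):  # more packets than probes: the zombie is talking to someone else
        raise NoisyZombie(f"IPID rose by {n + 1} after {len(ports)} probes")
    return n


def _narrow(zombie: Zombie, target: Target, ports: List[int]) -> Set[int]:
    n = count_open(zombie, target, ports)
    if n == 0:
        return set()
    if n == len(ports):
        return set(ports)
    mid = len(ports) // 2  # binary search: split and re-probe each half
    return _narrow(zombie, target, ports[:mid]) | _narrow(zombie, target, ports[mid:])


def idle_scan(zombie: Zombie, target: Target, ports: List[int], group: int = 100) -> Set[int]:
    """Scan `ports` in groups of `group`; a group whose IPID delta is 1 is all closed."""
    found: Set[int] = set()
    for i in range(0, len(ports), group):
        found |= _narrow(zombie, target, ports[i:i + group])
    return found


if __name__ == "__main__":
    z, t = Zombie(), Target([22, 80, 443])
    print("zombie usable:", check_zombie(z))
    print("open:", sorted(idle_scan(z, t, list(range(1, 1025)))))
    print("rounds used:", z.probes // 2, "for 1024 ports")
    print("busy zombie usable:", check_zombie(Zombie(background=3)))
```

With an idle zombie, 1024 ports cost a few dozen probe rounds instead of 1024, because every all-closed group is dismissed with a single IPID delta of 1. A zombie with `background=1` is the hard case the text describes: it passes `count_open` unnoticed and turns a closed group into a false open port, and `check_zombie` only catches it if the stray packet happens to fall inside the test window. That is why a real implementation retransmits and cross-checks rather than trusting one round.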
More fun with IPID prediction

While this paper focuses on utilizing predictable IPID sequences for port scanning, there are many other devious ways to exploit this information. Here is a brief list:

Related Links
  • Nmap, which now includes Idlescan, is available at http://nmap.org/
  • The basic IPID scan technique was invented by Antirez (Salvatore Sanfilippo). His home page is at http://www.kyuzz.org/antirez/
  • Antirez also developed the excellent Hping tool, which is tremendously useful for low-level IPID testing.
  • LiquidK posted a proof-of-concept IPID scanner and coined the name "idlescan" in 1999. The URLs in that posting no longer work, but the source is now available here
  • Thomas Olofsson wrote and demonstrated an IPID scanning tool at the 2001 Black Hat Briefings. His (Powerpoint) presentation slides are available here and give a good overview of the basic technique. As mentioned earlier in this paper, his tool may be preferable to Nmap in cases where the "Idle zombie host" is not really Idle. Unfortunately, I do not have a working URL for his tool.