
A simple and efficient method to prevent "Idle Scan" attacks

IP.com Disclosure Number: IPCOM000016521D
Original Publication Date: 2003-Jun-26
Included in the Prior Art Database: 2003-Jun-26
Document File: 3 page(s) / 81K

Publishing Venue

IBM

Abstract

Disclosed is a method to generate IP IDs such that the idle scan attacks can be easily prevented without imposing any additional overhead in IP ID generation

This is the abbreviated version, containing approximately 55% of the total text.

Page 1 of 3


Port scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a LAN or to the Internet run many services that listen on well-known and not-so-well-known ports. By port scanning, the attacker finds which ports are available, i.e. listened on by a service. Essentially a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is in use and can therefore be probed further for weakness.

The latest of the numerous port scanning methods is called Idle Scan. In the Idle Scan technique, it is possible to scan a target network while forging your identity so that it looks like an innocent "zombie" machine did the scanning. This technique is most easily described via a diagram. The pictures on the next page illustrate how an Attacker A can scan a Target machine T while blaming the scan on some Zombie Z and go undetected. This is especially useful where the target machine is inside a firewall and inaccessible while the zombie is publicly accessible (serving as a proxy, for example).

1: Probe for a current identification number from a zombie machine

[Figure, Step 1: A sends an IP ID probe (SYN packet / ICMP ECHO) to Z; Z answers A with RST / ICMP REPLY carrying IP ID=31990.]

2: Send a packet to the Target machine forged to appear as coming from the Zombie. The resulting behavior depends on whether the port is open or closed, as shown below.


[Figure, Step 2. Case 1, probe to Target OPEN port 80: A sends SYN to port 80 of T with faked source IP Z; T answers Z with SYN/ACK; Z replies to T with RST carrying IP ID=31991. Case 2, probe to Target CLOSED port 25: A sends SYN to port 25 of T with faked source IP Z; T answers Z with RST; Z discards it and sends nothing.]

Step 3: Probe the Target again to get the new IP ID

[Figure, Step 3: A sends Z another IP ID probe (SYN / ICMP ECHO). Case 1 (open port): Z answers RST / ICMP REPLY with IP ID=31992. Case 2 (closed port): Z answers RST / ICMP REPLY with IP ID=31991.]

From Step 3 above, based on the IP ID of the packet (RST or ICMP reply) received from the Zombie, the attacker can figure out whether the port on the target was OPEN or CLOSED. If the IP ID has increased by exactly 2 since the last IP ID the attacker saw, it interprets this as the port being OPEN. If the IP ID is 1 more than the last IP ID, then the port was closed, since the zombie did not send a RST to the target machine (the zombie received a RST from the target host, which it simply discarded).
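The IP ID delta rule above, and the reason the random-ID mitigation discussed next defeats it, can be checked against a small model of the zombie's IP ID counter. This is an added Python example, not code from the disclosure; the policy names, the seeded generators and the starting ID (taken from the diagram) are constructed for illustration.

```python
import random
from dataclasses import dataclass, field

# Constructed starting IP ID, matching the diagram's first probe reply.
START_ID = 31990


@dataclass
class Zombie:
    """Model of the idle host. policy is "global_counter" (one counter shared by
    every destination, the behaviour idle scan relies on) or "random" (the
    common mitigation named in the text)."""
    policy: str
    next_id: int = START_ID
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def emit(self) -> int:
        """IP ID stamped on the next datagram this host sends."""
        if self.policy == "global_counter":
            ip_id = self.next_id
            self.next_id = (self.next_id + 1) & 0xFFFF
            return ip_id
        if self.policy == "random":
            return self.rng.randrange(0x10000)
        raise ValueError(f"unknown policy {self.policy!r}")

    def handle_target_reply(self, port_open: bool) -> None:
        """Step 2 as seen by the zombie: a SYN/ACK (open port) provokes a RST,
        which consumes one IP ID; a RST (closed port) is silently discarded."""
        if port_open:
            self.emit()


def infer_port_state(zombie: Zombie, port_open: bool) -> str:
    """Run the three steps from the page against the model and apply the
    delta rule: +2 means OPEN, +1 means CLOSED, anything else is noise."""
    before = zombie.emit()                  # step 1: RST / ICMP reply to probe
    zombie.handle_target_reply(port_open)   # step 2: spoofed SYN reaches T
    after = zombie.emit()                   # step 3: second probe reply
    delta = (after - before) & 0xFFFF
    return {2: "OPEN", 1: "CLOSED"}.get(delta, "UNKNOWN")


def leak_rate(policy: str, trials: int = 200) -> float:
    """Fraction of trials in which the delta rule recovers the true port
    state from a fresh zombie that uses the given IP ID policy."""
    rng = random.Random(1)
    correct = 0
    for i in range(trials):
        truth = rng.choice([True, False])
        z = Zombie(policy, rng=random.Random(i))
        if infer_port_state(z, truth) == ("OPEN" if truth else "CLOSED"):
            correct += 1
    return correct / trials
```

With the shared counter the port state is recovered every time, reproducing the 31990 / 31991 / 31992 values in the diagram; with random IDs the delta carries no information, which is the property any replacement scheme must keep.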

To protect against this IPID-related attack the most common solution has been to generate a random IP ID. But using a random IP ID poses the following problems:


1. A random ID generator can impose a performance overhead, since this operation will have to be performed on every outgoing IP datagram.
2. Even if this p...