Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[Paper] New Idle Scan Techniques
From: Fyodor <fyodor () insecure org>
Date: Wed, 20 Apr 2011 15:12:58 -0700

David just sent me a link to a research paper which discloses a couple
novel port scanning techinques which are related to the Nmap idle scan
(-sI) in that they are side channel attacks which don't require
sending packets to the target from your real IP address.  One of the
techniques is based on TCP RST rate limiting and the other uses SYN
cache behavior.  Here is the paper:

http://www.usenix.org/events/sec10/tech/full_papers/Ensafi.pdf

The techniques aren't nearly as efficient as Idle scan in terms of the
numbe of packets and time to detect port state, but they could
potentially be valuable in cases where Idle scan (and other
techniques) won't work.  A nice aspect of their SYN cache attack is
that the attacker doesn't need to send any packets to the true
target--not even the forged packets you send in a standard idle scan.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]