What Is an Idle Scan?

An idle scan, also known as a zombie scan, is used by hackers to scan transmission control protocol (TCP) ports in an attempt to map the victim’s system and find out its vulnerabilities. This attack is one of the more sophisticated hacker techniques, because the hacker is not identified through his or her real computer but through a controlled zombie computer that masks the hacker’s digital location. Most administrators just block the Internet protocol (IP) address of the hacker but, since this address belongs to the zombie computer and not the hacker’s real computer, this does not resolve the issue. After performing the idle scan, the scan will show a port is either open, closed or blocked, and the hacker will know where to start an attack.

An idle scan attack begins with the hacker taking control of a zombie computer. A zombie computer may belong to a regular user, and that user may have no idea that his or her computer is being used for malicious attacks. The hacker is not using his or her own computer to do the scan, so the victim will only be able block the zombie, not the hacker.

After taking control of a zombie, the hacker will sneak into the victim’s system and scan all the TCP ports. These ports are used to accept connections from other machines and are needed to perform basic computer functions. When the hacker performs an idle scan, the port will return as one of three categories. Open ports accept connections, closed ports are those that are denying connections, and blocked ports give no reply.

Open ports are the ones hackers look for, but closed ports also can be used for some attacks. With an open port, there are vulnerabilities with the program associated with the port. Closed ports and open ports show vulnerability with the operating system (OS). The idle scan itself rarely initiates the attack; it just shows the hacker where he or she can start an attack.

For an administrator to defend his or her server or website, the administrator has to work with firewalls and ingress filters. The administrator should check to make sure the firewall does not produce predictable IP sequences, which will make it easier for the hacker to perform the idle scan. Ingress filters should be set to deny all outside packets, especially those that have the same address as the system’s internal network.