An idle scan, or zombie scan, is a sophisticated hacking technique where a hacker uses a controlled zombie computer to scan TCP ports and find vulnerabilities in a victim’s system. The hacker can then initiate an attack. Admins can defend against this by using firewalls and ingress filters.
An idle scan, also known as a zombie scan, is used by hackers to scan Transmission Control Protocol (TCP) ports in an attempt to map the victim’s system and discover vulnerabilities. This attack is one of the most sophisticated hacking techniques, because the hacker is not identified through his actual computer but through a controlled zombie computer that masks the hacker’s digital location. Most administrators just block the hacker’s Internet Protocol (IP) address, but since this address belongs to the zombie computer and not the hacker’s real computer, this doesn’t solve the problem. After running the idle scan, the scan will show that a port is open, closed, or locked, and the hacker will know where to initiate an attack.
An idle scan attack begins with the hacker taking control of a zombie computer. A zombie computer may belong to an ordinary user, and that user may have no idea that their computer is being used for malicious attacks. The hacker isn’t using their own computer to scan, so the victim will only be able to block the zombie, not the hacker.
After taking control of a zombie, the hacker hacks into the victim’s system and scans all TCP ports. These ports are used to accept connections from other machines and are required to perform basic computer functions. When the hacker performs an idle scan, the port will return as one of three categories. Open ports accept connections, closed ports deny connections, and blocked ports are unresponsive.
Open ports are what hackers look for, but even closed ports can be used for some attacks. With an open port, there are vulnerabilities with the program associated with the port. Closed ports and open ports show vulnerabilities with the operating system (OS). The idle scan itself rarely initiates the attack; it just shows the hacker where an attack can start.
For an admin to be able to defend their server or website, the admin needs to work with firewalls and ingress filters. The administrator should verify that the firewall does not produce predictable IP sequences, which will make it easier for the hacker to scan idle. Ingress filters should be set to deny all external packets, especially those that have the same address as the system’s internal network.
Protect your devices with Threat Protection by NordVPN