Which statement about idle (s0) scan is true?

Study for the Nmap/ZenMap Switches Test. Prepare with flashcards and multiple-choice questions; each question provides hints and explanations. Get ready for your exam!

Multiple Choice

Which statement about idle (s0) scan is true?

Explanation:
Idle (s0) scanning uses a zombie host to carry out the probe traffic to the target, rather than sending probes directly from the scanner. The attacker leverages a zombie with a predictable IPID sequence and a covert side channel: by forcing the zombie to provoke responses from the target and by observing how the zombie’s IPID values change, the scanner can infer whether a port on the target is open, closed, or filtered. In short, the probes travel through the zombie, not directly from the scanner, which is why this option is the correct description. DNS resolution of the zombie isn’t required for the technique, and the method specifically relies on IPID behavior, so it doesn’t bypass IPID correlation.

