Which statement best describes idle scans in Nmap?

Study for the Nmap/ZenMap Switches Test. Prepare with flashcards and multiple choice questions; each question provides hints and explanations. Get ready for your exam!

Multiple Choice

Which statement best describes idle scans in Nmap?

Explanation:
Idle scans rely on a zombie host and IPID timing to infer the target’s port state, offering a covert probing method rather than probing directly from the scanner. The zombie is used to generate traffic toward the target, with the scan using IP spoofing so the target’s responses appear to come from the zombie. By watching how the zombie’s IPID (the identification value in IP headers) changes between probes, Nmap can deduce whether the target port is open or closed based on the observed timing patterns. This approach is appealing for stealth, since the true source appears to be the zombie, but it is often less reliable because it hinges on the zombie’s IPID behavior being predictable. Some operating systems randomize IPID or behave inconsistently under load, and network factors like NAT, firewalls, packet loss, or traffic elsewhere on the path can disrupt the timing measurements, leading to unclear results or failures to detect port states accurately.

