Which statement best describes Idle scan (-sI) and its prerequisites/risks?

• A. Idle scan probes ports directly from the tester's machine without any side-channels and has no legal risk.
• B. Idle scan uses a zombie host’s IPID side-channel to infer open ports; requires a predictable idle zombie and trustworthy environment; it is complex, potentially intrusive, and may violate laws or policy.
• C. Idle scan uses DNS timing analysis to infer port states and is universally legal.
• D. Idle scan is a passive scan that only reads banners from open ports.

Answer: (B)

Idle scan relies on a zombie host’s IPID side-channel to infer port states on a target. The attacker spoofs traffic so the target’s responses appear to come from the zombie, and by watching how the zombie’s IPID changes, the tester can deduce which ports are open. This needs a zombie with a predictable IPID sequence and a network path that allows IP spoofing, plus a trustworthy environment because the technique can be stealthy and potentially violate laws or policy. It’s more complex and potentially intrusive than ordinary scans, and in many setups it’s not legal or permissible. In short, idle scan uses a zombie’s IPID behavior as a timing side-channel to reveal open ports, rather than direct probing from the tester or using other methods like DNS timing or banner reading.