What this means exactly is that someone is using one machine's ip addy ( the Idle machine ) to scan the target computer for open services.
This is needed because while he is spoofing his address as the Idle's machine address and sending syn packets to his target he will be sending syn packets as well to idle machine to monitor it's IP Id numbers. It is through the monitoring of said numbers that he will know if the target machine has open services or not.
When a machine is idle, and you send syn packets to it, the IP Id numbers will normally go up in a predictable sequence. If the sequence varies it is because the host is now active (no Idle).
By this I mean that the target machine will send to Idle computer a syn/ack. Idle machine will respond with an ack packet. This communication between the two will cause the IP Id numbers
to change from it's predictable sequence. Thus indicating to attacker/scanner that the spoofed (Idle) machine has found an open port. All this is done without exposing himself to the target machine.
If you have a machine which is running no services, and is firewalled this will not work. If you have services running but not used a lot then this may or may not work.
Don't be a Idle machine for use by the Black Hat's.
"The distance between genius and insanity is measured only by success." --
Re: Idle Machines and Spoofed Scan's
14 years 2 months ago #5338