
I have a VPS that I was scanning to make sure everything is in check. A regular SYN scan reports that ports 25 and 80 are open (which they should be). When I run an idle scan however, I get back that all 1000 ports scanned are closed|filtered. I have tried the SYN scan and the idle scan on a few other servers and also have tried different zombies when doing an idle scan.

On another server I was testing this against, it had about 9 ports open but, again, the idle scan showed that all 1000 ports were closed|filtered.

Any ideas on why this is happening? I've read over the documentation about the idle scan and understand that it cannot determine the difference between a closed and filtered port due to the way it works, but since these servers have ports open I don't understand why the idle scan is picking them up as either closed or filtered.

Aaron
  • Why are you trying to run an idle scan? (Note: it's not actually idle, just obfuscated.) – 84104 Sep 08 '11 at 17:23

1 Answer


The nmap Idle Scan is a very fragile creature. From the Idle Scan information:

The first step in executing an IP ID idle scan is to find an appropriate zombie. It needs to assign IP ID packets incrementally on a global (rather than per-host it communicates with) basis. It should be idle (hence the scan name), as extraneous traffic will bump up its IP ID sequence, confusing the scan logic. The lower the latency between the attacker and the zombie, and between the zombie and the target, the faster the scan will proceed.

It sounds like your zombie is not suitable: Either it's not idle enough, it uses a "random positive increment" strategy for IP IDs (which also confuses the scan logic), or it assigns IP IDs based on the host it's talking to rather than using a global counter (so your IP ID is independent of other traffic, which breaks the scan logic entirely).

voretaq7
    To add to this, review the section on the linked page titled "Finding a Working Idle Scan Zombie Host" - most modern IP stacks won't behave the way nmap is expecting them to in an idle scan. – Shane Madden Sep 08 '11 at 16:47
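To see why an unsuitable zombie yields exactly the all-ports-closed|filtered result from the question, here is an added Python simulation of the IP ID bookkeeping behind a single idle-scan probe. It is not nmap's code and not from this thread; the `Zombie` model, its three allocation strategies and the constant values are constructed assumptions for illustration.

```python
import random

IPID_MOD = 65536

class Zombie:
    """Constructed model of how a zombie host hands out IP IDs.
    strategy: "global" (one shared +1 counter, what idle scan needs),
              "per_host" (a separate counter per peer), or
              "random" (random positive increments)."""
    def __init__(self, strategy, background=0, seed=1):
        self.strategy = strategy
        self.background = background   # unrelated packets the zombie sends between probes
        self.counter = 1000            # shared counter for global / random
        self.per_peer = {}             # one counter per peer for per_host
        self.rng = random.Random(seed)

    def send(self, peer):
        """Zombie emits one packet to peer and returns the IP ID it carried."""
        if self.strategy == "per_host":
            self.per_peer[peer] = (self.per_peer.get(peer, 1000) + 1) % IPID_MOD
            return self.per_peer[peer]
        step = 1 if self.strategy == "global" else self.rng.randint(3, 5000)
        self.counter = (self.counter + step) % IPID_MOD
        return self.counter

def infer(ipid_before, ipid_after):
    """Core idle-scan rule: zombie IP ID advanced by 1 => closed|filtered, by 2 => open."""
    delta = (ipid_after - ipid_before) % IPID_MOD
    return {1: "closed|filtered", 2: "open"}.get(delta, "unknown (noisy zombie)")

def idle_probe(zombie, port_open):
    """One probe of a target port, tracking every packet the zombie emits."""
    before = zombie.send("scanner")          # scanner probes zombie, zombie answers
    for _ in range(zombie.background):       # the zombie's own unrelated traffic
        zombie.send("someone-else")
    if port_open:                             # open port: target SYN/ACKs the zombie,
        zombie.send("target")                 # and the zombie replies with a RST
    # closed port: target sends RST, zombie silently drops it, no packet emitted
    after = zombie.send("scanner")           # scanner probes zombie again
    return infer(before, after)

if __name__ == "__main__":
    for name, z in [("global", Zombie("global")), ("per_host", Zombie("per_host")),
                    ("random", Zombie("random")), ("busy", Zombie("global", background=3))]:
        print(f"{name:9} open port -> {idle_probe(z, True):24} closed port -> {idle_probe(z, False)}")
```

With a per-host counter the scanner's own peer counter always advances by exactly 1 between its two probes, whatever the target does, so every port reads closed|filtered, which is the symptom in the question.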