How it works...

Idle scan works on the basis of a predictable IPID or an IP fragmentation ID of the zombie host. First, the IPID of the zombie host is checked and then a connection request is spoofed from that host to the target host. If the port is open, an acknowledgment is sent back to the zombie host which resets (RST) the connection as it has no history of opening such a connection. Next, the attacker checks the IPID on the zombie again; if it has changed by one step it implies an RST was received from the target. But if the IPID has changed by two steps it means a packet was received by the zombie host from the target host and there was an RST on the zombie host, which implies that the port is open.