312-50V10 · Question #165
If there is an Intrusion Detection System (IDS) in intranet, which port scanning technique cannot be used?
The correct answer is B. TCP SYN. TCP SYN scan creates a recognizable pattern of half-open connections that IDS systems are specifically designed to detect, rendering it ineffective when an IDS is monitoring the intranet.
Question
If there is an Intrusion Detection System (IDS) in intranet, which port scanning technique cannot be used?
Options
- ASpoof Scan
- BTCP SYN
- CTCP Connect scan
- DIdle scan
How the community answered
(38 responses)- A8% (3)
- B74% (28)
- C3% (1)
- D16% (6)
Why each option
TCP SYN scan creates a recognizable pattern of half-open connections that IDS systems are specifically designed to detect, rendering it ineffective when an IDS is monitoring the intranet.
Spoof scan uses decoy IP addresses to disguise the true source of the scan, making it difficult for an IDS to attribute activity to the real attacker and allowing it to be used even when an IDS is present.
TCP SYN scan (half-open scan) sends SYN packets but intentionally never completes the three-way handshake, generating an anomalous traffic pattern that is a primary detection signature for IDS engines. Because the intranet IDS monitors for exactly this SYN-only traffic behavior, this technique cannot be used without triggering immediate alerts and attribution back to the scanner.
TCP Connect scan completes the full three-way handshake and is logged at the OS level, but it does not trigger the same half-open connection IDS signatures as TCP SYN, so it can still be executed in an IDS environment.
Idle scan uses a third-party zombie host to relay probe packets so the IDS sees traffic originating from the zombie rather than the real attacker, making it one of the stealthiest techniques and still usable when an IDS is present.
Concept tested: IDS evasion and port scanning detection techniques
Source: https://nmap.org/book/man-bypass-firewalls-ids.html
Topics
Community Discussion
No community discussion yet for this question.