nerdexam
EC-Council

312-50V10 · Question #468

If there is an Intrusion Detection System (IDS) in intranet, which port scanning technique cannot be used?

The correct answer is C. TCP SYN. TCP SYN (half-open) scanning cannot be effectively used when an IDS is present because the incomplete handshake pattern is a well-known IDS signature trigger.

Evading IDS, Firewalls, and Honeypots

Question

If there is an Intrusion Detection System (IDS) in intranet, which port scanning technique cannot be used?

Options

  • ASpoof Scan
  • BTCP Connect scan
  • CTCP SYN
  • DIdle Scan

How the community answered

(50 responses)
  • A
    8% (4)
  • B
    2% (1)
  • C
    74% (37)
  • D
    16% (8)

Why each option

TCP SYN (half-open) scanning cannot be effectively used when an IDS is present because the incomplete handshake pattern is a well-known IDS signature trigger.

ASpoof Scan

Spoof Scan uses a forged source IP address, so the IDS may log the scan but cannot attribute it to the real attacker, allowing the technique to still be used without exposing the scanner.

BTCP Connect scan

TCP Connect scan completes the full three-way handshake and is detectable, but is not the answer the question targets - the focus is on which technique the IDS specifically breaks through half-open connection detection.

CTCP SYNCorrect

TCP SYN scanning sends SYN packets to target ports but never completes the three-way handshake, creating a flood of half-open connections that modern IDS systems are specifically tuned to detect via signatures matching this anomalous pattern. Because the IDS can identify and alert on these incomplete connection attempts in real time, the technique is rendered ineffective in an environment with active intranet IDS monitoring. Stealth techniques like Idle Scan or Spoof Scan are designed precisely to circumvent this kind of detection.

DIdle Scan

Idle Scan uses a third-party 'zombie' host to relay probes, meaning no packets from the actual attacker ever reach the target or the IDS, making it one of the stealthiest methods available.

Concept tested: IDS evasion and TCP SYN scan detectability

Source: https://nmap.org/book/man-port-scanning-techniques.html

Topics

#IDS evasion#TCP SYN scan#port scanning#scan detection

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice