ONIS: Inferring TCP/IP-based Trust Relationships Completely Off-Path

Xu Zhang, Jeffrey Knockel, Jedidiah R. Crandall

Research output: Chapter in Book/Report/Conference proceedingConference contribution

6 Scopus citations


We present ONIS, a new scanning technique that can perform network measurements such as: inferring TCP/IP-based trust relationships off-path, stealthily port scanning a target without using the scanner's IP address, detecting off-path packet drops between two international hosts. These tasks typically rely on a core technique called the idle scan, which is a special kind of port scan that appears to come from a third machine called a zombie. The scanner learns the target's status from the zombie by using its TCP/IP side channels. Unfortunately, the idle scan assumes that the zombie has IP identifiers (IPIDs) which exhibit the now-discouraged behavior of being globally incrementing. The use of this kind of IPID counter is becoming increasingly rare in practice. Our technique, unlike the idle scan, is based on a much more advanced IPID generation scheme, that of the prevalent Linux kernel. Although Linux's IPID generation scheme is specifically intended to reduce information flow, we show that using Linux machines as zombies in an indirect scan is still possible. ONIS has 87% accuracy, which is comparable to nmap's implementation of the idle scan at 86%. ONIS's much broader choice of zombies will enable it to be a widely used technique which can fulfill various network measurement tasks.

Original languageEnglish (US)
Title of host publicationINFOCOM 2018 - IEEE Conference on Computer Communications
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages9
ISBN (Electronic)9781538641286
StatePublished - Oct 8 2018
Externally publishedYes
Event2018 IEEE Conference on Computer Communications, INFOCOM 2018 - Honolulu, United States
Duration: Apr 15 2018Apr 19 2018

Publication series

NameProceedings - IEEE INFOCOM
ISSN (Print)0743-166X


Other2018 IEEE Conference on Computer Communications, INFOCOM 2018
Country/TerritoryUnited States

ASJC Scopus subject areas

  • Computer Science(all)
  • Electrical and Electronic Engineering


Dive into the research topics of 'ONIS: Inferring TCP/IP-based Trust Relationships Completely Off-Path'. Together they form a unique fingerprint.

Cite this