Defense against Idle Scanning

There is at present no immediate defense against an idle scan, and no easy way to tell it from a regular SYN scan, since from the target's point of view the probes simply arrive from the witness host. However, it is quite easy to defend against being a witness host (commonly called a "zombie" in scanner documentation) by using random or constant IP IDs, as discussed in Chapter 9. Although doing so won't make attacks against you—or attacks in general—any more difficult (plenty of systems will always use sequential identifiers), it will prevent your network from being abused for this purpose.
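Whether a given host is usable as a witness comes down to how it generates IP IDs, which you can judge from a short run of IDs observed in its replies (nmap reports this as "IP ID Sequence Generation" under `-O -v`, and its `ipidseq` script does the same). The classifier below is an added example, not code from the book: it takes a list of observed 16-bit IDs and decides whether the generator is a per-packet counter (abusable), a constant or zero (safe), a counter with its bytes swapped (abusable, a known firmware quirk), a counter that is stepping too fast to be read reliably, or random. The class names loosely follow nmap's categories, which is my assumption, and the sample runs are constructed rather than captured from real hosts.

```python
"""Classify a host's IP ID generation scheme from IDs seen in its replies.

Added example, not part of the book. Sample ID runs are constructed.
"""

WRAP = 1 << 16        # the IP ID field is 16 bits, so counters wrap at 65536
SMALL_STEP = 10       # a quiet host with a global counter steps by a few per probe
BUSY_STEP = 1000      # larger but still bounded steps: a counter shared with other traffic


def ipid_steps(ids):
    """Differences between consecutive IDs modulo 2^16, so the wrap
    65535 -> 0 counts as a step of 1 rather than -65535."""
    return [(b - a) % WRAP for a, b in zip(ids, ids[1:])]


def byteswap16(x):
    """Swap the two bytes of a 16-bit value (undo a little-endian counter)."""
    return ((x & 0xFF) << 8) | ((x >> 8) & 0xFF)


def classify_ipid(ids):
    """Return (class_name, usable_as_witness) for a run of observed IP IDs.

    Order matters: a byte-swapped counter steps by multiples of 256, so it
    must be tested before the 'busy' rule, which would otherwise swallow it.
    """
    if len(ids) < 3:
        return ("unknown", False)          # too few samples to say anything

    steps = ipid_steps(ids)
    if all(s == 0 for s in steps):
        # Constant ID: nothing for an attacker to read. Zero is the usual
        # choice for stacks that never fragment.
        return ("all zeros" if ids[0] == 0 else "constant", False)

    if all(1 <= s <= SMALL_STEP for s in steps):
        return ("incremental", True)       # classic witness host

    swapped_steps = ipid_steps([byteswap16(x) for x in ids])
    if all(1 <= s <= SMALL_STEP for s in swapped_steps):
        return ("broken little-endian incremental", True)

    if all(1 <= s <= BUSY_STEP for s in steps):
        # A global counter, but other traffic moves it between probes; the
        # attacker cannot tell probe-induced increments from background noise.
        return ("busy incremental", False)

    # Uniform 16-bit steps: the chance of three or more random steps all
    # landing under BUSY_STEP is negligible, so anything left is random.
    return ("randomized", False)


def witness_report(samples):
    """Map host -> observed ID run to host -> (class, usable)."""
    return {host: classify_ipid(ids) for host, ids in samples.items()}


# Constructed ID runs, one per hypothetical host (not real captures).
SAMPLE_RUNS = {
    "printer":   [1000, 1001, 1002, 1003],          # global counter, idle
    "wrapping":  [65534, 65535, 0, 1],              # counter crossing 2^16
    "old-nas":   [0x0100, 0x0200, 0x0300, 0x0400],  # little-endian counter
    "fileserver": [100, 140, 210, 300],             # counter, but busy
    "hardened":  [0, 0, 0, 0],                      # zero IDs
    "random":    [0x3A2F, 0x91C4, 0x0A10, 0xE77B],  # random IDs
}

if __name__ == "__main__":
    for host, (cls, usable) in witness_report(SAMPLE_RUNS).items():
        flag = "ABUSABLE" if usable else "ok"
        print(f"{host:12s} {cls:36s} {flag}")
```

Only the two counter classes are reported as abusable; a busy counter is a nuisance to an attacker rather than a defense, so the fix for such a host is still to switch it to random or constant IDs.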

To avoid the firewall bypassing (“perspective”) attack, use common sense when designing access channels for external systems, and use proper ingress filtering on gateway systems, dropping all packets that arrive from the Internet with source addresses that seem to belong ...
