Idle scan relies on which side-channel to infer port states?

Multiple Choice

Idle scan relies on which side-channel to infer port states?

Explanation:
Idle scan uses the IPID side-channel of a zombie host. The IPID field in IPv4 headers identifies fragments and, on many systems, increments with each outbound packet in a relatively predictable way. In this technique, the scanner spoofs packets to the target with the zombie’s IP as the source. The target’s responses go to the zombie, and the zombie will emit different outbound traffic back to the scanner depending on whether the port is open or closed. Those differences cause the zombie’s IPID value to change in a detectable way. By observing how the zombie’s IPID changes before and after the spoofed probes, the scanner can infer which ports on the target are open. The other options don’t provide this covert side-channel: TTL analysis isn’t used to determine open ports in idle scans, DNS response times aren’t relevant to the port-state inference, and ICMP error messages aren’t the mechanism behind this technique.
