Fin - no - Ack

Cloppert, Michael mcloppert at
Wed Feb 25 20:16:59 GMT 2004

From what I understand, a SYN/FIN scan will in fact raise both SYN and FIN TCP flags, the goal of which is to receive a SYN/ACK packet back (Solaris 5.8 plays well with this).
Could this be an ordinary FIN scan?  FIN scanning looks for ports based on the lack of a response.  This introduces obvious accuracy problems, but can be effective.  The theory is that when a host receives a FIN packet on a closed port, a RST/ACK will be sent in response.  Besides port scanning, a periphery benefit of FIN scans is determining RFC compliance.
SecurityFocus has a great high-level article on FIN scans:
...and this bugtraq is good too:
Don't know if this at all answers your question, and you may already know this, but HTH,

	-----Original Message----- 
	From: Smith, Donald [mailto:Donald.Smith at] 
	Sent: Wed 2/25/2004 1:42 PM 
	To: fportnoy at; intrusion at; unisog at 
	Subject: RE: Fin - no - Ack

	Just the fin (no syn?).
	SYN/FIN scanning works in some os'es and can pass weak filters.
	Donald.Smith at GCIA
	Good luck favors the well prepared. Bad luck favors the poorly prepared.
	> -----Original Message-----
	> From: Fred Portnoy [mailto:fportnoy at]
	> Sent: Wednesday, February 25, 2004 11:30 AM
	> To: intrusion at; unisog at
	> Subject: Fin - no - Ack
	> Since around 9am today I am seeing high rates of scans coming
	> from my ResNet
	> with the FIN bit set but no ACK bit. Does this sound familiar
	> to anyone?
	> thanks
	> -fp

More information about the unisog mailing list