Fin - no - Ack

Cloppert, Michael mcloppert at usaid.gov
Wed Feb 25 20:16:59 GMT 2004


From what I understand, a SYN/FIN scan will in fact raise both SYN and FIN TCP flags, the goal of which is to receive a SYN/ACK packet back (Solaris 5.8 plays well with this).
 
Could this be an ordinary FIN scan?  FIN scanning looks for ports based on the lack of a response.  This introduces obvious accuracy problems, but can be effective.  The theory is that when a host receives a FIN packet on a closed port, a RST/ACK will be sent in response.  Besides port scanning, a peripheral benefit of FIN scans is determining RFC compliance.
 
SecurityFocus has a great high-level article on FIN scans: http://www.securityfocus.com/guest/24226
...and this bugtraq is good too: http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
 
Don't know if this at all answers your question, and you may already know this, but HTH,
Mike

	-----Original Message----- 
	From: Smith, Donald [mailto:Donald.Smith at qwest.com] 
	Sent: Wed 2/25/2004 1:42 PM 
	To: fportnoy at mail.plymouth.edu; intrusion at sans.org; unisog at sans.org 
	Cc: 
	Subject: RE: Fin - no - Ack
	
	

	Just the fin (no syn?).
	SYN/FIN scanning works in some OSes and can pass weak filters.
	
	Donald.Smith at qwest.com GCIA
	http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
	Good luck favors the well prepared. Bad luck favors the poorly prepared.
	
	> -----Original Message-----
	> From: Fred Portnoy [mailto:fportnoy at mail.plymouth.edu]
	> Sent: Wednesday, February 25, 2004 11:30 AM
	> To: intrusion at sans.org; unisog at sans.org
	> Subject: Fin - no - Ack
	>
	>
	> Since around 9am today I am seeing high rates of scans coming from my ResNet
	> with the FIN bit set but no ACK bit. Does this sound familiar to anyone?
	>
	> thanks
	>
	> -fp
	>
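The flag combinations discussed in this thread (FIN with no ACK, SYN/FIN, and the closed-port RST/ACK reply that a FIN scan relies on), as an added example that is not part of the original messages. It models the RFC 793 reply a strictly compliant stack gives to an unsolicited segment, shows what a FIN scanner concludes from the reply or the silence, and runs a simple FIN-without-ACK detector over a handful of constructed packet records; the IP addresses, ports and threshold are made-up sample values.

```python
"""Classify TCP probe flag combinations, model the RFC 793 reply that a FIN
scan depends on, and flag sources sending FIN-without-ACK segments.

Added example for the "Fin - no - Ack" thread; not code from the thread.
The packet records below are constructed for illustration."""

# TCP flag bits as they appear in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify(flags: int) -> str:
    """Name the probe type implied by a flag byte.

    Any segment carrying ACK belongs to a conversation that has at least
    reached the second step of the handshake, so it is treated as normal.
    FIN-only, SYN/FIN, NULL and Xmas (FIN/PSH/URG) never occur in a
    legitimate handshake and are the classic stealth-scan signatures."""
    if flags & ACK:
        return "normal"
    if flags == SYN:
        return "syn"            # a real connection attempt or a SYN scan
    if flags & SYN and flags & FIN:
        return "syn-fin"
    if flags == FIN:
        return "fin"            # what the original poster observed
    if flags == 0:
        return "null"
    if flags & FIN and flags & PSH and flags & URG:
        return "xmas"
    return "other"


def rfc793_reply(flags: int, port_open: bool):
    """Reply a strictly RFC 793 stack sends to an unsolicited segment.

    Returns the flag byte of the reply, or None when the stack stays silent.
    CLOSED state: everything except a RST is answered with a RST; the reply
    carries ACK unless the probe itself carried ACK.  LISTEN state: a SYN is
    answered with SYN/ACK (the FIN bit is not examined in LISTEN, which is
    why SYN/FIN gets through a filter that only blocks bare SYNs); any other
    segment without ACK or RST is dropped without a reply."""
    if flags & RST:
        return None
    if not port_open:
        return RST if flags & ACK else RST | ACK
    if flags & SYN:
        return SYN | ACK
    return None


def fin_scan_verdict(reply) -> str:
    """What a FIN scanner concludes from a reply (or from silence).

    Silence is ambiguous: the port may be open or a filter may have dropped
    the probe, which is the accuracy problem mentioned in the thread."""
    if reply is not None and reply & RST:
        return "closed"
    return "open|filtered"


# Constructed sample traffic: (source address, destination port, TCP flags).
SAMPLE_PACKETS = [
    ("10.20.1.5", 22, FIN),
    ("10.20.1.5", 80, FIN),
    ("10.20.1.5", 443, FIN),
    ("10.20.1.5", 8080, FIN),
    ("10.20.1.9", 80, SYN),
    ("10.20.1.9", 80, ACK),
    ("10.20.1.9", 80, FIN | ACK),   # ordinary connection teardown
    ("10.20.2.7", 22, SYN | FIN),
]


def suspicious_sources(packets, threshold: int = 3) -> dict:
    """Sources that sent FIN-without-ACK segments to at least `threshold`
    distinct destination ports.  Returns {source: distinct_port_count}."""
    ports_by_src: dict = {}
    for src, port, flags in packets:
        if classify(flags) == "fin":
            ports_by_src.setdefault(src, set()).add(port)
    return {src: len(p) for src, p in ports_by_src.items() if len(p) >= threshold}


if __name__ == "__main__":
    for port_open in (False, True):
        reply = rfc793_reply(FIN, port_open)
        print(f"FIN probe, port_open={port_open}: reply={reply!r} -> {fin_scan_verdict(reply)}")
    print("SYN/FIN to open port:", rfc793_reply(SYN | FIN, True) == SYN | ACK)
    print("suspicious sources:", suspicious_sources(SAMPLE_PACKETS))
```

The "open|filtered" verdict is the honest one: silence cannot distinguish an open port from a dropped probe, and stacks that are not strictly RFC 793 compliant (Windows is the usual example) answer a FIN probe on an open port with a RST as well, so every port looks closed to a FIN scan. That behaviour is the "RFC compliance" signal the reply above alludes to.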