Fin - no - Ack
mcloppert at usaid.gov
Wed Feb 25 20:16:59 GMT 2004
From what I understand, a SYN/FIN scan will in fact raise both SYN and FIN TCP flags, the goal of which is to receive a SYN/ACK packet back (Solaris 5.8 plays well with this).
Could this be an ordinary FIN scan? FIN scanning looks for ports based on the lack of a response. This introduces obvious accuracy problems, but can be effective. The theory is that when a host receives a FIN packet on a closed port, a RST/ACK will be sent in response. Besides port scanning, a peripheral benefit of FIN scans is determining RFC compliance.
SecurityFocus has a great high-level article on FIN scans: http://www.securityfocus.com/guest/24226
...and this bugtraq is good too: http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
Don't know if this at all answers your question, and you may already know this, but HTH,
From: Smith, Donald [mailto:Donald.Smith at qwest.com]
Sent: Wed 2/25/2004 1:42 PM
To: fportnoy at mail.plymouth.edu; intrusion at sans.org; unisog at sans.org
Subject: RE: Fin - no - Ack
Just the FIN (no SYN?).
SYN/FIN scanning works in some OSes and can pass weak filters.
Donald.Smith at qwest.com GCIA
Good luck favors the well prepared. Bad luck favors the poorly prepared.
> -----Original Message-----
> From: Fred Portnoy [mailto:fportnoy at mail.plymouth.edu]
> Sent: Wednesday, February 25, 2004 11:30 AM
> To: intrusion at sans.org; unisog at sans.org
> Subject: Fin - no - Ack
> Since around 9am today I am seeing high rates of scans coming from my ResNet
> with the FIN bit set but no ACK bit. Does this sound familiar to anyone?
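
A detection sketch for the traffic discussed in this thread, added here as an example and not code from any of the posters: it reads the TCP flags byte from raw IPv4 packets and reports sources that send FIN without ACK, or SYN together with FIN, to several distinct ports. The function names, the `min_ports` threshold and the sample addresses are assumptions, and the packets are constructed inline.

```python
import struct
from collections import defaultdict

FIN, SYN, ACK = 0x01, 0x02, 0x10

def classify(flags):
    """Label a TCP flags byte; None means nothing unusual for this check."""
    if flags & SYN and flags & FIN:
        return "SYN/FIN"        # contradictory: opens and closes at once
    if flags & FIN and not flags & ACK:
        return "FIN-no-ACK"     # a normal close carries FIN together with ACK
    return None

def parse(pkt):
    """Return (src_ip, dst_port, flags) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None             # too short, not IPv4, or not TCP
    ihl = (pkt[0] & 0x0F) * 4   # IP header length; options shift the TCP header
    if ihl < 20 or len(pkt) < ihl + 14:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return src, dport, pkt[ihl + 13] & 0x3F

def suspects(packets, min_ports=3):
    """Map source -> {label: ports} for sources probing >= min_ports distinct ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for pkt in packets:
        rec = parse(pkt)
        label = classify(rec[2]) if rec else None
        if label:
            seen[rec[0]][label].add(rec[1])
    return {src: {k: sorted(v) for k, v in labels.items()}
            for src, labels in seen.items()
            if len(set().union(*labels.values())) >= min_ports}

def build(src, dport, flags):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

# Constructed traffic: a FIN sweep, one ordinary close, and a SYN/FIN sweep.
SAMPLE = ([build("10.1.1.5", p, FIN) for p in (21, 22, 23, 80)]
          + [build("10.1.1.6", 80, FIN | ACK)]
          + [build("10.1.1.7", p, SYN | FIN) for p in (25, 110, 143)])

if __name__ == "__main__":
    for src, hits in suspects(SAMPLE).items():
        print(src, hits)
```

The ordinary FIN/ACK close from the third source is not reported, which is the distinction the original question turns on.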