server -> SYN | ACK
client -> RST
This exchange shows that the target port was open, since the server answered with the SYN and ACK flags set. The RST that follows is generated by the scanner's kernel rather than by the scanning tool: the tool crafted the SYN on a raw socket, so the operating system's TCP/IP stack has no record of the connection and, on receiving the unexpected SYN/ACK, tears the half-open connection down with a RST on its own. The scanner never sends the final ACK of the handshake. Conversely, a closed port answers with RST and ACK set:
client -> SYN
server -> RST | ACK
As the second exchange shows, a RST/ACK reply indicates a non-listening port. Because the scanner answers a SYN/ACK with a RST instead of the ACK that would complete the three-way handshake, the connection is torn down before it ever reaches the listening application, so this scan often goes unlogged by connection-based logging (anything that only records accepted connections), while still distinguishing open from closed ports reliably. The technique has, however, become easy for network-level IDS to detect, not least because a large number of Denial of Service (DoS) tools work by flooding a host with SYN packets, so rules that count SYNs per source are common.
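The two exchanges above, carried through as a small simulation (an added example, not code from the original post). It builds real 20-byte TCP headers with a checksum over the IPv4 pseudo-header, the part a raw-socket scanner has to craft itself, runs a half-open scan against a stand-in for the target's stack, and records which connections the target's application layer ever gets to see. The addresses, ports, ISNs and the `SimulatedTarget` class are assumptions for the simulation; the "filtered" outcome (no reply at all) goes slightly beyond the text, which only discusses open and closed ports.

```python
import socket
import struct

# TCP control bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags) -> bytes:
    """20-byte TCP header (no options, no payload) with a correct checksum over
    the IPv4 pseudo-header, i.e. what a raw-socket scanner must craft by hand."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      5 << 4, flags, 65535, 0, 0)    # data offset 5 words, checksum 0
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, len(hdr))
    csum = inet_checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip, dst_ip, seg: bytes) -> bool:
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, len(seg))
    return inet_checksum(pseudo + seg) == 0


def parse_tcp_segment(seg: bytes) -> dict:
    sp, dp, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"src_port": sp, "dst_port": dp, "seq": seq, "ack": ack, "flags": flags}


class SimulatedTarget:
    """Stand-in (assumed, not a real stack) for the target: listening ports answer
    SYN with SYN|ACK, closed ports with RST|ACK, and ports in `dropped_ports` never
    answer. `accepted` holds what an application, and therefore TCP wrappers, would
    ever see: only fully completed handshakes."""

    def __init__(self, ip, listening_ports, dropped_ports=()):
        self.ip = ip
        self.listening = set(listening_ports)
        self.dropped = set(dropped_ports)
        self.half_open = {}   # (client_ip, client_port, port) -> our ISN, awaiting final ACK
        self.accepted = []    # completed handshakes, i.e. what a connect() scan leaves behind

    def receive(self, client_ip, seg):
        p = parse_tcp_segment(seg)
        key = (client_ip, p["src_port"], p["dst_port"])
        if p["dst_port"] in self.dropped:
            return None
        if p["flags"] == SYN:
            if p["dst_port"] in self.listening:
                isn = 0x1000 + p["dst_port"]          # deterministic ISN for the simulation
                self.half_open[key] = isn
                return build_tcp_segment(self.ip, client_ip, p["dst_port"], p["src_port"],
                                         isn, p["seq"] + 1, SYN | ACK)
            return build_tcp_segment(self.ip, client_ip, p["dst_port"], p["src_port"],
                                     0, p["seq"] + 1, RST | ACK)
        if key in self.half_open:
            del self.half_open[key]
            if p["flags"] & ACK and not p["flags"] & RST:
                self.accepted.append(key)             # handshake completed
        return None


def syn_scan(target, scanner_ip, ports, first_src_port=40000):
    """Half-open scan: send SYN, classify the reply, and answer a SYN|ACK with a
    bare RST (what the scanner's own kernel does with a reply it never asked for)."""
    results = {}
    for i, port in enumerate(ports):
        sp, seq = first_src_port + i, 0xABCD0000 + i
        reply = target.receive(scanner_ip,
                               build_tcp_segment(scanner_ip, target.ip, sp, port, seq, 0, SYN))
        if reply is None:
            results[port] = "filtered"               # no answer at all
            continue
        r = parse_tcp_segment(reply)
        if r["flags"] & SYN and r["flags"] & ACK:
            results[port] = "open"
            target.receive(scanner_ip,
                           build_tcp_segment(scanner_ip, target.ip, sp, port, r["ack"], 0, RST))
        elif r["flags"] & RST:
            results[port] = "closed"
        else:
            results[port] = "unknown"
    return results


if __name__ == "__main__":
    t = SimulatedTarget("10.0.0.5", listening_ports=[22, 80], dropped_ports=[25])
    print(syn_scan(t, "10.0.0.9", [22, 25, 80, 81]))
    print("handshakes the application ever saw:", t.accepted)
```

After the scan `t.accepted` is empty and `t.half_open` is empty too: every open port was identified from the SYN/ACK alone and then reset, so nothing reached `accept()`. Feeding the same target a SYN followed by a proper ACK shows the contrast, as that connection does land in `accepted`.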
Standard network intrusion detection tools such as Snort, Courtney and iplog are well able to log half-open scans. TCP wrappers, by contrast, cannot: they only see connections that complete the handshake and reach the wrapped service, which is exactly what this technique avoids, and that kind of connection logging is what the half-open method was originally adopted to evade. (SATAN, often mentioned in this context, is a network scanner rather than an IDS; Courtney is the tool written to detect SATAN scans.)
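What a network-level detector sees that an application-level logger never does, as an added example that is not code from the original post or from any of the tools named above: a simplified SYN-counting heuristic run over constructed tcpdump-style lines (`tcpdump -n` format, invented traffic). It follows every client SYN through the handshake, labels the outcome, and alerts on sources that probe several distinct ports of one host without ever completing a connection. The thresholds, addresses and the rule itself are assumptions, not Snort's, Courtney's or iplog's actual logic.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines, not a real capture: 10.0.0.9 half-open scans
# five ports of 10.0.0.5 in about 40 ms; 10.0.0.7 makes one ordinary connection.
SAMPLE_LINES = """\
12:00:01.000000 IP 10.0.0.9.40000 > 10.0.0.5.22: Flags [S]
12:00:01.000100 IP 10.0.0.5.22 > 10.0.0.9.40000: Flags [S.]
12:00:01.000200 IP 10.0.0.9.40000 > 10.0.0.5.22: Flags [R]
12:00:01.010000 IP 10.0.0.9.40001 > 10.0.0.5.23: Flags [S]
12:00:01.010100 IP 10.0.0.5.23 > 10.0.0.9.40001: Flags [R.]
12:00:01.020000 IP 10.0.0.9.40002 > 10.0.0.5.24: Flags [S]
12:00:01.020100 IP 10.0.0.5.24 > 10.0.0.9.40002: Flags [R.]
12:00:01.030000 IP 10.0.0.9.40003 > 10.0.0.5.25: Flags [S]
12:00:01.040000 IP 10.0.0.9.40004 > 10.0.0.5.80: Flags [S]
12:00:01.040100 IP 10.0.0.5.80 > 10.0.0.9.40004: Flags [S.]
12:00:01.040200 IP 10.0.0.9.40004 > 10.0.0.5.80: Flags [R]
12:00:05.000000 IP 10.0.0.7.51000 > 10.0.0.5.80: Flags [S]
12:00:05.000100 IP 10.0.0.5.80 > 10.0.0.7.51000: Flags [S.]
12:00:05.000200 IP 10.0.0.7.51000 > 10.0.0.5.80: Flags [.]
""".splitlines()

# tcpdump -n line prefix; anything after the flag list (seq, win, ...) is ignored
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, us, src, sp, dst, dp, flags = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
    return {"t": t, "src": src, "sport": int(sp), "dst": dst, "dport": int(dp), "flags": flags}


def classify_connections(lines):
    """Follow each client 4-tuple through the handshake and label its outcome:
    'full' (client ACKed the SYN|ACK), 'half_open' (client RST, or nothing, after
    SYN|ACK), 'closed' (server RST|ACK) or 'no_reply' (SYN unanswered).
    Returns {(src, sport, dst, dport): (t_syn, outcome)}."""
    state = {}
    for p in filter(None, map(parse_line, lines)):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        f = p["flags"]
        if f == "S":
            state[fwd] = [p["t"], "no_reply"]
        elif rev in state and state[rev][1] == "no_reply":
            state[rev][1] = "synack" if f == "S." else "closed" if f == "R." else "no_reply"
        elif fwd in state and state[fwd][1] == "synack":
            state[fwd][1] = "half_open" if "R" in f else "full" if "." in f else "synack"
    return {k: (t, "half_open" if o == "synack" else o) for k, (t, o) in state.items()}


def detect_syn_scans(lines, threshold=3, window=10.0):
    """Alert on (src, dst) pairs with >= threshold probes to distinct ports within
    `window` seconds, where a probe is any SYN that did not end in a completed
    handshake. Returns {(src, dst): sorted list of all ports probed}."""
    probes = defaultdict(list)
    for (src, _sp, dst, dport), (t, outcome) in classify_connections(lines).items():
        if outcome != "full":
            probes[(src, dst)].append((t, dport))
    alerts = {}
    for (src, dst), evs in probes.items():
        evs.sort()
        for i in range(len(evs)):
            ports = {dp for t, dp in evs[i:] if t - evs[i][0] <= window}
            if len(ports) >= threshold:
                alerts[(src, dst)] = sorted({dp for _, dp in evs})
                break
    return alerts


if __name__ == "__main__":
    for key, (t, outcome) in classify_connections(SAMPLE_LINES).items():
        print(key, outcome)
    print(detect_syn_scans(SAMPLE_LINES))
```

On the sample, 10.0.0.9 is reported with ports 22, 23, 24, 25 and 80 (half-open, closed and unanswered probes all count, since none of them completed a handshake), while 10.0.0.7's full connection to port 80 produces no alert. Raising the threshold to 6 silences the alert, which is the trade-off every SYN-counting rule makes between catching slow scans and false positives from normal connection failures.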
Advantages: fast, reliable, avoids basic (connection-based) IDS and application-level logging, never completes the TCP three-way handshake
Disadvantages: requires root privileges (raw sockets), many IDS rulesets detect and block SYN scan attempts