TCP Half scan (Stealth scan) (TCP FIN scan)

About this signature or vulnerability

BlackICE: http://www.networkice.com/advice/Intrusions/2000305

Default risk level

Low risk vulnerability

Sensors that have this signature

BlackICE: 1.8.5.5

Systems affected

Various vendors, any application

Type

Pre-attack Probe

Vulnerability description

During a normal TCP connection, the source initiates the connection by sending a SYN packet to a port on the destination system. If a service is listening on that port, the service responds with a SYN/ACK packet. The client initiating the connection then responds with an ACK packet, and the connection is established. If the destination host is not waiting for a connection on the specified port, it responds with an RST packet. Most system logs do not log completed connections until the final ACK packet is received from the source.

Sending other types of packets that do not follow this sequence can elicit useful responses from the target host without causing a connection to be logged. This is known as a TCP half scan, or a stealth scan, because it does not generate a log entry on the scanned host. An attacker can send several different types of packets to initiate various types of stealth scans, such as the following:

A stealth scan is dangerous because it allows an attacker to determine which ports are open on a target host, without being detected by the host operating system.

How to remove this vulnerability

Upgrade your firewall to a system that understands the state of TCP connections and rejects stealth scan packets. Stateful inspection and proxy firewalls will defeat IP half scan attacks.

If you see this attack, log the address of the scanning entity. Contact the administrator of the source domain to verify the address and the intent behind the scan. Pay close attention to the log files of scanned hosts. If appropriate, reconfigure your firewalls to block traffic from the source of the scans.
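The following is an added illustration, not code from ISS X-Force or BlackICE, of why the stateful inspection recommended above catches what a host's own connection log misses. It tracks the three-way handshake described in the vulnerability description per flow and flags any TCP packet that arrives for a flow that never saw a SYN (a FIN, NULL or bare-ACK probe), then groups the flagged packets by source so the scanning address can be logged. The packet records, addresses (RFC 5737 documentation ranges) and port numbers are all constructed for the example; the `Packet` class, `StatefulInspector` and `scan_sources` are hypothetical names, not any product's API.

```python
"""Minimal stateful inspection of TCP flag sequences (added example, not
ISS/BlackICE code). Shows that a packet which skips the SYN / SYN-ACK / ACK
handshake is visible to a state-tracking filter even though the scanned
host never logs a completed connection."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def flow_key(p):
    # Both directions of one connection map to the same key.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class StatefulInspector:
    """Per-flow handshake tracker: SYN -> SYN_SENT, SYN/ACK -> SYN_RECEIVED,
    ACK -> ESTABLISHED. A packet for a flow with no prior SYN is out of state
    and is flagged; this is the case a stateless filter passes through."""

    def __init__(self):
        self.state = {}    # flow_key -> state name
        self.flagged = []  # (packet, reason) for out-of-state packets

    def observe(self, p):
        key = flow_key(p)
        st = self.state.get(key)
        f = p.flags
        if "RST" in f:
            # Either side aborting; stop tracking, never flag the RST itself.
            self.state.pop(key, None)
            return None
        if st is None:
            if f == frozenset({"SYN"}):
                self.state[key] = "SYN_SENT"
                return None
            flagstr = "/".join(sorted(f)) or "NULL"
            reason = "no handshake for this flow; flags=" + flagstr
            self.flagged.append((p, reason))
            return reason
        if st == "SYN_SENT" and f == frozenset({"SYN", "ACK"}):
            self.state[key] = "SYN_RECEIVED"
        elif st == "SYN_RECEIVED" and "ACK" in f and "SYN" not in f:
            self.state[key] = "ESTABLISHED"
        elif st == "ESTABLISHED" and "FIN" in f:
            # Orderly close begins; a full inspector would also time flows out.
            self.state[key] = "CLOSING"
        return None


def inspect(packets):
    insp = StatefulInspector()
    for p in packets:
        insp.observe(p)
    return insp.flagged


def scan_sources(flagged, min_ports=3):
    """Group out-of-state packets by source address. One source probing several
    distinct ports without ever completing a handshake is the pattern to log."""
    targets = defaultdict(set)
    for p, _ in flagged:
        targets[p.src].add((p.dst, p.dport))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_ports}


# Constructed sample traffic (documentation addresses, made-up ports).
SYN, SYNACK, ACK, FIN = (frozenset({"SYN"}), frozenset({"SYN", "ACK"}),
                         frozenset({"ACK"}), frozenset({"FIN"}))
CLIENT, SERVER, SCANNER = "198.51.100.20", "192.0.2.10", "203.0.113.7"

SAMPLE = [
    # Legitimate connection: full handshake, then data.
    Packet(CLIENT, SERVER, 40000, 80, SYN),
    Packet(SERVER, CLIENT, 80, 40000, SYNACK),
    Packet(CLIENT, SERVER, 40000, 80, ACK),
    Packet(CLIENT, SERVER, 40000, 80, frozenset({"ACK", "PSH"})),
    # FIN probes to several ports with no handshake; the host answers RST on
    # closed ports and logs no connection, because none was completed.
    Packet(SCANNER, SERVER, 55555, 22, FIN),
    Packet(SERVER, SCANNER, 22, 55555, frozenset({"RST", "ACK"})),
    Packet(SCANNER, SERVER, 55555, 25, FIN),
    Packet(SCANNER, SERVER, 55555, 80, FIN),
    Packet(SCANNER, SERVER, 55555, 443, FIN),
    Packet(SERVER, SCANNER, 443, 55555, frozenset({"RST", "ACK"})),
    # NULL probe (no flags set): also out of state.
    Packet(SCANNER, SERVER, 55556, 139, frozenset()),
]

if __name__ == "__main__":
    flagged = inspect(SAMPLE)
    for p, reason in flagged:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {reason}")
    for src, ports in scan_sources(flagged).items():
        print(f"log and investigate {src}: probed {len(ports)} ports without handshake")
```

The legitimate client never appears in the output, and the RST replies from the server are not flagged: only packets that arrive for a flow with no SYN are reported, which is the property that lets a stateful filter drop these probes while leaving normal connections untouched.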

References

ISS X-Force
TCP Half scan (Stealth scan)
http://www.iss.net/security_center/static/405.php