Y Y

what is "Fin Scan"? How harmful is it?

thx


jvuz 🇧🇪

In what context?

Luc Franken 🇳🇱

Hi techcity,

You might want to take a look here:
http://securityresponse.symantec.com/avcenter/security/Content/2002.05.16.html

It's really low risk, it's only searching for open ports, if you use a good firewall you'll be fine.

Greetings,

LucF

Luc Franken 🇳🇱

More information about different packages I found here: http://www.linux-magazine.com/issue/04/snort_nmap.pdf (page 47)

chicagoan 🇺🇸

From ISS:

The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that "open" listening ports will send back different error messages than "closed" ports.

The most common of these scans is the FIN scan, which attempts to close a connection that isn't open. If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, no response indicates a listening service at the port. However, since packets can be dropped accidentally on the wire or by firewalls, this isn't a very effective scan.

Other techniques might consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans.

Here is the description of a FIN scan from Insecure.org, the home of NMAP:

"TCP FIN scanning : There are times when even SYN scanning isn't clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs like synlogger and Courtney are available to detect these scans. FIN packets, on the other hand, may be able to pass through unmolested. This scanning technique was featured in detail by Uriel Maimon in Phrack 49, article 15. The idea is that closed ports tend to reply to your FIN packet with the proper RST. Open ports, on the other hand, tend to ignore the packet in question. As Alan Cox has pointed out, this is required TCP behavior. However, some systems (notably Micro$oft boxes), are broken in this regard. They send RST's regardless of the port state, and thus they aren't vulnerable to this type of scan. It works well on most other systems I've tried. Actually, it is often useful to discriminate between a *NIX and NT box, and this can be used to do that. FIN scanning is the -U (Uriel) option of nmap."

This description is found here:
http://www.insecure.org/nmap/nmap_doc.html#fin

The bottom line is that you see this when someone is fishing to see what you have running on your servers/networks.

FIN scans and other types of bizarro TCP-option scans SHOULD be blocked by any good firewall. Unfortunately, many firewalls that a lot of people think are good aren't.

The scan itself isn't a threat, but it is the precursor to an actual attack.

For example, an attacker might FIN-scan your network and find all the systems running something on port 80 (usually HTTP). They then can target those systems for various webserver attacks and waltz in (assuming any of the servers are vulnerable to any of the attacks in their bag of tricks, but this is almost certainly the case if you're running IIS and you don't have the very very latest patches).


chicagoan 🇺🇸

FIN scan is a port scan designed to ferret out services surreptitiously.
If a service is identified, known vulnerabilities can be used to exploit those services.
This is a primitive attempt at evading Intrusion Detection Systems.
Your system correctly identified the probe; blocking such packets is good.
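
The posts above describe FIN, NULL and XMAS probes and note that an IDS or firewall should recognise them. The following is an added example, not part of the original thread or any poster's code, of how a sensor can spot them from the TCP flags byte alone and group hits by source. The function names, the `min_ports` threshold and the sample packets (documentation addresses) are assumptions constructed for the illustration.

```python
import struct
from collections import defaultdict
FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20

def classify_flags(flags):
    """Name the probe type for a TCP flags byte, or None for ordinary traffic."""
    flags &= 0x3F                      # ignore ECE/CWR bits
    if flags == 0:
        return "NULL"
    if flags == FIN:                   # a normal close carries FIN+ACK, not bare FIN
        return "FIN"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "XMAS"                  # also matches the all-flags-set variant
    return None

def parse_ipv4_tcp(packet):
    """Return (src_ip, dst_port, flags) from a raw IPv4 packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    fragment_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or fragment_offset or len(packet) < ihl + 14:
        return None                    # malformed, or a fragment without TCP header
    src = ".".join(str(b) for b in packet[12:16])
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return src, dst_port, packet[ihl + 13]

def detect_scanners(packets, min_ports=3):
    """Map each source that probed >= min_ports ports to {probe type: ports}."""
    hits = defaultdict(lambda: defaultdict(set))
    for packet in packets:
        parsed = parse_ipv4_tcp(packet)
        kind = classify_flags(parsed[2]) if parsed else None
        if kind:
            hits[parsed[0]][kind].add(parsed[1])
    return {src: {k: sorted(v) for k, v in kinds.items()}
            for src, kinds in hits.items()
            if len(set().union(*kinds.values())) >= min_ports}

def build_packet(src, dst, dport, flags):
    """Constructed sample packet: 20-byte IPv4 + 20-byte TCP header, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)

# Constructed traffic: a FIN sweep, a normal session, one NULL packet below threshold.
SAMPLE = [build_packet("203.0.113.7", "192.0.2.10", p, FIN) for p in (22, 80, 443)]
SAMPLE += [build_packet("198.51.100.5", "192.0.2.10", 80, f) for f in (SYN, ACK, FIN | ACK)]
SAMPLE.append(build_packet("203.0.113.9", "192.0.2.10", 25, 0))
```

Calling `detect_scanners(SAMPLE)` reports only the source that swept three ports with bare FIN packets; the ordinary SYN / ACK / FIN+ACK session is ignored, and the lone NULL packet appears only when `min_ports` is lowered to 1.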

ASKER CERTIFIED SOLUTION
samstern
