what is "Fin Scan"? How harmful is it?

what is "Fin Scan"? How harmful is it?

thx
LVL 1
Y YconsultantAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

jvuzCommented:
In what context?
Luc FrankenEMEA Server EngineerCommented:
Hi techcity,

You might want to take a look here:
http://securityresponse.symantec.com/avcenter/security/Content/2002.05.16.html

It's really low risk, it's only searching for open ports, if you use a good firewall you'll be fine.

Greetings,

LucF
Luc FrankenEMEA Server EngineerCommented:
More information about different packages I found here: http://www.linux-magazine.com/issue/04/snort_nmap.pdf (page 47)
Need More Insight Into What’s Killing Your Network

Flow data analysis from SolarWinds NetFlow Traffic Analyzer (NTA), along with Network Performance Monitor (NPM), can give you deeper visibility into your network’s traffic.

chicagoanCommented:
From ISS:

The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that "open" listening ports will send back different error messages than "closed" ports.

The most common of these scans is the FIN scan, which attempts to close a connection that isn't open. If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, no response indicates a listening service at the port. However, since packets can be dropped accidentally on the wire or by firewalls, this isn't a very effective scan.

Other techniques might consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans.
Joseph_MooreCommented:
Here is the description of a FIN scan from Insecure.org, the home of NMAP:

"TCP FIN scanning : There are times when even SYN scanning isn't clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs like synlogger and Courtney are available to detect these scans. FIN packets, on the other hand, may be able to pass through unmolested. This scanning technique was featured in detail by Uriel Maimon in Phrack 49, article 15. The idea is that closed ports tend to reply to your FIN packet with the proper RST. Open ports, on the other hand, tend to ignore the packet in question. As Alan Cox has pointed out, this is required TCP behavior. However, some systems (notably Micro$oft boxes), are broken in this regard. They send RST's regardless of the port state, and thus they aren't vulnerable to this type of scan. It works well on most other systems I've tried. Actually, it is often useful to discriminate between a *NIX and NT box, and this can be used to do that. FIN scanning is the -U (Uriel) option of nmap."

This description is found here:
http://www.insecure.org/nmap/nmap_doc.html#fin
chris_calabreseCommented:
The bottom line is that you see this when someone is fishing to see what you have running on your servers/networks.

FIN scans and other types of bizarro TCP-option scans SHOULD be blocked by any good firewall. Unfortunately, many firewalls that a lot of people think are good aren't.

The scan itself isn't a threat, but it is the precursor to an actual attack.

For example, an attacker might FIN-scan your network and find all the systems running something on port 80 (usually HTTP). They then can target those systems for various webserver attacks and waltz in (assuming any of the servers are vulnerable to any of the attacks in their bag of tricks, but this is almost certainly the case if your're running IIS and you don't have the very very latest patches).
chicagoanCommented:
fin scan is a port scan designed to ferret out services surreptitiously
If a service is identified, known vulnerabilities can be used to exploit those services
This is a primitive attempt at evading Intrusion Detection Systems
Your system correctly identified the probe, blocking such packets is good
samsternCommented:
Hi,

A FIN scan is a type of scan whose usual aim is to perform network reconnaissance. What's attractive about A FIN scan from the attacker's point of view is that the attacker sends a special signal  (a tcp packet with only the FIN flag set) that tends to get past many firewalls. Some firewalls do not even log the attempt! The scan takes the form of a signal that says "hi, I've finished my communications on this port" and the computer this scanned sends back the signal that says "acknowledged, yup communications are done" (And closes any open communications on that port if they have the right bug and it's not patched) or "I'm sorry that port is closed" or perhaps (rarely) "Odd. There is a problem that port did not have communications with you". This tells the attacker several things: The port is open and ready, there is a computer there BUT the port is not accepting communications. Further the Attacker gets to learn a bit about the victim OS. However, this form of scanning does not work very well against Windows PC's. You see all modern Windows PC's have a flaw where they send back the "acknowledged" response no matter if the port is open or not. Thus all an attacker can learn about a windows pc by fin scanning is that the windows PC is up and running and that it's not running a very good firewall. However, even if the firewall is not that good, you cannot actually exploit the information you receive from a FIN to attack a given port with the intent of starting communications unless the firewall does not block a SYN packet to the port in question - even poorer firewall will block this.
What is interesting about information returned from a FIN scan is that there attacks that use FIN packets to disrupt communications between two systems (via spoofing) by convincing the attacked computer not to talk to the other computer any more. That's how folks get bounced from AIM or AOL allot. Also, the FIN packet can be used to reboot or freeze unpatched systems using specially constructed FIN packets such as produced by the infamous Jolt2 attack. Jolt2 does not work against any patches system and patches have been available since 1999 or thereabouts. Regardless of intent these FIN based attacks get logged as a "FIN scan" by many consumer firewalls.

Besides limited information gather potential of FIN scans, and the limited DoS potential of a FIN packet, FIN scans are not seen "in the wild" as much as other scanning types. FIN scans are often seen as part an attempt to "fingerprint" or identify a given OS more than they are used to actually scan a system. The attacker can learn allot more about a system using half open, or ACK scanning (if they are being stealthy). Most firewall manufacturers consider FIN scanning to low risk for these reasons.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.