Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 401
  • Last Modified:

Fin attack twice on same day from same IP

My sonicwall log reports 2 probably fin scans from the same IP, both today, how worried should I be and what action can I take?
3 Solutions
Not hugely - likely someone just scanning IP ranges looking for vulnerabilities.

These scans are usually scripted looking for a specific vulnerability(ies) and they will either log or possibly automatically attempt to exploit the vulnerability if they find it.  They are often very dumb - e.g just looking for a specific port then attempting to exploit it without even checking the O/S for  example, but they can be more sophisticated.

If you are concerned you could block that IP address, but as long as your firewall is dropping those packets the potential attacker will not be get mush useful back other than that there is no reply so I would just keep an eye on the logs to ensure it stops.


Scans and attacks that you know about and are stopped by you firewall are not of much concern.  It's the ones that slip through and you DON'T know about that are the problem.

It sounds to me like the SonicWall is doing its job and you have already taken all the action needed, i.e. installing the SonicWall.  My recommendation would be to keep it up-to-date and be sure it's only passing the things you want it to.
Tim HolmanCommented:
You don't need to be worried.  There's very little action you can take, other than identifying the owner of the netblock and telling them to stop it, but believe me, they'll have bigger issues to deal with than just a couple of FIN scans targeting a home/DSL user!
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

compukenAuthor Commented:
We are a business, which is why I was concerned, we have gotten a new ip and whereas before, we had a modem/router that went to our sonicwall firewall then to our lan router, now it goes right through the modem part into the sonicwall and the modem/router is now just a modem, so we are a little more exposed and now all things the modem/router blocked is now going to the sonicwall. We are getting about 2 smurf and fin scan a day.

I would say that is pretty normal (actually sounds quite low).

The average time from putting a machine on the internet to it getting a scan of some sort is apparently under 15 minutes.

Many people (e.g. script kiddies etc) have machines that are constantly scanning IP ranges for whatever vulnerability they currently want to exploit.

You'll probably find you have always been getting various vulnerability and port scans etc but your router was dropping many of them so they weren't hitting the firewall and showing up in your logs.
It sounds like the firewall is doing exactly what it should and dropping the packets.
compukenAuthor Commented:
Thanks for your suggestions/comments, I feel a little safer

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now