• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 476
  • Last Modified:

Fin attack twice on same day from same IP

My sonicwall log reports 2 probably fin scans from the same IP, both today, how worried should I be and what action can I take?
3 Solutions
Not hugely - likely someone just scanning IP ranges looking for vulnerabilities.

These scans are usually scripted looking for a specific vulnerability(ies) and they will either log or possibly automatically attempt to exploit the vulnerability if they find it.  They are often very dumb - e.g just looking for a specific port then attempting to exploit it without even checking the O/S for  example, but they can be more sophisticated.

If you are concerned you could block that IP address, but as long as your firewall is dropping those packets the potential attacker will not be get mush useful back other than that there is no reply so I would just keep an eye on the logs to ensure it stops.


Scans and attacks that you know about and are stopped by you firewall are not of much concern.  It's the ones that slip through and you DON'T know about that are the problem.

It sounds to me like the SonicWall is doing its job and you have already taken all the action needed, i.e. installing the SonicWall.  My recommendation would be to keep it up-to-date and be sure it's only passing the things you want it to.
Tim HolmanCommented:
You don't need to be worried.  There's very little action you can take, other than identifying the owner of the netblock and telling them to stop it, but believe me, they'll have bigger issues to deal with than just a couple of FIN scans targeting a home/DSL user!
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

compukenAuthor Commented:
We are a business, which is why I was concerned, we have gotten a new ip and whereas before, we had a modem/router that went to our sonicwall firewall then to our lan router, now it goes right through the modem part into the sonicwall and the modem/router is now just a modem, so we are a little more exposed and now all things the modem/router blocked is now going to the sonicwall. We are getting about 2 smurf and fin scan a day.

I would say that is pretty normal (actually sounds quite low).

The average time from putting a machine on the internet to it getting a scan of some sort is apparently under 15 minutes.

Many people (e.g. script kiddies etc) have machines that are constantly scanning IP ranges for whatever vulnerability they currently want to exploit.

You'll probably find you have always been getting various vulnerability and port scans etc but your router was dropping many of them so they weren't hitting the firewall and showing up in your logs.
It sounds like the firewall is doing exactly what it should and dropping the packets.
compukenAuthor Commented:
Thanks for your suggestions/comments, I feel a little safer
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now