Fin attack twice on same day from same IP

Posted on 2006-05-16
Last Modified: 2010-03-05
My sonicwall log reports 2 probably fin scans from the same IP, both today, how worried should I be and what action can I take?
Question by:compuken
    LVL 5

    Accepted Solution

    Not hugely - likely someone just scanning IP ranges looking for vulnerabilities.

    These scans are usually scripted looking for a specific vulnerability(ies) and they will either log or possibly automatically attempt to exploit the vulnerability if they find it.  They are often very dumb - e.g just looking for a specific port then attempting to exploit it without even checking the O/S for  example, but they can be more sophisticated.

    If you are concerned you could block that IP address, but as long as your firewall is dropping those packets the potential attacker will not be get mush useful back other than that there is no reply so I would just keep an eye on the logs to ensure it stops.


    LVL 32

    Assisted Solution

    Scans and attacks that you know about and are stopped by you firewall are not of much concern.  It's the ones that slip through and you DON'T know about that are the problem.

    It sounds to me like the SonicWall is doing its job and you have already taken all the action needed, i.e. installing the SonicWall.  My recommendation would be to keep it up-to-date and be sure it's only passing the things you want it to.
    LVL 23

    Assisted Solution

    by:Tim Holman
    You don't need to be worried.  There's very little action you can take, other than identifying the owner of the netblock and telling them to stop it, but believe me, they'll have bigger issues to deal with than just a couple of FIN scans targeting a home/DSL user!
    LVL 2

    Author Comment

    We are a business, which is why I was concerned, we have gotten a new ip and whereas before, we had a modem/router that went to our sonicwall firewall then to our lan router, now it goes right through the modem part into the sonicwall and the modem/router is now just a modem, so we are a little more exposed and now all things the modem/router blocked is now going to the sonicwall. We are getting about 2 smurf and fin scan a day.
    LVL 5

    Expert Comment


    I would say that is pretty normal (actually sounds quite low).

    The average time from putting a machine on the internet to it getting a scan of some sort is apparently under 15 minutes.

    Many people (e.g. script kiddies etc) have machines that are constantly scanning IP ranges for whatever vulnerability they currently want to exploit.

    You'll probably find you have always been getting various vulnerability and port scans etc but your router was dropping many of them so they weren't hitting the firewall and showing up in your logs.
    It sounds like the firewall is doing exactly what it should and dropping the packets.
    LVL 2

    Author Comment

    Thanks for your suggestions/comments, I feel a little safer

    Featured Post

    Courses: Start Training Online With Pros, Today

    Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

    Join & Write a Comment

    When the confidentiality and security of your data is a must, trust the highly encrypted cloud fax portfolio used by 12 million businesses worldwide, including nearly half of the Fortune 500.
    Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now