Unintended consequences of half open scans

February 21st, 2008 by webstersprodigy

A short analysis of nmap half-open scans (also called SYN scans).

These scans are distinguished from the default full connection scan, which completes the full TCP three-way handshake, i.e.

SYN –>
<– SYN+ACK
ACK –>

A half-open scan just does

SYN –>
<– SYN+ACK

The scanner determines whether the port is open based on whether a SYN+ACK comes back. Obviously, the final ACK is never sent. This can be performed with

$ nmap -P0 -sS target

This was a popular method because it was considered ‘stealthy’ (though it’s not so stealthy anymore) and because it’s fast (though after some initial benchmarks it’s not really faster than the default).

Anyway, now to something not everyone already knows (maybe; at least I didn’t).

nmap uses raw sockets to craft these packets, which is why SYN scans must be run as root. What’s interesting is what happens when the remote host responds with a SYN+ACK: the local TCP stack receives a packet for a connection it never initiated, because the SYN was crafted by nmap on a raw socket and the kernel has no record of it. As far as the scanning computer’s kernel is concerned, the SYN+ACK is not part of any handshake and appears to have come out of nowhere, so it sends a RST back to the target system. Nuts.

Anyway, you can stop this with simple iptables rules on INPUT or OUTPUT, using a default DROP policy (allowing only ESTABLISHED,RELATED traffic and known services through is probably a good rule of thumb).
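From the target’s side, the behaviour described above leaves a recognisable three-packet trace: SYN in, SYN+ACK out, RST back, with no ACK ever completing the handshake. The script below is an added example (not part of the original post, and not nmap’s own code) that classifies connection attempts from a tcpdump-style packet summary into half-open probes, full connects and closed-port probes. The log format and all addresses are constructed for the example; a real deployment would read tcpdump output or a pcap instead.

```python
"""Classify TCP connection attempts as half-open (SYN scan), full connect,
or closed-port probes.  Added example, not from the original post; the log
format is a constructed, tcpdump-like summary."""
import re
from collections import defaultdict

# Constructed sample: a scanner at 10.0.0.5 probing 10.0.0.9.  tcpdump flag
# letters are used: S = SYN, . = ACK, R = RST, so "S." is SYN+ACK and "R." is RST+ACK.
SAMPLE_LOG = """\
10.0.0.5.40001 > 10.0.0.9.22: Flags [S]
10.0.0.9.22 > 10.0.0.5.40001: Flags [S.]
10.0.0.5.40001 > 10.0.0.9.22: Flags [R]
10.0.0.5.40002 > 10.0.0.9.80: Flags [S]
10.0.0.9.80 > 10.0.0.5.40002: Flags [S.]
10.0.0.5.40002 > 10.0.0.9.80: Flags [.]
10.0.0.5.40002 > 10.0.0.9.80: Flags [R.]
10.0.0.5.40003 > 10.0.0.9.23: Flags [S]
10.0.0.9.23 > 10.0.0.5.40003: Flags [R.]
"""

LINE_RE = re.compile(
    r"^(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]$"
)


def parse_line(line):
    """Return ((src_ip, src_port), (dst_ip, dst_port), flag_set) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src = (m.group("sip"), int(m.group("sport")))
    dst = (m.group("dip"), int(m.group("dport")))
    return src, dst, set(m.group("flags"))


def group_flows(log_text):
    """Group packets into flows keyed by (client, server), where the client is the
    endpoint that sent the initiating bare SYN.  Each event is (sender, flags)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, flags = parsed
        if "S" in flags and "." not in flags:      # initiating SYN: src is the client
            flows[(src, dst)].append(("client", flags))
        elif (src, dst) in flows:                  # later packet from the client
            flows[(src, dst)].append(("client", flags))
        elif (dst, src) in flows:                  # reply from the server
            flows[(dst, src)].append(("server", flags))
        # packets with no matching SYN are ignored
    return flows


def classify(events):
    """Label one flow's packet sequence.

    half-open:    SYN, SYN+ACK, then RST from the client instead of the final ACK
    full-connect: SYN, SYN+ACK, ACK (however the connection is torn down later)
    closed:       SYN answered with RST by the server
    no-response:  SYN never answered (filtered, or the reply was not captured)
    awaiting-ack: SYN+ACK sent, nothing from the client yet"""
    synack_seen = False
    for sender, flags in events:
        if sender == "server" and "S" in flags and "." in flags:
            synack_seen = True
        elif sender == "server" and "R" in flags and not synack_seen:
            return "closed"
        elif sender == "client" and synack_seen:
            if "R" in flags:
                return "half-open"
            if "." in flags:
                return "full-connect"
    return "awaiting-ack" if synack_seen else "no-response"


def classify_flows(log_text):
    """Map (server_ip, server_port) -> label for every flow in the log."""
    return {server: classify(events) for (client, server), events in group_flows(log_text).items()}


def count_labels(log_text):
    """Count how many flows fall under each label."""
    counts = defaultdict(int)
    for label in classify_flows(log_text).values():
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, port), label in sorted(classify_flows(SAMPLE_LOG).items()):
        print(f"{ip}:{port:<5} {label}")
```

A burst of many "half-open" flows from one source towards many ports is the signature of a SYN scan; a real detector would add a time window and a per-source threshold on top of this classification.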
